1 Verification Options & Beyond Reachability or how to make UPPAAL perform better and more Kim Guldstrand Larsen BRICS@Aalborg

1

Verification Options&Beyond Reachability

or how to make UPPAAL perform better and more

Kim Guldstrand Larsen BRICS@Aalborg

2SV 2001 Kim G. Larsen UCb

Verification Options

• Diagnostic Trace

• Breadth-First• Depth-First

• Local Reduction• Early Termination• Global Reduction • Active-Clock Reduction

• Re-Use State-Space

• Over-Approximation• Under-Approximation• Distributed Impl.

• Diagnostic Trace

• Breadth-First• Depth-First

• Local Reduction• Early Termination• Global Reduction • Active-Clock Reduction

• Re-Use State-Space

• Over-Approximation• Under-Approximation• Distributed Impl.


Forward Rechability

Passed

Waiting Final

Init

INITIAL Passed := Ø; Waiting := {(n0,Z0)}

REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add

{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed

UNTIL Waiting = Ø or Final is in Waiting

n,Z’

m,U

n,Z

Init -> Final ?

location

zone


Forward Rechability

Passed

Waiting Final

Init





n,Z’

m,U

n,Z

Init -> Final ?

location

zone

Questions:1. Order for exploration Waiting ?

2. How to store symbolic state in Passed ?

3. When to store in Passed ?


Order of ExplorationDepth-First vs Breadth-First

Passed

Waiting Final

Init

n,Z’

m,U

n,Z

Depth-FirstWaiting repr. as stack

Breadth-FirstWaiting repr as queue

Depth-FirstWaiting repr. as stack

Breadth-FirstWaiting repr as queue

In most cases BF to be preferred.Allows for generation of “shortest”traces.

DF useful in situations when reachability may be concluded without generating full state-space.Easy calculation of traces.


Representation of symbolic states Zones

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1 x2

x3x0

-4

10

22

5

3

x1 x2

x3x0

-4

4

22

5

3 3 -2 -2

1

ShortestPath

ClosureO(n^3)

Z

Allows foreasy exploration

and subset-checking


Representation of symbolic states Local Reduction

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1 x2

x3x0

-4

10

22

5

3

x1 x2

x3x0

-4

4

22

5

3

x1 x2

x3x0

-4

22

3

3 -2 -2

1

ShortestPath

ClosureO(n^3)

ShortestPath

ReductionO(n^3) 3

Canonical wrt =Space worst O(n^2) practice O(n)

Z


SPACE PERFORMANCE

0

0,1

0,2

0,3

0,4

0,5

0,6

0,7

0,8

0,9

1

Per

cen

t Minimal Constraint

Global Reduction

Combination


TIME PERFORMANCE

0

0,5

1

1,5

2

2,5

Per

cen

t Minimal Constraint

Global Reduction

Combination


Earlier Termination

Passed

Waiting Final

Init





n,Z’

m,U

n,Z

Init -> Final ?


Earlier Termination

Passed

Waiting Final

Init





n,Z’

m,U

n,Z

Init -> Final ?

ZZ'



REPEAT - pick (n,Z) in Waiting - if for some (n,Z’) in Passed then STOP - else /explore/ add



Earlier Termination

Passed

Waiting Final

Init

n,Zk

m,U

n,Z

Init -> Final ?

n,Z1

n,Z2 ZZii

ZZ'


Clock Difference Diagrams= Binary Decision Diagrams + Difference Bounded Matrices

CDD-representationsCDD-representations

CAV99

Nodes labeled with differences

Maximal sharing of substructures (also across different CDDs)

Maximal intervals Linear-time algorithms

for set-theoretic operations.

NDD’s Maler et. al

DDD’s Møller, Lichtenberg


SPACE PERFORMANCE

0

0,5

1

1,5

2

2,5

3

3,5

4

4,5

Per

cen

t CDD

Reduced CDD

CDD+BDD


TIME PERFORMANCE

0

1

2

3

4

5

6

Per

cen

t CDD

Reduced CDD

CDD+BDD


Representation of symbolic states (In)Active Clock Reduction

x is only active in location S1

x>3x<5

x:=0

x:=0

S x is inactive at S if on all path fromS, x is always reset before beingtested.

Definitionx<7


Representation of symbolic states Active Clock Reduction

x>3x<5

S

x is inactive at S if on all path fromS, x is always reset before beingtested.

Definitiong1

gkg2r1

r2 rk

iii

ii

rClocks/SAct

gClocks

)S(Act

S1

S2 Sk

Only save constraints on active clocks


When to store symbolic stateGlobal Reduction

No Cycles: Passed list not needed for termination

However,Passed list useful forefficiency


When to store symbolic stateGlobal Reduction

Cycles: Only symbolic states involving loop-entry points need to be saved on Passed list


Reuse State Space

Passed

Waiting

prop1

A[] prop1

A[] prop2A[] prop3A[] prop4A[] prop5...A[] propn

Searchin existingPassedlist beforecontinuingsearch

Which orderto search?

prop2


Reuse State Space

Passed

Waiting

prop1

A[] prop1

A[] prop2A[] prop3A[] prop4A[] prop5...A[] propn

Searchin existingPassedlist beforecontinuingsearch

Which orderto search?Hashtable

prop2


Over-approximationConvex Hull

x

y

Convex Hull

1 3 5

1

3

5


Under-approximationBitstate Hashing

Passed

Waiting Final

Init

n,Z’

m,U

n,Z


Under-approximationBitstate Hashing

Passed

Waiting Final

Init

n,Z’

m,U

n,Z

Passed= Bitarray

1

0

1

0

0

1

UPPAAL 8 Mbits

HashfunctionF


Bitstate Hashing


REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed thenthen STOPSTOP - else /explore/ add




REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed thenthen STOPSTOP - else /explore/ add



Passed(F(n,Z)) = 1

Passed(F(n,Z)) := 1


Distributing UPPAALUPPAAL

P

W

Gerd Behrmann, Thomas Hune,Frits Vandraager CAV2k


Distributing UPPAALUPPAAL

P

W

Gerd Behrmann, Thomas Hune,Frits Vandraager CAV2k

P1

W1

P2

W2

P4

W4

P3

W3

Passedstructuredistributed



Distributing UPPAALUPPAAL Gerd Behrmann, Thomas Hune,Frits Vandraager CAV2k

P1

W1

P2

W2

P4

W4

P3

W3



Check in local Passedlist.If not present save,explore and distribute ...


? MPI


Distributing UPPAALUPPAAL Gerd Behrmann, Thomas Hune,Frits Vandraager CAV2k

P1

W1

P2

W2

P4

W4

P3

W3



?

Implemented usingMPI

on SUN Interprise 10000Beowulf cluster

Implemented usingMPI

on SUN Interprise 10000Beowulf cluster




Performance

FullState SpaceGeneration

FullState SpaceGeneration

Super-linearSpeed-up

SUN Interprise 10000Shared Memory 12GB Ram24 333Mhz CPU’s

T(n)T(1)

31

Beyond Reachability- (Bi)Simulation- Compositional Verification


Timed Bisimulation

Del.Acta allfor

Rt's's'ss'.t't ii)

Rt's't'tt'.s's i)

:holds following

the thensRt whenever if onbisimulati timed a is R

aa

aa

0Rd:dDel

R. onbisimulati timed

somefor sRt whenever t s write We

Wang’91


Timed Simulation

Del.Acta allfor

Rt's't'tt'.s's i)

:holds following

the thensRt whenever if simulation timed a is R

aa

0Rd:dDel

R. simulation

timed somefor sRt ifft s write We


Examples


Abstraction & Compositionality dealing w stateexplosion

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

1 2

43

1 2

43

2121

2211

AACCACAC

Concrete Abstract

simulation


Abstraction Example

a1 a2 a3 a4 a5

a b


Example Continued

abstractedby


Proving abstractions using reachability

A[] not TestAbstPoP1.BAD

Recognizesall the BADcomputationsof PoP1

Documents

1 Verification Options & Beyond Reachability or how to make UPPAAL perform better and more Kim Guldstrand Larsen BRICS@Aalborg