
Directed Model Checking (not only) for Timed Automata, Sebastian Kupferschmid - PowerPoint PPT Presentation



  1. Directed Model Checking (not only) for Timed Automata
     Sebastian Kupferschmid, March 2010

  2. Model Checking: Motivation
     Embedded systems are omnipresent, and many of them are safety-relevant systems (Pentium bug, Ariane 5).
     Errors can be extremely harmful, so correct functioning is absolutely mandatory.

  3. Model Checking
     Correct systems: every system state satisfies the invariant, $\mathcal{M}, s_0 \models \forall\Box\varphi$; proving this requires the full state space.
     Erroneous systems: find error states fast, $\mathcal{M}, s_0 \models \exists\Diamond\neg\varphi$, and report short error traces.
     Directed Model Checking: a combination of Artificial Intelligence and Model Checking that accelerates the search to error states with heuristic functions.

  4. Outline
     - Introduction
     - Timed Automata
     - Directed Model Checking
     - Coming up with Heuristics in a Principled Way: Pattern Database Heuristics, Pattern selection strategies
     - Summary
     - Empirical evaluation of several heuristics
     - Literature

  5. Timed Automata: Syntax
     Definition (Timed Automaton). A timed automaton $\mathcal{A}$ is a tuple $\langle L, l_0, E, X, V, \Sigma, I \rangle$, where
     - $L$ is a finite set of locations,
     - $l_0 \in L$ is the initial location,
     - $X$ is a finite set of clocks,
     - $V$ is a finite set of integer variables,
     - $\Sigma$ is a set of synchronization symbols,
     - $E$ is a finite set of edges, and
     - $I$ assigns invariants to locations.
     (Figure: an example automaton with locations $s_0$, $s_1$, $s_2$, clock constraints $x \ge 1$, $x \le 1$, $x < 1$, the reset $x := 0$ and the synchronization $c?$.)

  6. Timed Automata: Semantics
     States assign values to the automata (their current locations), to the integer variables, and to the clocks.
     Transitions are either discrete transitions or delay transitions; the result is an infinite transition system.
     (Figure: the example automaton and one possible behaviour, plotted as location against time from 0 to 3, with discrete steps and delay steps.)

  7. The Zone Graph: Symbolic State Space
     The zone graph is a finite and exact abstraction of the timed automata semantics. A symbolic state corresponds to a set of states that have the same discrete part and whose clock values satisfy a conjunction of clock constraints, a so-called zone.
     (Figure: the example automaton and its zone graph; each symbolic state pairs a location with a zone such as $x \ge 0$, $x < 1$, $x \ge 1$, $x \le 1$, $x = 0$ or $x = 1$.)

  8. Model Checking Task
     Definition (Model Checking Task). A model checking task $T$ is a tuple $\langle \mathcal{M}, \varphi \rangle$, where $\mathcal{M} = \mathcal{A}_1 \parallel \dots \parallel \mathcal{A}_n$ is a system of timed automata and $\varphi$ is an error formula.

  9. Directed Model Checking: Objective in DMC
     Given: a model checking task $T = \langle \mathcal{M}, \varphi \rangle$ with corresponding symbolic state space $S(\mathcal{M}) = \langle S, s_0, T \rangle$.
     Find: a sequence $\pi = s_0 \xrightarrow{t_1} s_1 \xrightarrow{t_2} \dots \xrightarrow{t_n} s_n$, where $s_i \in S$, $s_i \xrightarrow{t_i} s_{i+1} \in T$, and $s_n \models \varphi$.
     Approach: an informed search algorithm guided by a heuristic function.

  10. Directed Model Checking = Model Checking + Heuristic Search
     Definition (heuristic function). Let $T = \langle \mathcal{M}, \varphi \rangle$ be a model checking task and let $S(\mathcal{M}) = \langle S, s_0, T \rangle$ be the state space of $\mathcal{M}$. A heuristic function (or heuristic) is a function $h : S \to \mathbb{N}_0 \cup \{\infty\}$. The heuristic estimate $h(s)$ for a state $s \in S$ is supposed to estimate the distance from $s$ to the nearest error state.

  11. Heuristic Search: The General Idea
     (Figure: the search space between the initial state and the error state; the heuristic supplies a distance estimate for every encountered state, and the search follows the smallest estimates.)

  12. The Properties of Heuristics
     Definition (perfect heuristic). Let $T = \langle \mathcal{M}, \varphi \rangle$ and let $S(\mathcal{M}) = \langle S, s_0, T \rangle$. The perfect heuristic of $S(\mathcal{M})$ is the heuristic $h^*$ which maps each state $s \in S$ to the length of a shortest path from $s$ to any error state. Note: $h^*(s) = \infty$ iff no error state is reachable from $s$.
     A heuristic $h$ is called
     - admissible if $h(s) \le h^*(s)$ for all states $s \in S$,
     - safe if $h^*(s) = \infty$ for all $s \in S$ with $h(s) = \infty$,
     - goal-aware if $h(s) = 0$ for all error states $s \in S$,
     - consistent if $h(s) \le h(s') + 1$ for all states $s, s' \in S$ such that $s \to s' \in T$.

  13. A Generic Informed Search Algorithm
       function dmc(M, φ, h):
           open = empty priority queue
           closed = ∅
           open.insert(s0, priority(s0, h))
           while open ≠ ∅ do:
               s = open.getMinimum()
               if s ⊨ φ then:
                   return True
               if s ∉ closed then:
                   closed = closed ∪ {s}
                   for each s' ∈ succs(s) do:
                       open.insert(s', priority(s', h))
           return False

  14. Heuristic Search Methods
     A* search: $\mathrm{priority}(s, h) = \mathrm{depth}(s) + h(s)$. If $h$ is admissible, A* finds the shortest possible error traces; it often has high memory consumption.
     Greedy search: $\mathrm{priority}(s, h) = h(s)$. It expands fewer states than A* in practice, but gives no guarantee on the error trace length.

  15. Dominance
     Definition (Dominance). Let $h, h'$ be two admissible heuristics. The heuristic $h$ dominates $h'$ iff $\forall s \in S : h(s) > h'(s)$.
     Theorem. Let $h, h'$ be two admissible heuristics. If $h$ dominates $h'$, then every state explored by A* with $h$ is also explored by A* with $h'$.

  16. Heuristics for Directed Model Checking: Requirements for $h$
     1. Accurate (with respect to $h^*$): "the closer the better"; it has to work well in practice.
     2. Efficiently computable for any state $s$: the heuristic has to be computed for every encountered state, so efficient means low-order polynomial in $\|T\|$.
     3. Derived automatically for a given model checking task: based on the declarative description of $T$, with no user interaction.

  17. A Simple Heuristic for Directed Model Checking: Hamming Distance Heuristic
     The minimal number of variable values that have to be changed in order to turn $s$ into an error state $e$:
     $h(s) = \min_{e \in S : e \models \varphi} \#\mathrm{different\ values}(s, e)$
     Intuition: the more similar a state is to an error state, the closer it is to an error state.

  18. Criticism of the Hamming Distance Heuristic
     What is wrong with the Hamming distance heuristic?
     - Quite uninformative: the range of heuristic values is small; typically, most successors have the same estimate.
     - Sensitive to reformulation: one can easily transform any MC task into an equivalent one where $h(s) = 1$ for all non-error states (how?).
     - Ignores almost all problem structure: the heuristic values do not depend on the set of transitions!
     Hence we need a better, principled way of coming up with heuristics.

  19. Coming up with Heuristics in a Principled Way
     In this lecture: pattern database heuristics. They are state-of-the-art heuristics, based on abstractions, fully automatically generated with no user interaction, and applicable to a wide range of transition systems.

  20. A Design Principle for Heuristics: The General Idea
     Given: a model checking task $T = \langle \mathcal{M}, \varphi \rangle$ with corresponding state space $S(\mathcal{M}) = \langle S, s_0, T \rangle$.
     A generic approach for obtaining heuristics:
     - Select an overapproximation $T^\alpha$ of $T$ with $T^\alpha = \langle \mathcal{M}^\alpha, \varphi^\alpha \rangle$ and $S(\mathcal{M}^\alpha) = \langle S^\alpha, s_0^\alpha, T^\alpha \rangle$.
     - For every state $s \in S$ encountered during the search, find a (shortest) error trace $\pi$ in $\langle S^\alpha, s^\alpha, T^\alpha \rangle$ and set $h(s) = |\pi|$.

  21. A Design Principle for Heuristics: The General Idea
     (Figure: the original transition system beside its overapproximation.)

  22. A Design Principle for Heuristics: The General Idea
     (Figure: a state $s$ of the original transition system is mapped to $s^\alpha$ in the overapproximation, where the shortest error trace has length 2, so $h(s) = 2$.)

  23. Pattern Database (PDB) Heuristics
     Prior to search:
     - Choose an abstraction $\alpha$.
     - For every abstract state $s^\alpha \in S(\mathcal{M}^\alpha) = \langle S^\alpha, s_0^\alpha, T^\alpha \rangle$, compute the abstract error distance $dist^\alpha(s^\alpha)$.
     - Store $\langle s^\alpha, dist^\alpha(s^\alpha) \rangle$ in a lookup table (the pattern database).
     During search:
     - Map the state $s$ to its corresponding abstract state $s^\alpha$.
     - Heuristic value: $h(s) = d(s^\alpha)$, the stored distance $dist^\alpha(s^\alpha)$.

  24. How to Choose the Abstraction? The Original State Space

  25. How to Choose the Abstraction? The Trivial Abstraction

  26. How to Choose the Abstraction? The Identity Abstraction

  27. How to Choose the Abstraction? The Perfect Abstraction

  28. Conflicting Requirements
     Requirements for the heuristic: informativeness (quality); it has to work well in practice.
     Requirements for the abstraction: efficient to compute; not too many abstract states; succinct representation (memory requirement).
     Question: where is the sweet spot?

  29. Two Different Abstraction Classes
     Predicate abstraction: the abstract state space is defined by a set of selected predicates and is constructed with SAT or SMT solving; fine-grained.
     Variable abstraction: a special case of predicate abstraction that ignores a subset of the system's variables; the abstract model is in the same formalism, so it can be constructed with the same tool, often more efficiently than with general-purpose SAT solvers.

  30. Pattern Selection
     What kind of pattern shall we use?
     Definition (Pattern). A pattern is a set of variables/predicates used to define a system.
     In this lecture: cone-of-influence-based pattern selection; pattern selection using counterexamples; syntax-based pattern selection; a local search approach.

  31. Pattern Selection for Variable Abstractions
     Pattern $P$: a subset of the variables that are used to define the system, e.g. clocks, automata, synchronization labels, ...
     Abstraction of $\mathcal{M}$ with respect to $P = \{P, y, c, g\}$: $\mathcal{M} = P \parallel Q$ and $\mathcal{M}^\alpha = P^\alpha$.
     (Figure: automaton $P$ with locations left, walk, right, guard $x > 2$, reset $x := 0$ and synchronizations $c!$, $g?$; automaton $Q$ with locations green, yellow, red, constraints $y \ge 2$, $y \le 1$, reset $y := 0$ and synchronizations $g!$, $c?$; beside them the abstraction $P^\alpha$.)
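The following Python program is an added example, not code from the lecture: it implements the generic search of slide 13 with the A* and greedy priorities of slide 14, and builds its heuristic as a pattern database (slide 23) from a variable abstraction that ignores the variables outside the pattern (slide 31). The system, its variables loc, x, y, the transitions and the error formula loc == 3 are constructed; it has no synchronization, so dropping variables does give an overapproximation here.

```python
from heapq import heappush, heappop

# Constructed toy system (not from the slides): finite-domain variables, transitions
# as (guard, update) pairs of dicts var -> value, error formula phi: loc == 3.
VARS, S0 = ("loc", "x", "y"), (0, 0, 0)
TRANS = [({"loc": 0}, {"loc": 1}), ({"loc": 1, "x": 0}, {"x": 1}),
         ({"loc": 1, "x": 1}, {"x": 2}), ({"loc": 1, "x": 2}, {"loc": 2}),
         ({"loc": 2, "y": 0}, {"y": 1}), ({"loc": 2, "y": 1}, {"loc": 3}),
         ({"loc": 1}, {"loc": 0, "x": 0}), ({"loc": 2}, {"y": 0})]

def is_error(s, vs):  # phi^alpha: once loc is dropped, every abstract state is an error
    return "loc" not in vs or s[vs.index("loc")] == 3

def succs(s, vs):
    # vs == VARS: concrete successors; a pattern (subset) drops guards and updates on ignored vars
    res = []
    for guard, update in TRANS:
        if all(s[vs.index(v)] == val for v, val in guard.items() if v in vs):
            res.append(tuple(update.get(v, s[i]) for i, v in enumerate(vs)))
    return res

def build_pdb(pattern):
    # Prior to search: explore the abstract space, then layer backwards from the abstract
    # error states to get dist_alpha; the returned h maps s to dist_alpha(s^alpha).
    proj = lambda s: tuple(s[VARS.index(v)] for v in pattern)
    seen, todo = {proj(S0)}, [proj(S0)]
    while todo:
        for b in succs(todo.pop(), pattern):
            if b not in seen:
                seen.add(b); todo.append(b)
    dist, front, d = {}, {a for a in seen if is_error(a, pattern)}, 0
    while front:  # all states in front have abstract error distance d
        dist.update(dict.fromkeys(front, d)); d += 1
        front = {a for a in seen if a not in dist and any(b in front for b in succs(a, pattern))}
    return lambda s: dist.get(proj(s), float("inf"))  # no abstract error reachable -> infinity

ASTAR, GREEDY = (lambda depth, h: depth + h), (lambda depth, h: h)  # slide 14 priorities

def dmc(h, priority):
    # Generic informed search of slide 13; returns (error trace length, states expanded).
    open_, closed = [(priority(0, h(S0)), S0, 0)], set()
    while open_:
        _, s, depth = heappop(open_)
        if is_error(s, VARS):
            return depth, len(closed)
        if s not in closed:
            closed.add(s)
            for t in succs(s, VARS):
                heappush(open_, (priority(depth + 1, h(t)), t, depth + 1))
    return None, len(closed)
```

For the constructed system the pattern database over {loc} yields h(s0) = 3, over {loc, x} it yields 5, and over all variables it yields h*(s0) = 6; A* returns the length-6 error trace with each of them, while greedy search with the perfect heuristic expands only the six states on that trace.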

  32. Patterns and Overapproximations
     But: $P = \{P, y, c, g\}$ does not induce an overapproximation! Why?
     (Figure: the automata $P$ and $Q$ of the previous slide together with their abstractions $P^\alpha$ and $Q^\alpha$.)
