Symbolic model checking
for simply-timed systems
N. Markey1,2 and Ph. Schnoebelen2
1
Département d’Informatique
Université Libre de Bruxelles
email: nmarkey@ulb.ac.be
2
Lab. Spécification & Vérification
ENS de Cachan & CNRS UMR 8643
email: (markey,phs)@lsv.ens-cachan.fr
Abstract. We describe OBDD-based symbolic model checking algorithms for simply-timed systems, i.e. finite state graphs where transitions
carry a duration. These durations can be arbitrary natural numbers. A
simple and natural semantics for these systems opens the way for improved efficiency. Our algorithms have been implemented in NuSMV
and perform well in practice (on standard case studies).
1
Introduction
Symbolic verification of timed systems. Formal verification tools play an everincreasing role in the design of complex systems. Using OBDD technology, symbolic model checking techniques [3, 17], are able to analyze larger and larger
models [12, 1]. Symbolic model checking techniques are not so successful with
time-critical systems. A popular approach to these systems is based on timed
automata, for which several model checkers exist (e.g. [22, 16]). Timed automata
raise difficult problems: the existing symbolic representations for sets of clock
valuations (including DBMs, CDDs and REDs) are not as simple and convenient as OBDDs and do not mix well with the OBDDs used for the control part.
Finally fixpoint computations are notably tricky for timed automata [2].
State graphs as timed models. Time-critical systems do not always have to be
modeled with timed automata. Indeed, labeled state graphs, a.k.a. Kripke structures (KS’s), have been used for such purposes. If we assume that each transition
in a KS takes one time unit, RTCTL model checking is not harder than CTL
model checking [13] 3 . Symbolic OBDD-based model checking extends easily to
RTCTL on KS’s [6]. The corresponding algorithms have been implemented (e.g.
in NuSMV [11], Verus [4]) and perform quite efficiently. This approach combines
simplicity and efficiency. Its limitation is the restricted expressive power of the
KS model, even disregarding the issue of discrete vs. dense time.
3
RTCTL, or “Real Time CTL”, is the extension of CTL where temporal modalities
may carry numerical time bounds.
2
N. Markey and Ph. Schnoebelen
Our contribution. We extend symbolic RTCTL model checking to timed Kripke
structures (TKS’s), i.e. Kripke structures where each transition carries a duration, that can be any integer value (including zero). Thus the difference between
KS’s and TKS’s is that we do not assume that each transition takes one and
only one time unit. We provide algorithms for symbolic model checking on TKS’s
against RTCTL specifications. We also compute quantitative information, answering queries of the kind “what is the minimum (resp. maximum) delay between a state satisfying some Start property and a state satisfying some Final
property?” [9].
Durations in TKS’s are atomic and do not reduce to a sequence of unit steps,
contrary to the model used in RAVEN [19], for instance. Our model checking
algorithms take advantage of this semantics of time and, for models that would
naturally be described with long transitions, they perform better than the algorithms offered in NuSMV (see Section 6). Thus, while our approach builds
on earlier research by Campos, Clarke et al. [5–10], there are nevertheless some
clear differences between the two approaches: differences in the models, in the
algorithms, and in the running times. A more detailed comparison is provided
in section 7.
We implemented our algorithms on top of NuSMV. This readily provides
a symbolic model checker for TKS’s, called TSMV and available at http://
www.lsv.ens-cachan.fr/~markey/TSMV/. Our experiments indicate that our
tool TSMV provides appreciable gain in expressive power and improved running
time (when compared with the verification of “equivalent” unit-steps KS’s).
Finally, TSMV improves the available set of solutions for model checking
simply-timed systems, i.e. systems where the control part is too large for a timedautomaton approach, and where the timing aspects are simple enough to be
described with durations on transitions.
What use are arbitrary durations? Compared to plain KS’s, there are three main
ways where TKS’s provide increased expressive power:
Long steps: TKS’s allow considering that some transitions take a long time,
e.g. 1000 time units. Such transitions could be encoded in KS’s by inserting 999 intermediate states (e.g. using a simple counter) as advocated in [7,
p.106]. But this encoding is tedious, and leads to quite costly extra verification work. It is better to have algorithms that understand arbitrary
durations.
Instantaneous steps: TKS’s allow considering that some transitions have zero
duration. This is very convenient in models where some steps are described
indirectly, as a short succession of micro-steps.
Counting specific events only: Zero-length transitions are also a convenient
way of abstracting away (for timing aspects only) from some internal transitions. Then the RTCTL formulae count the durations of the other, timerelevant, transitions. This can also be used in models where transitions carry
some “cost”, a notion more general than elapsed time. For example, when verifying a communication protocol, one can wish to only count the sendings
and receivings of messages. When checking a model of an elevator system,
Symbolic model checking for simply-timed systems
3
one can wish to count cabin moves, or door closings and openings, and use
these in cost-constrained CTL formulae.
2
Basic notions
We assume familiarity with CTL model checking on finite Kripke structures
(KS’s). Furthermore, we assume the reader understands the working of OBDDbased symbolic model checking, as implemented e.g. in (Nu)SMV [3, 17, 11].
These notions are available in several textbooks, for instance [12, 1].
2.1
Kripke structures with durations on transitions
Simply-timed Kripke Structures (TKS’s) are an extension of KS’s where each
transition is labeled by a nonnegative integer. Formally, given a set AP =
{p1 , p2 , . . .} of atomic propositions, a TKS is a tuple M = hS, S0 , R, Li where
S = {s, s′ , . . .} is a finite set of states, S0 ⊆ S is a set of initial states, and
L : S 7→ 2AP is a labeling of states with atomic propositions. The difference
with KS’s is that here R ⊆ S × N × S is a finite set of transitions labeled by
a natural number, called the duration of the transition. We require that the
untimed relation R, obtained from R by dropping durations, is total.
Fig. 1 displays a simple example.
p1 p3 s2
Note that, between two states, there
0
may exist several transitions with different durations. In graphical repre0
21
s1 p2
sentations, such sets of transitions are
3
sometimes depicted with several labels on one arrow.
5
A path π in M is an infinite se1
d3
d2
d1
s3
→ · · · of linked
→ s2 −
→ s1 −
quence s0 −
transitions. For such a path, and for
Fig. 1. A simple TKS
n ∈ N, we let π(n) denote the nth
dn+1
dn+2
state sn , and π n denote the nth suffix sn −−→ sn+1 −−→ · · · . Finally, for
dn+1
dn+2
n ≤ m ∈ N, we let π[n..m] denotes the finite sequence sn −−→ sn+1 −−→ · · · sm
with m − n transitions and m − n + 1 states. The (cumulative) duration Dπ[n..m]
of such a finite sequence is dn + · · · + dm−1 (hence 0 when n = m). We write
Π(s) for the set of paths that start from s: since R is total, Π(s) is never empty.
2.2
RTCTL: a temporal logic with timing constraints
RTCTL formulae are the state formulae built according to the following syntax:
ϕs ::= ¬ϕs | ϕs ∧ ψs | E ϕp | p1 | p2 | · · ·
ϕp ::= ¬ϕp | Xϕs | ϕs Uα ψs
(state formulae)
(path formulae)
where α, called the timing constraint, is a predicate on durations. All constraints
of the form “≤ k”, “= k”, “≥ k” and “[k..l]” for k and l values in the relevant
4
N. Markey and Ph. Schnoebelen
domain (here N) are allowed. We write n |= α when duration n ∈ N satisfies
the constraint α (definition omitted). We write s |= ϕs and π |= ϕp when a
state s ∈ S satisfies a state formula ϕs (resp. a path π satisfies a path formula
ϕp ). The definition is as expected, and we only spell out the few cases that are
specific to RTCTL and TKS’s:
s |= E ϕp
def
π |= Xϕs
def
⇔ there exists a π ∈ Π(s) s.t. π |= ϕp ,
⇔ π(1) |= ϕs ,
there exists i ∈ N s.t. Dπ[0..i] |= α,
def
π |= ϕs Uα ψs ⇔
π(i) |= ψs , and π(j) |= ϕs for all 0 ≤ j < i.
We use all the classical abbreviations: ⊤, ⊥, ϕs ∨ ψs , ϕs ⇒ ψs , A ϕp (for
¬E¬ϕp ), Fα ϕs (for ⊤Uα ϕs ), and Gα ϕs (for ¬Fα ¬ϕs ). Then EFα ϕ means that
it is possible to reach a state satisfying ϕ via a finite path whose cumulative
duration satisfies α, and EGα ϕ means that there is a path along which ϕ holds
at all states visited after a cumulative duration satisfying α.
2.3
Some comments on semantics
Our semantics for TKS’s is the simplest and most natural way of reading state
graphs like the one in Fig. 1. However, it differs from the semantics commonly
found with other models (like timed automata). Disregarding the well-known
issue of discrete vs. dense time, the important differences are:
Zeno behaviors: we admit infinite paths where time stays forever bounded.
This simplifies the exposition, and lets us use durations for counting things
other than elapsed time. It is however possible to rule our Zeno behaviors
with fairness constraints (see Section 5.3).
10
Atomicity of durations: during a transition s −
→ s′ , the system moves from
“s at some time t” to “s′ at t + 10”: between t and t + 10, there is no state
(or time) where the system is in. Hence s1 |= AG=2 ⊥ in Fig. 1 since no path
starting from s1 encounters a cumulative duration of 2. See section 7 for a
comparison with other semantics of durations.
3
Symbolic computation of minimum and maximum
delays
In this section, we present a symbolic algorithm for computing the minimum
delay between two sets of states. An algorithm for maximum delay would be
similar. As we explain below, this algorithm improves on earlier proposals in its
strategy for handling the durations that appear in the model.
The minimum delay between a set Start ⊆ S of starting states and a set
d1
→
Final ⊆ S of final states is the minimum d s.t. there is a finite path s0 −
dn
→ sn in S with s0 ∈ Start, sn ∈ Final , and d = d1 + · · · + dn [9]. The
s1 . . . −
minimum is ∞ if no such path exists. It is 0 when Start ∩ Final is non-empty,
or when Final can be reached from Start using only zero-transitions.
Symbolic model checking for simply-timed systems
5
Assume M = hS, S0 , R, Li is a TKS. Let dmax denote the highest duration
occurring as a label in R. For d = 0, . . . , dmax , write Rd for the relation {(s, s′ ) ∈
S
d
S2 | s −
→ s′ } and Rd′ for Rd \ e<d Re . Hence Rd relates states that are connected
by a transition with duration d and Rd′ also relates these states provided they are
not related by a “shorter” transition. Finally, write Dur for the set {d1 , . . . , dl }
(in increasing order) of all durations d with non-empty Rd and Dur ′ for the set
{d′1 , . . . , d′m } of all durations for which Rd′ is non-empty. Note that Dur contains
exactly the labels appearing in R (thus dl = dmax ) and that Dur ′ ⊆ Dur .
The procedure and its correctness proof. Algorithm 1 is a backward chaining
procedure computing minimum delays (Algorithms for modalities EF=0 and EU=0
1
2
3
4
5
6
7
8
9
10
11
function min_delay(Start,Final )
n ← 0;
Incr[0], Diff[0] ← EF=0 ( Final );
repeat {
if ( Start ∩ Diff[n] 6= ∅ ) { return(n); }
n++;
¯
S˘
Pre[Rd′ ](Diff[n-d]) | d ∈ Dur ′ ∧ 0 < d ≤n ;
aux ←
Diff[n] ← EU=0 ( ¬Incr[n-1], ¬Incr[n-1] ∩ aux );
Incr[n] ← Incr[n-1] ∪ Diff[n];
} until (n≥ dmax ∧ Incr[n] = Incr[n-dmax ]);
return(∞);
Algorithm 1: Algorithm for computing minimum delay
are discussed later, in section 4.1.) We prove correctness by showing that the
following two invariants hold whenever we enter the repeat loop:
h
i
0 ≤ i ≤ n ⇒ s ∈ Incr[i] iff s |= EF≤i Final
(Inv1)
h
i
0 ≤ i ≤ n ⇒ s ∈ Diff[i] iff s ∈ (Incr[i] \ Incr[i − 1])
(Inv2)
– (Inv1) and (Inv2) clearly hold the first time the loop is entered: n is 0 and
both Incr[0] and Diff[0] have been initialized correctly (by convention
Incr[−1] is empty).
– Once we are inside the loop, n is incremented. The last three lines of the
loop compute Incr[n] and Diff[n] for that new value. The following key
Lemma ensures that (Inv1) and (Inv2) are maintained.
Lemma 3.1. Assume n > 0. The following are equivalent:
(a) s |= EF≤n ϕ ∧ ¬EF<n ϕ.
d
1. s′ −
→ s′′ , and
′ ′′
′′
(b) ∃d ∈ {1, . . . , n}, ∃s , s ∈ S : 2. s |= EF≤n−d ϕ ∧ ¬EF<n−d ϕ, and
3. s |= E(¬EF<n ϕ)U=0 (s′ ∧ ¬EF<n ϕ).
d′
Additionally, (b) implies that there is no s′ −
→ s′′ with d′ < d.
6
N. Markey and Ph. Schnoebelen
– Once the invariants are established, we can check the return values. The
algorithm returns a number n iff it is the smallest value s.t. Start intersects
Diff[n]. This is correct by (Inv1) and (Inv2).
– The algorithm returns ∞ iff Incr[n] = Incr[n-dmax ] for some n ≥ dmax
s.t. Start does not intersect Incr[n]. In such a case, all Incr[m] for m ≥ n
are equal (stabilization has been reached at index n and detected at index
n + dmax ) and Final is not reachable from Start. Hence the returned value
is correct.
– Finally, the algorithm must terminate since, as can be seen from (Inv1), the
Incr[n]’s are increasing.
Some comments on the algorithm. When comparing this algorithm to the standard one (assuming durations are encoded as sequences of unit-length transitions
between intermediate states), it could be noted that we compute more Pre’s: The
standard algorithm computes one Pre and one union of BDDs per iteration of the
loop computing min, while Algorithm 1 computes (at most) dmax Pre’s and as
many unions per iteration. However, our computations use much smaller BDDs:
– When considering unit-length transitions, the sets of states computed by
the standard algorithm contain some “fake” intermediate states, leading to
larger BDDs and unnecessary computations that are not performed with our
algorithm;
– We split the transition relation into one transition BDD for each duration
occuring in the model.
Also, a specific feature of our algorithm is that it uses the Rd′ relations instead of the Rd ’s. This is correct in situations where shorter transitions have no
disadvantages (e.g. when looking for minimum delays, or for evaluating EU≤k
modalities). In practice, using Rd′ results in using smaller relations and a smaller
Dur ′ set. The difference between Rd and Rd′ can be dramatic in examples where
the system can nondeterministically pick any large enough duration for its steps,
as in the bridge benchmark (see Section 6);
OBDD-based implementation. Algorithm 1 leads naturally to an OBDD-based
implementation. As usual, we assume a state is given by the values of state
variables x1 , . . . , xm . The transition relation is an OBDD-encoded predicate
R(x1 , . . . , xm , d, x′1 , . . . , x′m ). Our implementation precomputes Dur ′ and the Rk′
relations for k ∈ Dur ′ . This only requires simple Boolean operations on OBDDs.
An OBDD for R′ is obtained via
R′ := ∀d′ [R ∧ (d ≤ d′ ∨ ¬R[d/d′ ])].
(1)
′
(Here R[d/d′ ] is R where d′ has been substituted for d.) Then Dur and Dur (in
predicate form) are obtained with:
Dur := ∃x1 , . . . , xm , x′1 , . . . , x′m R,
Dur ′ := ∃x1 , . . . , xm , x′1 , . . . , x′m R′ .
(2)
And, for k ∈ Dur (resp. in Dur ′ ), the relations Rk and Rk′ are obtained with:
Rk := ∃d(R ∧ d = k),
Rk′ := ∃d(R′ ∧ d = k).
(3)
Symbolic model checking for simply-timed systems
7
Some other implementation details are not so relevant. For example, observe that
it is not necessary to store all previous Incr[i] and Diff[i]: Our implementation
only stores the last 1 + dmax values.
4
Symbolic model checking of RTCTL properties
We describe algorithms for the main RTCTL modalities. As is usual in symbolic
model checking, these algorithms accept sets of states (corresponding to the
subformulae that are combined by the modality) and return a set of states,
where the compound formula holds.
4.1
Zero-duration conditions
Modalities with “=0” constraints play a special role, as seen in Section 3.
EU=0 : Formula EϕU=0 ψ holds in all states where it is possible to reach a state
satisfying ψ all the while visiting only states satisfying ϕ and only using
zero-length steps. Our procedure for the EU=0 modality mimics the standard
NuSMV routine for the (untimed) CTL modality EU, with the difference
that R0 rather than R is taken as the underlying transition relation.
EG=0 : This modality can be seen as a weak until: EG=0 ϕ means that ϕ must
hold until we (possibly) reach a state by firing a non-zero duration transition.
We use the modality EU=0 above for the strong until case, and add states
from which there exists a path verifying Gϕ and only using zero-steps.
AU=0 : Formula AϕU=0 ψ is equivalent to AF=0 ψ ∧ AϕUψ, and AF=0 ψ is equivalent to ¬EG=0 ¬ψ.
4.2
RTCTL modalities with ≤ k constraints
The procedures for the EU≤k and the EG≤k modalities work by computing iteratively a sequence Incr[0], Incr[1], . . . , Incr[k] of sets associated with EϕU≤i ψ
(resp. EG≤i ϕ) for i = 0, 1, . . . , k, and returning Incr[k] Other modalities with
≤ k constraints are readily obtained from the above ones.
We do not describe these procedures in more detail here since they are very
similar to the functions that compute minimum delays: Compare the specification for the sequence Incr[0], Incr[1], . . . and the invariant (Inv1).
4.3
RTCTL modalities with interval constraints
The EU[k..l] modality. For EU[k..l] we use Algorithm 2. Write w for the width
l − k + 1 of the interval [k..l] (and assume that both w and l are nonnegative).
Algorithm 2 performs l+1 steps, computing intermediary results. The same comments as for the minimum delay algorithm could be issued here: this algorithm
computes more Pre’s and unions than an equivalent algorithm with unit-length
transition, but they involve much smaller BDDs.
The correctness of the algorithm relies on the following Lemma:
8
N. Markey and Ph. Schnoebelen
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
function EUint(S1 , S2 , k, l)
w ← l − k + 1; i ← 0;
if (w≤0 || l<0) { return(FALSE) }
/* Initialization (step i=0)*/
for (j←1; j ≤min(w, dmax ); j++) { S˘
¯
Pre[Rd ](⊤) | d ≥j ) )
Incr[j] ← EU=0 ( S1 , S2 ∩ EF=0 (
}
for (j← w+1; j≤dmax ; j++) { Incr[j] ← ∅ }
Incr[dmax + 1] ← ∅
aux0, Res ← EU=0 ( S1 , S2 );
/* Loop (steps i=1..l)*/
for (i←1; i≤ l; i++) {
for (j←1; j≤ dmax ; j++) {
Incr[j] ← Incr[j+1] ∪ EU=0 ( S1 , S1 ∩ Pre[Rj ](Res) ) ;
}
Res ← Incr[1];
if (i<w) { Res ← Res ∪ aux0 }
}
return(Res);
Algorithm 2: Algorithm for EU[k..l]
Lemma 4.1. After step i, the following invariants hold for all j between 1 and
dmax + 1:
0
0
d
there is a path π = s −
→ ··· −
→ s′ −
→ s′′ · · · s.t.
(Inv4)
s ∈ Incr[j] iff (a) d ≥ j, and
(b) π |= S1 U[i+j−w..i+j−1] S2 .
s ∈ Res iff s |= ES1 U[i+1−w..i] S2 .
(Inv5)
Other modalities The algorithm for modality EG[k..l] is similar to the previous
one, and also has to consider “border case” paths never reaching an interesting
cumulative duration.
The modality AU[k..l] is handled using previous algorithms: We use the following equivalence, which holds whenever k > 0:
A(ϕU[k..l] ψ) ≡ AF[k..l] ψ ∧ AG<k (ϕ ∧ AX(AϕUψ))
Algorithms for modalities for “≥ k”-constraints are not described in the paper,
but they are very similar to the above ones.
5
TSMV: embedding our algorithms on top of NuSMV
We now describe how we implemented our algorithms on top of NuSMV [11].
The resulting model checker is called TSMV and is available at http://www.lsv.
ens-cachan.fr/~markey/TSMV/, together with all the examples of Section 6.
Symbolic model checking for simply-timed systems
9
Extending NuSMV was quite easy and, essentially, we added about 3.500
lines of C code in the model checking section of the tool. These implement the
procedures described in earlier sections (Algorithms 1, 2 and other timed modalities described in section 4), and the computations of sets Dur , Dur ′ , Dur ′′ and
relations Rd , Rd′ described in section 3.
5.1
Defining TKS’s
For describing TKS’s, we opted for the simplest and most practical solution.
When describing a model, we use normal NuSMV syntax and reserve an additional state variable, called duration, for specifying the duration of steps.
Hence, instead of specifying durational TKS steps of the form
d
′
hv1 , . . . , vm i −
→ hv1′ , . . . , vm
i
(TKS step)
we describe simple KS steps of the form
′
hv1 , . . . , vm , ⋆i −
→ hv1′ , . . . , vm
, di
(extended KS step)
For example, the TKS from Fig. 1 could be defined with
VAR
state: 1..3;
duration: 0..21;
TRANS
(state = 1 & next(state)=2 & next(duration) = 0)
| (state = 2 & next(state)=1 & next(duration) = 0)
| (state = 2 & next(state)=3 & next(duration) = 21)
...
More realistic examples can be found in Section 6.
Using this scheme has a number of benefits. It lets us reuse all the NuSMV
machinery for assembling and instantiating modules. Furthermore, it allows using symbolic constraints when defining sets of possible durations between states
(see e.g. the bridge example).
Once NuSMV has computed an OBDD for the transition relation of the
extended KS, it is easy to extract the relations of the underlying TKS, with the
projections and other Boolean operations described in Section 3.
5.2
Querying the TKS
TSMV reuses NuSMV syntax for RTCTL formulae. Additionally, we support
RTCTL modalities with right-open intervals. Computing minimum and maximum delays reuses NuSMV syntax too. For example, one would write:
SPEC AG>=4 (p2 -> AF<=21 ! p1)
COMPUTE MAX[p1 | p2, state = 2]
10
5.3
N. Markey and Ph. Schnoebelen
Extra features
As much as possible, TSMV reuses features from NuSMV. For example:
Fairness: For simplicity, our exposition in Section 2 did not mention fairness
issues. But fairness constraints à la SMV are allowed in TSMV, and only fair
paths are considered. Fairness constraints can involve the duration variable,
thus TSMV can express the so-called “non-Zeno” behavior.
Counter-example generation: In some cases, it is possible to reuse NuSMV
counter-example generation features. This could be done e.g. with “=0” constraints, that can easily be expressed in pure RTCTL (using the subformula duration=0). For other modalities, our algorithms do not rely enough
on NuSMV temporal primitives and we are developping our own counterexample generation functions for these cases.
6
6.1
Experimental results
The bridge-crossing problem
The problem. The bridge-crossing problem is a famous mathematical puzzle with
time critical aspects [21, 18]. A group of four persons, called P1, P2, P3 and P4,
cross a bridge at night. It is dark and one can only cross the bridge with a lamp.
Only one lamp is available and at most two persons can cross at the same time.
Therefore any solution requires that, after the first two persons cross the bridge,
one of them returns, carrying back the lamp for the remaining persons. The four
persons have different maximal speeds: here P1 crosses in 5 time units (t.u.),
P2 in 10 t.u., P3 in 20 t.u. and P4 in 25 t.u. When a pair crosses the bridge,
they move at the speed of the slowest person in the pair. Now, how much time
is required before the whole group is on the other side?
Bridge-crossing in TSMV. A person is described as an SMV module with his
crossing time as a parameter. His possible steps are to stay where he is, or move to
the other side. He can only cross when the lamp is on his side (and then the lamp
crosses with him). When he crosses, the transition takes at least his crossing time.
This way, when four persons are synchronized, the crossing time is any integer
greater or equal to the maximum crossing time of the crossing persons. The
complete system is obtained by combining four persons (four instances of the
same person module, with different crossing times) with a Boolean lamp value
keeping track of the position of the lamp, and adding a further constraint (an
INVAR in SMV) telling that at most two persons cross in one move. The system
is further labeled with two propositions: initial for the initial configuration,
and safe for the configurations where everyone is on the other side of the bridge.
We can ask how much time is required for crossing:
COMPUTE MIN[initial, safe]
The answer (60 t.u.) is obtained in a few milliseconds.
Symbolic model checking for simply-timed systems
11
It turns out that 60 t.u. is the best total crossing time from the initial configuration. But if we let people move freely and at some time ask them to cross
quickly, can it happen that they are in a configuration where more than 60 t.u.
are required? We ask
SPEC
AG EF<=60 safe
and get a negative answer: in some reachable configurations, more than 60 t.u.
are required.
Indeed, if we start after just one person has crossed, that person will have to
come back before we can implement the 60 t.u. solution. Hence 85 t.u. (=25+60)
are sometimes required. We check that this is indeed the worst case with
SPEC
(AG EF<=85 safe) & !(AG EF<=84 safe)
Comparison with related tools. The same example can be treated with NuSMV,
Verus or RAVEN. Since NuSMV and Verus only handle unit steps, we use the
method advocated in [7, p.106] and introduce a counter forcing several t.u. between actual system moves. It can be argued that these models are slightly more
cumbersome. With RAVEN, we can directly specify duration intervals for each
transitions, even though it internally considers the semi-continuous semantics.
The command COMPUTE MIN[initial, safe] produces the (correct) answer
but takes significantly more time with NuSMV, Verus and RAVEN than with
TSMV (see Table 1).
When verifying SPEC (AG EF<=85 safe) & !(AG EF<=84 safe) we obtain
a negative answer! This is because the semantical models are different. With
all three tools, the semi-continuous semantics introduces intermediary positions
along what are long steps in our TKS’s, and the AG modality quantifies over
these intermediate positions too.
It can be argued that the semi-continuous semantics is “better”, or closer to
specifier’s purposes. However, it makes verification more costly. Furthermore, it
is slightly less general: our TKS’s generalize unit-steps KS’s, while TKS semantics can only be simulated akwardly in KS’s. The previous example shows that
a counter-based encoding is not enough: one further has to adapt the RTCTL
formulae. For example, in the bridge problem, we can introduce a new proposition, crossing, labeling intermediate configurations that should not exist in the
TKS. Then the following formula is satisfied:
SPEC
6.2
AG (!crossing -> EF<= 85 (safe & !crossing)).
TSMV and sensitivity to scaling up the durations
The bridge problem is an example of a system where durations are mostly “long”
(greater than 1). Our algorithms are designed in such a way that only useful
durations are considered. As a result, TSMV is mostly insensitive to scaling up
the durations. When we define a model “bridge x 10” by replacing 5, 10, 20
and 25 with (resp.) 50, 100, 200, and 250, TSMV computes the minimum delay
of 600 t.u. in more or less the same time it needed for the initial problem 4 .
4
The TKS defined with bridge x 10 is not exactly a scaling up of bridge. It uses conditions of the form “duration >= 100” that allow all values 100, 101, 102, . . . , dmax .
12
N. Markey and Ph. Schnoebelen
TSMV
time
mem
NuSMV
time
mem
time
bridge
0.02 s
1.3 M
0.21 s
9.5 M
7.14 s
16.5 M
4.01 s
5.9 M
bridge×10
0.04 s
1.3 M
23.24 s
18.5 M
259.54 s
39.2 M
3 098 s
371 M
bridge×20
0.07 s
1.3 M
120.13 s
18.5 M
573.05 s
44.1 M
bridge×50
0.22 s
9.0 M
2 209 s
35.0 M
3 626 s
55.0 M
bridge×100 0.45 s
Verus
mem
RAVEN
time
mem
11.0 M 14 296 s 65.0 M 17 870 s 59.2 M
Table 1. Scale up (in)sensitivity
By contrast, the computation time for NuSMV, Verus and RAVEN increases
dramatically when we scale up the durations. In fact, there is no way to avoid
this: These tools do not know about TKS’s and are bound to compute all sets
associated with different values of the counter for intermediate states. Computing
these sets is a tedious and mostly repetitive task that cannot be avoided unless
a notion of TKS is introduced.
Table 1 shows how running time and memory requirements grow when we
scale up the timing parameters of the bridge problem.
6.3
Verifying the PCI local bus
A model of the PCI local bus was analyzed by Campos et al. in [8], computing
minimum and maximum delays with symbolic model checking techniques. This
model is a standard example that comes with the NuSMV distribution. We
refer to [8] for more explanations on this case study. The reader only needs
to know that it is a large example where NuSMV can show that a complete
transaction might take up to 244 steps, from the request of the bus to the end
of the transaction.
First of all, we added duration 1 to all transitions. This allows a direct comparison with NuSMV. In that case, we were able to prove the aforementioned
maximal time for a complete transaction, by adding the following lines to the
main module of the PCI model:
VAR duration: 0..1;
TRANS next(duration)=1
COMPUTE MAX[ req0, isa_bridge.end_transaction ]
COMPUTE MAX[ req1, scsi_ctrl.end_transaction ]
COMPUTE MAX[ req2, vga_ctrl.end_transaction ]
COMPUTE MAX[ req4, processor.end_transaction ]
(E1 )
For the isa_bridge and scsi_ctrl components, the result is 244. It is 130 for
the other two components (see explanations for this difference in [8]).
Counting specific kinds of events is possible. For instance, one can use durations to count the number of transactions issued on the PCI bus between a
request and a grant of each of the masters.
Symbolic model checking for simply-timed systems
DEFINE start_tr := processor.start_transaction |
vga_ctrl.start_transaction |
scsi_ctrl.start_transaction |
isa_bridge.start_transaction ;
VAR duration: 0..1;
TRANS next(duration)=case
start_tr: 1;
1
: 0;
esac
COMPUTE MAX[ req0, grant=0 ]
COMPUTE MAX[ req1, grant=1 ]
COMPUTE MAX[ req2, grant=2 ]
COMPUTE MAX[ req4, grant=4 ]
13
(E2 )
TSMV answers that up to 5 transactions might start between request and grant
for both the isa_bridge and the scsi_ctrl components, and 2 for the other
two masters. These are the values given in [8], where they were obtained with a
special condition counting Algorithm.
With the following lines, we count the amount of data the processor can
transfer between a request and its corresponding grant:
(in module bus_master)
VAR transmitting: boolean;
ASSIGN init(transmitting) := FALSE;
next(transmitting) := (count>next(count));
(in module main)
VAR duration: 0..1;
TRANS next(duration)=case
processor.transmitting : 1;
1
: 0;
esac
COMPUTE MAX[ req0, grant=0 ]
COMPUTE MAX[ req1, grant=1 ]
COMPUTE MAX[ req2, grant=2 ]
COMPUTE MAX[ req4, grant=4 ]
(E3 )
The result is 30 for the isa_bridge, the scsi_ctrl and the vga_ctrl, and 15
for the processor (the total amount of data that a master can transmit in one
“session” is limited to 15 in this model).
Last, we verify that, when a transaction is aborted, the component has to
request for the bus before being able to transmit anew. We verify this property
for the processor by counting only data transfers of the processor, and specifying
that, after abortion, he can transmit at most one bit of data if it does not assert
a new grant. This is achieved with the following additions to pci4p.smv:
(in module bus_master)
VAR transmitting: boolean;
ASSIGN init(transmitting) := FALSE;
next(transmitting) := (count>next(count));
(in module main)
VAR duration: 0..1;
TRANS next(duration)=case
processor.transmitting : 1;
1
: 0;
esac
SPEC AG ((processor.transmitting & abort) -> !E [ (!req4) U>=2 TRUE ] )
(E4 )
14
N. Markey and Ph. Schnoebelen
SPEC EF ((processor.transmitting & abort) ->
SPEC EF ((processor.transmitting & abort) ->
E [ (!req4) U= 1 TRUE ] )
E [ (!req4) U= 0 TRUE ] )
The table below summarizes the total time and memory consumption for the
four examples above. Since NuSMV does not handle zero-duration transitions,
it could only be applied in the first example:
time
21 228KB
TSMV
memory
26 932KB
(E2 )
69.59 sec.
24 340KB
(E3 )
306.74 sec.
31 780KB
(E4 )
178.37 sec.
time
186.34 sec.
(E1 )
7
NuSMV
memory
13.56 sec. 33 900KB
Table 2. Verification of the PCI local bus
Comparison with other work
On the semantics of time. Emerson et al. [13] pioneered the investigation of
RTCTL model checking on KS’s with unit-length transitions. Campos, Clarke
et al. [5, 10] and Kropf, Ruf et al. [14, 20] considered more general Timed Transition Systems (TTGs) where durations can be arbitrary (sets of) natural numbers.
The difference between these models and our TKS’s is that time in TTGs elapses
“semi-continuously”, i.e. using intermediate states, while TKS’s transitions are
atomic (see section 2.3). We chose atomic durations because they lead to more
efficient model checking algorithms [15]. When it comes to modeling actual systems, the semi-continuous semantics is perhaps more natural (but we did not
feel hampered by atomic durations in our case studies). Observe that it is easy to
simulate semi-continuous durations in atomic durations (by adding intermediate
states) while designing a simulation the other way around is more involved.
Another major issue is that consecutive zero-length transitions in TKS’s are
not amalgamated (which would make intermediate states disappear). Amalgamating these can make verification more efficient when zero-length transitions
are just internal micro-steps, as in [7]. But when zero-length transitions are used
in condition-counting applications, amalgamating them is costly (sometimes infeasible). Additionally, this loses a lot of the branching-time aspects that CTL
talks about. Finally, these two different ways of treating zero-length transitions
have very different applications.
On algorithmics. It may seem that our symbolic algorithms are not very different from earlier algorithms for RTCTL model checking: these procedures all
compute fixed-points iteratively. However, an important difference exists: all our
algorithms use information on what durations really appear in the model. In connection with the atomicity of durations, this leads to more efficient algorithms.
In particular, it makes model checking mostly insensitive to scaling up the durations, as illustrated in section 6.2. Additionally, the algorithms we designed for
Symbolic model checking for simply-timed systems
15
the “≥ k” and “≤ k” constraints benefit from considering a derived transition
relation where only maximal (resp. minimal) durations appear (see Section 3).
On implementations. Several symbolic algorithms for discrete-time models have
been published, and some of them consider models with arbitrary durations
on transitions. However, not all published algorithms have been implemented.
NuSMV and Verus only support unit-length durations. RAVEN uses the semicontinuous semantics and does not allow null durations. TSMV is, to our knowledge, the first tool dealing with (general) integer durations in discrete time models. Similarly, “≥ k” constraints are not available in the other tools.
8
Conclusion
We proposed OBDD-based symbolic verification procedures for model checking
RTCTL properties and for computing extremum delays. The underlying models
are (symbolic descriptions of) TKS’s, or state graphs where transitions carry an
arbitrary duration.
For the analysis of timed systems, this extends the verification facilities that
are offered in NuSMV (based on earlier work by Campos, Clarke et al.). Our
algorithms are implemented on top of NuSMV, and allow all combinations of
long, unit and zero-length steps. We also deal with an enlarged set of RTCTL
modalities, and offer procedures for computing extremum delays.
The procedures we propose take advantage of the TKS model: we do not
reduce a long step (e.g. 10 time units) to an implicit sequence of 10 unit steps.
A consequence is that the behavior of our model checking algorithm enjoys a
kind of insensitivity to scaling up of durations (a feature of tools based on timed
automata). This suggests that there exist ways of bridging the gap that still
exists between approaches à la SMV where clocks are considered like any other
discrete variable, and approaches based on timed automata, à la UPPAAL and
Kronos, still in need of efficient symbolic representations handling combinatorial
control and clock valuations.
References
1. B. Bérard, M. Bidoit, A. Finkel, F. Laroussinie, A. Petit, L. Petrucci, and Ph. Schnoebelen. Systems and Software Verification. Model-Checking Techniques and
Tools. Springer, 2001.
2. P. Bouyer. Forward analysis of updatable timed automata. Formal Methods in
System Design, 24(3):281–320, 2004.
3. J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic
model checking: 1020 states and beyond. Inf. & Comp., 98(2):142–170, 1992.
4. S. Campos. Verus 0.9 – Reference Manual. Pittsburgh, PA, USA, March 1997.
5. S. Campos and E. M. Clarke. Real-time symbolic model checking for discrete time
models. In T. Rus and C. Rattray, editors, Theories and Experiences for Real-Time
System Development, vol. 2 of AMAST Series in Computing, pp. 129–145. World
Scientific, 1995.
16
N. Markey and Ph. Schnoebelen
6. S. Campos and E. M. Clarke. Analysis and verification of real-time systems using quantitative symbolic algorithms. J. Software Tools for Technology Transfer,
2(3):260–269, 1999.
7. S. Campos and E. M. Clarke. The Verus language: representing time efficiently
with BDDs. Theor. Comp. Sci., 253(1):95–118, 2001.
8. S. Campos, E. M. Clarke, W. R. Marrero, and M. Minea. Verifying the performance of the PCI local bus using symbolic techniques. In Proc. 1995 Int. Conf. on
Computer Design (ICCD ’95), VLSI in Computers and Processors, Austin, TX,
USA, Oct. 1995, pp. 72–78. IEEE Comp. Soc. Press, 1995.
9. S. Campos, E. M. Clarke, W. R. Marrero, M. Minea, and H. Hiraishi. Computing
quantitative characteristics of finite-state real-time systems. In Proc. 15th IEEE
Real-Time Systems Symposium (RTSS’94), San Juan, Puerto Rico, Dec. 1994, pp.
266–270. IEEE Comp. Soc. Press, 1994.
10. S. Campos, M. Teixeira, M. Minea, A. Kuehlmann, and E. M. Clarke. Model
checking semi-continuous time models using BDDs. In Proc. 1st Int. Workshop
on Symbolic Model Checking (SMC’99), Trento, Italy, July 1999, vol. 23(2) of
Electronic Notes Theor. Comp. Sci. Elsevier Science, 1999.
11. A. Cimatti, E. M. Clarke, F. Giunchiglia, and M. Roveri. NuSMV: a new symbolic
model checker. J. Software Tools for Technology Transfer, 2(4):410–425, 2000.
12. E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. MIT Press, 1999.
13. E. A. Emerson, A. K. Mok, A. P. Sistla, and J. Srinivasan. Quantitative temporal
reasoning. Real-Time Systems, 4(4):331–352, 1992.
14. J. Frößl, J. Gerlach, and Th. Kropf. An efficient algorithm for real-time symbolic
model checking. In Proc. European Design and Test Conference (ED&TC’96),
Paris, France, Mar. 1996, pp. 15–21. IEEE Comp. Soc. Press, 1996.
15. F. Laroussinie, N. Markey, and Ph. Schnoebelen. On model checking durational
Kripke structures (extended abstract). In Proc. 5th Int. Conf. Foundations of
Software Science and Computation Structures (FOSSACS’2002), Grenoble, France,
Apr. 2002, vol. 2303 of Lect. Notes Comp. Sci., pp. 264–279. Springer, 2002.
16. K. G. Larsen, P. Pettersson, and Wang Yi. UPPAAL in a nutshell. J. Software
Tools for Technology Transfer, 1(1–2):134–152, 1997.
17. K. L. McMillan. Symbolic Model Checking. Kluwer Academic, 1993.
18. G. Rote. Crossing the bridge at night. EATCS Bull., 78:241–246, 2002.
19. J. Ruf. RAVEN: Real-time analyzing and verification environment. J. Universal
Comp. Sci., 7(1):89–104, 2001.
20. J. Ruf and Th. Kropf. A new algorithm for discrete timed symbolic model checking. In Proc. Int. Workshop Hybrid and Real-Time Systems (HART’97), Grenoble,
France, Mar. 1997, vol. 1201 of Lect. Notes Comp. Sci., pp. 18–32. Springer, 1997.
21. T. C. Ruys and E. Brinksma. Experience with literate programming in the modelling and validation of systems. In Proc. 4th Int. Conf. Tools and Algorithms for
the Construction and Analysis of Systems (TACAS’98), Lisbon, Portugal, Mar.
1998, vol. 1384 of Lect. Notes Comp. Sci., pp. 393–407. Springer, 1998.
22. S. Yovine. Kronos: A verification tool for real-time systems. J. Software Tools for
Technology Transfer, 1(1–2):123–133, 1997.