# Verification of Real-Time Systems with BDD-like Data-Structures

Document Sample

```					 ATVA’2003 Tutorial

Verification of Real-Time Systems
with BDD-like Data-Structures

Farn Wang
Dept. of Electrical Engineering
National Taiwan University
1
Real-Time Systems
but only at the right time !!

Aviation             Nuclear reactors
Battlefield          Medical monitors
Missles              Chemical plants
Sonars               Multimedia

2
Real-Time Systems
What is a Real-Time Systems？
but only at the right time !!
Example：Synchronous Machine Guns
A service that is not at the right time can be worse
than no service!!

3
Schütte-Lanz SL2 airship
bombing Warsaw

Courtesy of Rosebud’s WWI and   4
early Aviation Image Archive
Wrights, the beginning of flight era

Courtesy of Rosebud’s WWI and   5
early Aviation Image Archive
The beginning
of air-combat

An imaginary
solution to air-
combat

Difficult to
aim in 3D
maneuver
Courtesy of Rosebud’s WWI and
early Aviation Image Archive 6
Sopwith Camel

Courtesy of Rosebud’s WWI and
early Aviation Image Archive    7
VII
S.254

Courtesy of Rosebud’s
WWI and early
Aviation Image Archive
8
WWI
dogfight

空中纏鬥

Courtesy of Rosebud’s
WWI and early Aviation
Image Archive            9
Timed automata
real-time system behaviors:
• In 500ms, update the actuators every
50ms, until the target is hit.

x:=0; z:=0                      x、 z are real-number clocks of
monitor   the same rate.
x<500ms
z50ms

z=50ms                              hit
z:=0;                                             10
Timed Automata
A=Q, X, I, , E, , 
Q:   set of control locations
X: set of clocks
I : initial constraints
 : Q(P,X)；invariance constraint at
locations
EQQ : set of transitions
 : E (P, X)；triggering conditions
 : E 2X : clocks to reset at transitions
11
A=Q, X, I, , E, , 
Q={monitor，hit}         E={(monitor,monitor),(monitor,hit)}
X={x,z}                        (monitor ,monitor): z =50
I=hit                         (monitor, hit): true
(monitor): x  500z  50     (monitor ,monitor): {z}
(hit): true                  (monitor, hit): {}

monitor
x:=0; z:=0           x  500ms
z  50ms

z=50ms                         hit
12
z:=0
TCTL
(Timed Computation-Tree Logic)
 ::= q | xc |  | 12 | x. | 1U2 | 

Example：It is possible that I will get my
salary at the 7th day.
day.(day=7salary)
Example：No matter what, I will be married
in 10 years.
year.(year < 10married)
13
TCTL
(Timed Computation-Tree Logic)
Example：After you are married, you can
remain happy in five days.
(married day.  (day<5 happy))

Example：After you are married, you will
remain happy in five days.
(married  day.  (day<5 happy))
14
TCTL verification complexities
• TCTL model-checking problem against
timed automata is PSPACE-complete.
• TCTL satisfiability problem is undecidable.
Alur, Cocoubetis, Dill. IEEE LICS 1990

15
Zones
basic objects for manipulation and representation
a (convex) state-space bounded by constraints
like
• x-x’ < d, x,x’  X; d  N{}
• x-x’  d, x,x’  X; dN
Features:
• convex
• the reachable state-space is a union of zones
• can intersect with one another nondisjoint paths
• can contain one another  redundancy
• non-canonical  needs normal (or canonical) forms
16
Zones
Two zones
(0-x1-3 x1-x2<5 x2-x1<4)(0-x2<-2 x2-x1<4)
Can also be viewed as a union of set of literals,
{0-x1-3, x1-x2<5, x2-x1<4}{0-x2<-2, x2-x1<4}
0-x1<-3
x1-x2<5
x2

x2-x1<4

0-x2<-2
17
x1
Zones
(0-x1-3 x1-x2<5 x2-x1<4)(0-x2<-2 x2-x1<4)

Normal forms
closure form: all-pair shortest-path form
(0-x1-3 0-x2<2x1-x2<5 x2-x1<4)
(0-x2<-2 0-x1<2x2-x1<4)
always the most number of constraints
reduced form: minimum number of constraints

(0-x1-3 x1-x2<5 x2-x1<4)
(0-x2<-2x2-x1<4)
18
Symbolic manipulation of dense-time
state-space
[Henzinger, et al, IEEE LICS 1992]
s0              y 15                 s1
p  x 3  y  x+5      y:=0            q  x+6  y+8

What is the weakest precondition in s0 that
• can transition from S0 to S1？
xtion_bcke(η) : the weakest preconditoin after
transition e ？
• after time  0 , remains in s0？
time_bck(η) : the weakest precondition toηthrough
time-progress？                    19
xtion_bcke(η) : the weakest
preconditoin after transition e ?

s0           y 15              s1
p  x 3  y  x+5   y:=0         q  x+6  y+8

Source                      assignment    Destination
invariance     trigger
invariance

p  x 3  y  x+5 y 15  y(y=0  x+6  y+8η)

How to get rid of the y ?
20
time_bck(η) : the weakest precondition
toηthrough time-progress？
s0 +                         s0
+
p  x 3  y  x+5          p  x 3  y  x+5
Destination
Source           Time              invariance
invariance       progress

px3 yx+5  (0  x+ 3  y+x++5η)

How to get rid of the  ?
21
How to get rid of the  ？
s0 +                            s0
+
p  x 3  y  x+5             p  x 3  y  x+5

Pairwisely，deduce all transitivities through 
p  y  x +5   (0    2-x      15-y    3-x)
independent of         at RHS             at LHS
0           15-y        0  15-y , 0  3-x
2-x         3-x           2-x  15-y , 2-x  3-x
Thus we get： p  y  x +5  y15  x 3  y-x13
22
TCTL Model checking procedures
• Basic procedures
– Xtion_bcke(η)
• weakest precondition of discrete transitions
– Time_bck(η)
• backward time-progression
• Reachable-bck(η1,η2) ≡
lfpY.(η2(η1time_bck(η1VeTxtion_bck(Y,e))))

23
Model checking with Non-Zeno
requirement
• Lemma: given d1, A,
ν╞ηiff there is a finite runρ
–   fromν
–   of duration d
–   along ρ every state satisfies ηand
–   ρ ends at a state satisfying η
• η≡gfp Y.(ZC.reachable-bck(η,YZCd))

24
The BDD-like Data-Structures

Farn Wang

Dept of Electrical Engineering
National Taiwan University

NSC 90-2213-E-002-132.

25
Background
up to 2000, many proposals for BDD-like data-
structures for dense-time state-spaces.
• NDD, DDD, CDD, RED
• None of them shows advantage over DBM.
Motivation for this research
Find out the reasons and ways for
improvements.

26
Related work
• BDD: for untimed systems [Bryant 86; Burch, Clarke, et al, 90]
• DBM: 2-dimensional matrix for a region. [Dill 89]
• NDD: BDD to encode discrete time state-spaces.
[ABKMPR97]
• CDD: a decision diagram for dense-time state-space
membership [BLPWW99]. Like CRD, except:
– default value is (- , ).
– a value [c,d] of variable x-x' means cx-x‘d.
• DDD: variable like x-y~ c [WME92,Balarin96,MLAH99]
– Exponential number of BDD atoms
• RED: encode the ordering of the fractional parts of
clock readings with a single-bit varible [Wang 00]
– for symmetric systems                           27
What we have done in this research ?
Identication of reasons for ineffiency in previous
research:
• semantics of the variables; and
• choice of normal forms
Such issues have not been paid proper attention in
the past.
• Proposal of CRD and its efficient manipulations
• Experiments.
• Tools available at: http://cc.ee.ntu.edu.tw/~val/
28
CRD: Clock-Restriction Diagram
• A BDD-like data-structure
• Recording device for (zone) DBM set
• variables like x-x’
• Arc values like (<, d), d [-CA,CA]{}; or
(, d), d [-CA,CA]
• Default value on arcs: (<, )
– No constraint!
29
CRD Example
(0-x1-3 x1-x2<5 x2-x1<4)(0-x2<-2 x2-x1<4)

0-x1                    0-x1                           0-x1     (-3,)
(-,-3]
-3          <     (-,-3]          (-,)
0-x2             0-x2
x1-x2        0-x2     x1-x2          0-x2
[-2,)                    (-,-2)
<5          <-2    (-,5)           (-,-2)               (-,-2)
x2-x1                   x2-x1             x1-x2                x1-x2
<4                      (-,4)          (-4,5)              (-4,)
true                    true                          true

(a) CRD with            (b) CRD with               (c) equivalent CDD
interval                   with disjoint
upperbounds             representation                          30
intervals
Representation fragmentation of CDD
Two zones
(0-x1-3 x1-x2<5 x2-x1<4)(0-x2<-2 x2-x1<4)
CDD is forced to represent it in 3 disjoint zones.
0-x1
(-,-3]
0-x1<-3                          0-x2             0-x2
x2                                 [-2,)
(-,-2)
x1-x2                x1-x2
x2-x1<4                     x1-x2<5                          (-4,)
(-4,5)
true
0-x2<-2
31
x1
Sensitivity to variable semantics
Representation fragmentation of CDD
Example: (0x141x25)(1x150x24)
x1-0        x1-0               x1-0
[0,1)             (4,5]
[0,4]       [1,5]                     [1,4]
x2-0       x2-0      x2-0      x2-0        x2-0
[1,5]       [0,4]                    [0,5]
[1,5]             [0,4]
true        true               true

CDD representation fragmentation problem!
•Exponential blow-up in sizes
•Destroying the shape of analyzed zones                32
Sensitivity to variable semantics
On the other hand, CRD prevails.
Example: (0x141x25)(1x150x24)
0-x1    0-x1             0-x1           Linear to the
-4      -1      -4        -1          sizes of
components
x1-0     x1-0     x1-0           x1-0
Preserve zone
0      5       0              5
structures
0-x2    0-x2     0-x2            0-x2
-1      -4      -1         -4
x2-0     x2-0     x2-0        x2-0
5       0       5          0

true    true             true                      33
Sensitivity to variables semantics
A family of state-spaces with n clocks that blows up CDD,
1  i  n 1  j  n ((i + j)%n)  xj  2n + ((i + j)%n)
Caution: such fragmentation problem also may nullify
previous analysis effort on zones.
clock count       2       3    4    5     6     7       9      11 13              15
CDD node counts       4   12   31    73   162    346    1479    6064   24469      98166

arc counts       6   23   78   238   663   1721   10056   52427   256674    1210285

CRD node counts       7   16   29   46    67     92     154     232      326        436

arc counts       8   18   32   50    72     98     162     242      338        450

34
Sensitivity to choice of normal forms
In general, reduced CRDs have much fewer nodes along each path!
{0-x2<-3, x1-x31, x2-x1<-4}
0-x2         0-x1                 0-x1
<-3           <-7                  (-,-7)
x1-x3        0-x2                 0-x2
1           <-3                  (-,-3)
x2-x1        0-x3                 0-x3
<-4           <-6                  (-,-6)
true         x1-x3                x1-x3
1                   (-,1]
x2-x1                x1-x2
CRD in            <-4 CRD in           (4, ) CDD in
reduced form   x2-x3 closure form   x2-x3       closure form
<-3                  (-,-3)
35
true                 true
Sensitivity to choice of normal forms
Reduced CRDs are less likely to interfere
data-sharing!     (x1-x2<3  x3-x16  x3-x26)
(x1-x2<3 x3-x16)        (x1-x45  x3-x16  x3-x411)
 (x1-x45 x3-x16)
x1-x2
x1-x2                                   <
<3
<                            x1-x4
<3                                             5
x1-x4
x3-x1          x3-x1
6                 6
x3-x1          reduced                             closure
x3-x2          x3-x4
6                     <-9            11
36
true                          true
Sensitivity to choice of normal forms
Reduced form makes it difficult to detect zone-containment.
(x1-x3  -1  x3-x2  -2  x2-x1  3)
x1-x2
 (x1-x3  -1  x3-x1  1)             -3       <
x2-x1
x2-x1                                3
3                     Note, it is O(n3)       x1-x3          x1-x3
<                          -1                   -1
x1-x3          x1-x3    to deduce the           x3-x1          x3-x1
-1                -1   all-pair             1
x2-x3            1
x3-x2          x3-x1    shortest-path       2
-2              1                             x3-x2
relation.                              closure
true                                  -2
reduced                                                   true      37
Contained zone-path elimination
 A node with single outgoing arc labeled <
can be bypassed.
x-x’
 Given two arcs, when           ~1d1       ~2d2
– ~1d1 more restrictive than ~2d2
– D1 D2
D1            D2
then D1 can be removed.
slim
The operation MAY or MAY NOT
lead to smaller CRD sizes.                   x-x’
~1d1           ~2d2
Don't know how to do this
with CDD.
D1-D2          D2
38
Set-oriented manipulations on CRDs
Given two CRDs D1:{1, 2}\$ and D2:{2, 3},
 D1  D2 is the CRD for {2}          O(|D1||D2|)
 D1  D2 is the CRD for {1, 2 , 3} O(|D1||D2|)
 D1 - D2 is the CRD for {1}          O(|D1||D2|)

Space-intersection: D1  D2
 For every 1(x,x')= (~1,d1) and 2(x,x')= (~2,d2)
12(x,x') = (~1,d1) if d1<d2  (d1==d2  ~ ==“<'')
(~2,d2) otherwise
 D1D2 ={12 | 1 D1;2 D2}       O(|D1|2|D2|2)
39
BDD+CRD
Can combine BDD with CRD in the
same data-structure.
D1  D2 is like D1  D2
D1  D2 is like D1  D2
D1 - D2 is like D1  D2
with integrated evaluation ordering.

40
Style of CRD manipulating algorithm
set ; /* database of already-processed cases */
(B,D) {  = ; return rec(B,D); }
rec(B, D) with B=(xB-xB',(i, Bi)1i n),D =(xD-xD',(j, Dj)1j m) {
if B==true, return D; else if D is true, return B;
else if H,(B,D,H), return H;
else if xB-xB‘ precedes xD-xD‘, H:=(xB-xB‘ , (i, rec(Bi,D))1i n;
else if xD-xD‘ precedes xB-xB‘, H:=(xD-xD‘ , (j, rec(B, Dj)1j m;
else {
for (i=n, j= m, H=false; i1j  1, do {
if i == j , { H= H  (xB-xB‘, (i , rec(Bi,Dj))); i--; j--; }
else if i< j, { H= H  (xB-xB‘, (j, Dj)); j--; }
else if i> j, { H= H  (xB-xB‘, (i , Bi)); i--; }
}
if I  1, H= H  (xB-xB‘, (h , Bh)1 h i);
if j  1, H= H  (xB-xB‘, (h , Dh)1 h j);
}
 =   {(B,D,H)}; return H\$;                                            41
}
Computation of closure CRDs
closurep() {
for x X,
for x1, x2  X,
if (x1,x)+ (x,x2) (x1,x2),
(x1,x2)= (x1,x)+ (x,x2);
return  ;
}

Does not respect the evaluation-ordering of BDD-like
data-structures!
Random-accessing is expensive.

42
Computation of closure CRDs
Reformulation of closure form computation:
closurep() {
for x X, {
for x1, x2  X such that x1-x precedes x-x2,
if (x1,x)+ (x,x2) (x1,x2),
(x1,x2)= (x1,x)+ (x,x2);
for x1,x2  X such that x1-x succeeds x-x2,
if (x1,x)+ (x,x2) (x1,x2),
(x1,x2)= (x1,x)+ (x,x2);
}
return  ;
43
}
Computation of closure CRDs
closurep(D) { for xX, D= xtive(D, x); return D; }
clock L, M, R; upperbound ; set Ψ, Φ;
xtive(D, x) { Ψ = ; M=x; return rec_xtive(D); }
rec_xtive(D) with D=(x-x', (i, Di)1 i m) {
if D is true, return D; else if H,(D,H)  Ψ, return H;
H:=false;
if x is M, for i= 1 to n, {
D'= rec_xtive(Di); R=x';  = i ; Φ = ;
H= H (x-x' i rec_xtive_right(D'));
}
else if x' is M, for i= 1 to n, {
D'= rec_xtive(Di); L=x;  = i ; Φ = ;
H= H  (x-x' i rec_xtive_left(D'));
}
else H=1in (x-x' i rec_xtive(D'));
Ψ := Ψ  {(D,H)}; return H;                              44
}
Computation of closure CRDs
rec_xtive_left(D) with D=(x-x', (i, Di)1 i m) {
if D is true, return D; else if H,(D,H)Φ, return H;
if x is M, H= 1in (x-x'i  L-x'(+ i) rec_xtive_left(Di);
else H= 1in (x-x'i  rec_xtive_left(Di);
Φ= Φ  {(D,H)}; return H;
}
rec_xtive_right(D) with D=(x-x', (i, Di)1 i m) {
if D is true, return D; else if H,(D,H)Φ, return H;
if x is M, H= 1in (x-x'i  x-R(+ i) rec_xtive_right(Di);
else H= 1in (x-x'i  rec_xtive_right(Di);
Φ= Φ  {(D,H)}; return H;
}                                                            45
DRC: a new normal form
(Difference-Reduced Closure)
Specifically bound to our variable-ordering constraints:
x-0 and 0-x‘      precede             x-x'
magnitude constraints            difference constraints

 Magnitude constraints are used commonly in
modelling.
 x-x' is magnitude-redundant if it can be derived from
x-0 and 0-x‘
DRC CRD
 Identical to closure form except all magnitude-
redundant constraints are eliminated.

46
TCTL Inevitability Analysis of
Dense-Time Systems
Farn Wang
Dept. of Electrical Engineering, National Taiwan University

Geng-Dian Hwang, Fang Yu
Institute of information science, Academia Sinica

47
Outline
•   Why ?
•   TCTL inevitability analysis
•   Performance solutions
•   Experiments
•   Strategy for combinations of techniques

48
Why ?
• Motivation
– Efficiency for general TCTL model-checking.
• The state-of-art
– Safety properties: 
• Negation: reachability properties: 
– Least fixpoint evaluation
• Heavily researched for efficient evaluation
• nonZeno requirement, not very necessary
– Inevitability properties: 
• Kind of parallel to liveness properties in LTL
• Negation: 
– Greatest fixpoint evaluation
• Not very much researched for efficient evaluation
49
• nonZeno requirement necessary
Our contribution
• a symbolic greatest fixpoint algorithm with
non-Zeno requirement
• Techniques for performance solution
– Timing distance to measure non-Zenoness
– Early Decision on the Greatest Fixpoint
– Abstraction techniques
• Experiments to evaluate the techniques
• Strategies to combine techniques

50
Outline
•   Why ?
•   TCTL inevitability analysis
•   Performance solutions
•   Experiments
•   Strategy for combinations of techniques

51
Gfp procedure
• η≡gfp Y.(ZC.reachable-bck(η,YZCd))

• gfp(η){
Y:=η; Y’:=true;
Repeat until Y=Y’,{
Y’:=Y;
Y:=Yclock_eliminate
( ZC=0reachable-bck(η,YZCd), ZC);
}
return Y;
}
52
Outline
•   Why ?
•   TCTL inevitability analysis
•   Performance solutions
•   Experiments
•   Strategy for combinations of techniques

53
Performance solutions
Goal:
• To build an arsenal of on-the-shelf
reduction techniques

54
EDGF: early decision on GFP
evaluation

• Observation
– The state space shrinks iteratively
• Basic idea
– Stop at a gfp iteration if already no target states
are in the gfp.
• Cost
– Small extra computation

55
EDGF: early decision on GFP evaluation

Example:
TargetIdentifiedTargetHit
• After negation,
TargetIdentified    TargetHit
• Can quit evaluation iff

56
Tolerating Zenoness
• Observation
– Well-designed ystems may satisfy inevitability
properties even for non-Zeno computations
• Less expensive procedure
η≡gfp Y.(ηtime-bck(ηVeTxtion_bck(Y,e)))
– Over-estimate the greatest fixepoints

57
Abstract model-checking with TCTL
• A safe abstraction
– Over approximate with subclass TCTL of TCTL
• Extend procedure of reachable-bck
– Reachable-bckO(η1,η2)
≡ lfpY.abs(η2(η1time_bck(η1
VeTxtion_bck(Y,e))))
• abs()
– A generic abstraction procedure
– In our tool red, we have implemented
• Game abstraction
• Game discrete abstraction
• Game magnitude abstraction                  58
Outline
•   Why ?
•   TCTL inevitability analysis
•   Performance solutions
•   Experiments
•   Strategy for combinations of techniques

59
Experiments
red 4.1: Our implementation
• A full TCTL mode-checker/simulator
• CRD (Clock-Restriction Diagram)
– VMCAI’2003
• Counter-example
• Coverage estimation for TA symbolic
simulation
– FORTE’2003
60
Experiments
Benchmarks
• PATHOS real-time operating system scheduling
specification
– (pending3running3)
– (parent1=NULLi:i1,(parentiNULLparenti<i))
• CSMA/CD protocol
– A: ((transm1transm2)x.(x<26bus_idle))
– B: ((transm1x152)wait1)
– C: (bus_idle(bus_collisionbus_idle))

Pentium 4 / 1.7GHz / 256MB / Linux
61
Performance w.r.t
parameter for measuring time-
progress
• Learn how to choose the value of time-progress
parameter d for verification performance

PATHOS

62
Performance w.r.t
parameter for measuring time-
progress
• Learn how to choose the value of time-progress
parameter d for verification performance

Election

63
Performance w.r.t
parameter for measuring time-
progress
• Learn how to choose the value of time-progress
parameter d for verification performance

CSMA/CD
(A)

64
Performance w.r.t
parameter for measuring time-
progress
• Learn how to choose the value of time-progress
parameter d for verification performance

CSMA/CD
(B)

65
Performance w.r.t
parameter for measuring time-
progress
• Learn how to choose the value of time-progress
parameter d for verification performance

CSMA/CD
(C)

66
Performance w.r.t.
non-Zeno and EDGF
benchmar   Concu     No non-Zeno requirement          non-Zeno requirement
ks         rrency

EDGF            No EDGF          EDGF              No EDGF
time/space, O/M: Out of memory
pathos     3 proc.   0.09s/18k       0.1s/18k         0.08s/17k         0.09s/17k
5 proc.   6.52s/857k      6.65s/859k       1.17s/114k        1.28s/114k
7 proc.   O/M             O/M              30.71s/942k       31.16s/941k
Leader-    3 proc.   0.28s/33k       0.28s/33k        0.25s/84k         0.24s/84k
election
5 proc.   10.01s/234k     10.07s/234k      11.23s/1164k      11.17s/1164k
7 proc.   206.7s/1693k    205.7s/1693k     860.5s/42062k     859.7s/42062k
CSMA/CD    bus+3     0.24s/49k       0.66s/63k        3.09s/191k        98.33s/191k
(A)
bus+5     2.39s/378k      8.47s/625k       195.14s/4501k     6021s/7036k
CSMA/CD    bus+3     1.52s/62k       1.52s/62k        28.67s/151k       34.88s/151k
(B)
bus+5     10.94s/239k     11.58s/239k      235.48s/765k      283s/766k
CSMA/CD    bus+3     0.14s/49k       0.21s/49k        0.29s/79k         5.51s/183k
(C)
bus+5     1.32s/286k      2.44s/285k       6.73s/1045k       173.82s/2724k
bus+7     16.32s/2364k    32.84s/2367k     166.14s/10652k    4558s/27993k 67
Performance w.r.t.
abstraction techniques
benchma    Concur    No abs.          Game abs.       Game-discrete   Game-magnitude
rks        rency                                      abs.            abs.
time/space
pathos     3 proc.   0.08s/17k        0.11s/17k       0.09s/17k       0.1s/22k
5 proc.   1.17s/114k       1.16s/71k       1.2s/71k        8.55s/674k
7 proc.   30.71s/942k      6.66s/175k      8.62s/175k      6890s/62321k
Leader-    3 proc.   0.25s/84k        0.25s/84k       0.23s/84k       0.25s/84k
election
5 proc.   11.23s/1164k     11.71s/1164k    11.38s/1164k    11.39s/1164k
7 proc.   860.6s/42062k    854.8s/42123k   861.5s/42123k   8667.7s/42123k
CSMA/C     bus+3     3.09s/191k       3.35s/191k      1.33s/191k      3.35s/191k
D(A)
bus+5     195.14s/4501k    29.89s/2529k    16.96s/2529k    29.8s/2529k
CSMA/C     bus+3     28.67s/151k      2.73s/88k       3.91s/85k       2.73s/88k
D(B)
bus+5     235.48s/765k     9.54s/290k      14.72s/281k     9.54s/290k
CSMA/C     bus+3     0.29s/79k        0.19s/79k       0.18s/79k       0.19s/79k
D(C)
bus+5     6.73s/1045k      2.85s/1045k     2.90s/1045k     2.85s/1045k
bus+7     166.14s/10652k   47.64s/10652k   47.84s/10652k   47.64s/10652k
68
Performance w.r.t.
Kronos 5.2
benchma    Concurr   No abs.             extrapolation      inclusion            convex-hull
rks        ency
Time, Q/N/C: can’t construct automata, O/M: out of memory
pathos     3 proc.   0.01s               0.01s              0.02s                0.02s
5 proc.   Q/N/C               Q/N/C              Q/N/C                Q/N/C
Leader-    3 proc.   0.01s               0.01s              0.01s                0.01s
election
5 proc.   Q/N/C               Q/N/C              Q/N/C                Q/N/C
CSMA/C     bus+3     0.01s               0.01s              0.01s                0.01s
D(A)
bus+5     0.31s               0.31s              0.32s                0.32s
CSMA/C     bus+2     8.67s               8.68s              8.65s                8.71s
D(B)
bus+3     O/M                 O/M                O/M                  O/M
CSMA/C     bus+2     2.69s               2.70s              2.72s                2.69s
D(C)
bus+3     O/M                 O/M                O/M                  O/M

69
Semiformal verification
• or Symbolic simulation
• or Symbolic trajectory evaluation
Use BDD to represent symbolic traces for
better coverages.

70
Numerical Coverage Estimation for the
Symbolic Simulation of Real-Time Systems

Farn Wang
EE, National Taiwan University, Taiwan, ROC

Geng-Dian Hwang, Fang Yu
71
Outline
• Introduction
• Previous work
• Framework of verification
• TA arc coverage metric (ACM)
• Back-and-forth region coverage metric
(RCM)
• Triggering-condition coverage metric
(TCM)
• Experiments                             72
Introduction
• 50+% development resource  Verification & Integration
– Depends on coverage metrics to measure
• progress and
• Confidence
Mythical ? /* not the issue of this work */
– Still cannot get enough coverage before project deadline
• Formal verification: new hope ?
– Intrinsic high complexity!
– Functional completeness!
• Simulation + Formal verification  Symbolic Simulation
–   Using symbolic states for a set of concrete states
–   Using symbolic traces instead of concrete traces
–   Forward simulation: strongest postcondtion calculation
–   Backward simulation: weakest precondition calculation
73
Why Symbolic Simulation ?
State-Space

74
What is coverage ?
• Partition the verification function into portions
• A portion is visited if one of its elements is visited.
• Use the
# visited portions
coverage =
# all portions
to evaluate the progress of verification.

EXAMPLE
•   FSM ARC: elementsarcs;         portions  arcs
•   Line:    elements code lines; portions  code lines
•   State:  elementsstates;      portions  states
•   Region:  elementsstates;      portions  regions 75
Why coverage ?
• Too many functional elements (e.g. states)
to visit!
– To save the development budget,
• Make the portions big enough
• only visit a representative in each portion
• Need a number to tell your boss

76
Why Symbolic Simulation ?
(revisited)
In a dense or infinite-state systems,
state coverage of concrete traces is always 0.

Needs
• Symbolic traces with nonzero volume
• New coverage metrics for infinite and
dense systems
77
Previous work
• VLSI industry
–   Statement
–   transition
–   abstraction of models and semantic control over transition coverage
–   observability issue
• GOTCHA: Generator of Test Cases for Hardware
Architecture
– a prototype coverage-driven test generator implemented as an extension of
the Murphi model-checker
• Coverage "completeness" w.r.t. CTL [Ho, et al]
• simulation + formal verification [Dill]
Coverage estimation for dense and infinite
systems ????                                                                78
Framework of verification
System model: timed automata (TA)
A=(Q, X, I, , E, , )
Symbolic Simulate(A, p) /*A is a TA; p is the safety state predicate.*/ {
Compute the estimation f of the whole target function F.
:=the initial condition of A;
do {
Select   , T’ E;
 :=   eT’ next(A,  ,e)
Compute the estimation v of the verified proportion
Print the numerical coverage estimation v/f
} until (fixpoint is reached or v/f > threshold or p)
}                                                                       79
Criteria for good coverage metrics
• Accountability: Each portion is accounted for
once and only once.
• Coverability: 100% coverage can be done.
– A tight estimation of the function!
• Discernment: risk states and non-risk states
fall in different portions.
Interestingly, people seldom talk about what
makes of good coverage metrics.
80
TA arc coverage metric (ACM)
• Portions: arcs of TAs
– (1,7), (1,10), (4,7), (4,10), (2,8), (5,8), (3,6,9)

Idle                   Idle                   Idle
1               3       4        6           7
!start           2           !start    5                      8          9
x1=0;        !end ?collision x2=0; !end ?collision ?start    ?end
!collision !collision
x1<=5                  x2<=5
10
busy                   busy            busy                 collision
?start

Sender 1              Sender 2                       Bus
81
TA arc coverage metric (ACM)
• ACM can very often be too coarse to discern risk states

accountabilit   coverability   efficiency   discernment
y
ACM        O               O              O            X

82
Back-and-forth region coverage metric
(RCM)
How to estimate state-coverage
for dense-time systems ?
• Concrete state: (q, ),   R+
• Symbolic state: ([q,q’], ),
– : Boolean formulus of c ~ x-x’ ~’ c’
Three Challenges
• tight estimation of the target  coverability
• estimation of a zone  rough estimation of
volume, ……
• estimation as a set of zones  accountability
83
Challenge I: tight estimation of the target
function

• How to get rid of as much irrelevant states
as possible ?
• The target = F  B
– F = the untimed quotient structure of the state-
space of A from initial states
– B = the magnitude quotient structure of the
backward reachable state-space from risk states

84
Challenge II: coverage estimation of a zone

• For the efficiency, we intuitively compute something
like a normalized volume.
• For each constraint, partition the real number lines
into the following 4Cmax+3 basic intervals
(-∞, -Cmax),[-Cmax,-Cmax],…,[-1,-1],(-1,0),[0,0],(0,1),[1,1],…,[Cmax,Cmax], (Cmax, ∞)

• For example, |-3≤x-x’<2| is 10
• The normalized volume of (Q’,K) is
| q'q  1 |                      | c ~ x  x' ~' c' |
 
|Q|       c ~ x  x '~' c '     4C max 3
85
Challenge II: coverage estimation of a zone

Encoding in implementation |-3≤x-x’<2| = 3-(-6)+1=10
Assume Cmax is 5
(-∞, -5) -5 -4 -3 -2 -1 0 1 2 3 4 5 (5, ∞)

-10 -8 -6 -4 -2   0   2   4 6 8       10

integer points
-11 -9 -7 -5 -3 -1 1 3 5           7 9        11

86
Open intervals between integers
Challenge III: estimation for a set of zones
• Zones may intersect with one another and
accountability may not be maintained
• DBMs do not work since they may intersect.
x2                    (0<x1≤3  2<x2<4  x2-x1<3)
 (2<x1<5  1<x2<3)

0                         x1
87
Challenge III: estimation for a set of zones

(0<x1≤3  2<x2<4  x2-x1<3)
 (2<x1<5  1<x2<3)
x1
x2                                       (0,2]                    (3,5)
(2,3]

x2                    x2     [3,4)
x2
(1,2)
(2,4)                      [2,3)                (1,3)
x1-x2                 x1-x2
(0,2)
x1-x2                 x1-x2      (-2,0] x1-x2
(-3, 0)                 (-1,1]
(0,4)
0                            x1
true                 88
(4,∞)
recVolumeCDD(D)
if D is true, return 1;
else if (D,R)Φ, return R;
else if D is a BDD (x,(I1,D1),…,(In,Dn)),
R=(Σ1in |Ii| recVolumeCDD(Di))/Ux
else if D is a CDD (x,(I1,D1),…,(In,Dn)),
R=(Σ1in |Ii| recVolumeCDD(Di))/(4Cmax+3)
Φ = Φ (D,R);
return R;
89
Challenge III: estimation for a set of zones

(0<x1≤3  2<x2<4  x2-x1<3)
 (2<x1<5  1<x2<3)
x1
x2                                         (0,2]                 (3,5)
(2,3]
(3/23)*(5/23)            17/529               21/529
x2               x    2   [3,4)
x    2
(1,2)
(2,4)     3/23             [2,3)
4/23               (1,3)
x1-x2             x1-x2
(0,2)
4/23                    7/23
x1-x
5/232               x1-x2        (-2,0] x1-x2
(-3, 0)                (-1,1]
(0,4)
0                             x1
true              90
(4,∞)
Back-and-forth region coverage
metric (RCM)
• RCM may result in low coverability.
• It is difficult to efficiently and tightly estimate
the reachable state-space.

accountability   coverability   efficiency   discernment

ACM        O                O              O            X

RCM        O                X              O            O

91
Triggering-condition coverage
metric (TCM)
• A balance between ACM and RCM
• Function: triggering conditions of all transitions
• Normalized volume of  =
eT normalized volume of abstracte((e))
• abstracte() eliminates constraints irrelevant to (e).
 less portions

92
Triggering-condition coverage
metric (TCM)
accountability   coverability   efficiency   discernment

ACM     O                O              O            X

RCM     O                X              O            O

TCM     O                O              O            O

93
Experiments with Bluetooth L2CAP
• The L2CAP defines the actions performed by
a master and a slave

94
Coverage estimation when there is no fault
1           4/97    0.00           0.167816   7.39           0.004092   0.02
2           8/97    0.00           0.173442   7.39           0.382901   0.02
3           12/97   0.00           0.174279   7.40           0.783131   0.02
4           20/97   0.01           0.175273   7.41           0.799498   0.02
5           36/97   0.02           0.232154   7.41           0.813138   0.03
6           42/97   0.03           0.295386   7.41           0.815525   0.04
7           64/97   0.05           0.408160   7.42           0.884971   0.06
8           76/97   0.08           0.561395   7.43           0.920890   0.08
9           88/97   0.12           0.956820   7.44           0.971241   0.11
10          94/97   0.17           0.965724   7.45           0.975507   0.15
11          94/97   0.22           0.974428   7.46           0.975507   0.18
12          95/97   0.28           0.975538   7.48           0.976530   0.22
13          97/97   0.34           0.975783   7.49           1.000000   0.26
14          97/97   0.40           0.981319   7.50           1.000000   0.29
15          97/97   0.47           0.981338   7.52           1.000000   0.33
16          97/97   0.55           0.982733   7.54           1.000000   0.36
17          97/97   0.63           0.982734   7.56           1.000000   0.40
18          97/97   0.70           0.982734   7.57           1.000000   0.44
95
Coverage estimation when there is a fault
• Six L2CAP faulty models
• Two simulation strategies
strategy        Faulty model   depth   ACM     RCM        TCM        Risk state
reachable?
Depth first     1              66      71/98   0.355262   0.958950   Yes
2              64      71/98   0.354993   0.958950   Yes
3              26      27/97   0.293884   0.437878   Yes
4              96      90/97   0.924978   0.963982   Yes
5              64      63/97   0.355688   0.948209   Yes
6              62      61/97   0.357885   0.936412   Yes
Breadth first   1              11      95/98   0.932724   0.975532   Yes
2              11      95/98   0.943274   0.975532   Yes
3              9       88/97   0.564228   0.971241   Yes
4              7       64/97   0.294859   0.884971   yes
5              10      92/97   0.898077   0.973172   Yes
6              9       79/97   0.660754   0.949243   Yes   96
Testing of real-time systems
• Issues in the design of a good coverage metrics
for dense systems
• Techniques to estimate dense state-space
Groundwork for new research direction
• Test & simulation coverage of dense systems

(input,time)   (010, 3)   (110, 10) (001, 12)   (000, 18)   (100, 22)

Input has to be fed in at the right times to track the suspicious traces.
97

```
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
 views: 9 posted: 5/3/2012 language: pages: 97