Published by Jose Raphael. Modified over 2 years ago.

Slide 1: Shortest Violation Traces in Model Checking Based on Petri Net Unfoldings and SAT
Victor Khomenko, University of Newcastle upon Tyne
Supported by IST project 2004-511599 (RODIN)

Slide 2: Shortest violation traces
- Can be much shorter than the first computed trace
- Do not contain incidental system activity unrelated to the found error
- Facilitate debugging, saving the designer's time

Slide 3: Petri net unfolding prefixes
- Partial-order semantics of PNs
- Concurrency represented explicitly, using an acyclic PN
- Alleviate the state space explosion problem
- Efficient model checking algorithms

Slide 4: Dining Philosophers
[Figure: Petri net of the dining philosophers (places P1–P14, transitions T1–T10) and its unfolding prefix]

Slide 5: Model checking on PN unfoldings
A Boolean expression is built from the prefix such that:
- it is unsatisfiable iff the property holds
- every satisfying assignment gives a violation trace
- it has the form CONF ∧ VIOL
- some of its variables are associated with the events of the prefix

Slide 6: CONF: Causality
If an event e is executed then its causal predecessors are also executed (it is enough to require that the direct predecessors of e are executed).
[Figure: unfolding prefix with an event e and its direct predecessors highlighted]

Slide 7: CONF: Conflicts
If an event e is executed then events in conflict with it cannot be executed (it is enough to require that the events in direct conflict with e are not executed).
[Figure: unfolding prefix with an event e and the events in direct conflict with it highlighted]

Slide 8: VIOL: Deadlock
For every e: either some direct predecessor is not executed, or an event in direct conflict has fired, or e itself has fired.
[Figure: unfolding prefix with an event e highlighted]

Slide 9: Computing shortest traces
input: a Boolean expression (CONF ∧ VIOL)
output: T, a shortest violation trace, or UNSAT

  A := SAT_Assignment(expression)
  if A = UNSAT then T := UNSAT; stop
  T := Extract_Trace(A); r := |T|; l := 0
  while l < r do
      t := (l + r)/2
      A := SAT_Assignment(expression ∧ Threshold_t)
      if A = UNSAT then l := t + 1
      else T := Extract_Trace(A); r := |T|
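The encoding of slides 5–8 and the search of slide 9, worked through in Python as an added example that is not part of the slides. It uses a small constructed prefix with made-up event names, the CONF (causality, conflict) and VIOL (deadlock) clauses, an "at most t events" threshold, a minimal DPLL solver and the binary search on the trace length. Two substitutions are mine: the threshold is a sequential-counter encoding rather than the adder-tree circuit the slides describe, and the SAT solver is a toy DPLL so that the whole thing runs offline.

```python
"""Shortest deadlock trace via SAT plus binary search on a threshold constraint.

Added example, not code from the slides. The prefix below is constructed;
the threshold encoding (sequential counter) and the DPLL solver are stand-ins
for the adder circuit and the external SAT solver the slides assume.
"""

# Constructed prefix: event -> (direct causal predecessors, events in direct
# conflict). After 'a' fires, 'c' and 'd' compete for the same condition.
PREFIX = {
    "a": ((), ()),
    "c": (("a",), ("d",)),
    "d": (("a",), ("c",)),
    "e": (("c",), ()),
    "f": (("e",), ()),
    "g": (("d",), ()),
}


def encode_conf_viol(prefix):
    """CONF and VIOL(deadlock) as CNF (lists of signed ints), one variable per event."""
    var = {e: i + 1 for i, e in enumerate(prefix)}
    clauses = []
    for e, (preds, conflicts) in prefix.items():
        clauses += [[-var[e], var[p]] for p in preds]        # causality: e fired => pred fired
        clauses += [[-var[e], -var[f]] for f in conflicts]   # conflict: never both fire
        # deadlock: a predecessor is missing, or a rival has fired, or e itself has fired
        clauses.append([-var[p] for p in preds] + [var[f] for f in conflicts] + [var[e]])
    return clauses, var


def at_most(xs, k, first_aux):
    """Sequential-counter CNF for sum(xs) <= k; auxiliary variables start at first_aux."""
    n = len(xs)
    if k == 0:
        return [[-x] for x in xs]
    if k >= n:
        return []
    s = lambda i, j: first_aux + (i - 1) * k + (j - 1)      # s(i, j): at least j of x1..xi fired
    cls = [[-xs[0], s(1, 1)]] + [[-s(1, j)] for j in range(2, k + 1)]
    for i in range(2, n):
        cls += [[-xs[i - 1], s(i, 1)], [-s(i - 1, 1), s(i, 1)], [-xs[i - 1], -s(i - 1, k)]]
        for j in range(2, k + 1):
            cls += [[-xs[i - 1], -s(i - 1, j - 1), s(i, j)], [-s(i - 1, j), s(i, j)]]
    cls.append([-xs[n - 1], -s(n - 1, k)])
    return cls


def solve(clauses, assignment=None):
    """Minimal DPLL: a dict var -> bool satisfying every clause, or None if UNSAT."""
    assignment = dict(assignment or {})
    changed = True
    while changed:                                   # unit propagation to a fixpoint
        changed = False
        for cl in clauses:
            vals = [None if abs(l) not in assignment else assignment[abs(l)] == (l > 0) for l in cl]
            if True in vals:
                continue
            free = [l for l, v in zip(cl, vals) if v is None]
            if not free:
                return None                          # clause falsified
            if len(free) == 1:
                assignment[abs(free[0])] = free[0] > 0
                changed = True
    unassigned = sorted({abs(l) for cl in clauses for l in cl} - set(assignment))
    if not unassigned:
        return assignment
    for val in (True, False):                        # branch on the lowest free variable
        model = solve(clauses, {**assignment, unassigned[0]: val})
        if model is not None:
            return model
    return None


def extract_trace(prefix, var, model):
    """Events fired in the model, listed in an order that respects causality."""
    fired = {e for e in prefix if model.get(var[e])}
    trace = []
    while len(trace) < len(fired):
        trace += sorted(e for e in fired - set(trace) if set(prefix[e][0]) <= set(trace))
    return trace


def shortest_violation_trace(prefix):
    """Slide 9: first trace, then binary search on |T| with a threshold constraint."""
    clauses, var = encode_conf_viol(prefix)
    event_vars = [var[e] for e in prefix]
    model = solve(clauses)
    if model is None:
        return None, None                            # UNSAT: no deadlock reachable
    first = trace = extract_trace(prefix, var, model)
    lo, hi = 0, len(trace)
    while lo < hi:
        t = (lo + hi) // 2
        model = solve(clauses + at_most(event_vars, t, len(event_vars) + 1))
        if model is None:
            lo = t + 1                               # no violation with <= t events
        else:
            trace = extract_trace(prefix, var, model)
            hi = len(trace)
    return first, trace


if __name__ == "__main__":
    first, shortest = shortest_violation_trace(PREFIX)
    print("first trace:   ", first)
    print("shortest trace:", shortest)
```

On this prefix the solver's first answer is the four-event deadlock through c, e, f, while the binary search settles on the three-event deadlock through d and g; the difference is exactly the "incidental activity" slide 2 says a shortest trace leaves out.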

Slide 10: Threshold constraint
- First build a Boolean circuit and then translate it into a Boolean expression (linear translation is possible by adding new variables)
- Try to minimize the changes in the circuit if the threshold changes – good for incremental SAT
[Figure: counter circuit over n inputs, labelled O(log n)]

Slide 11: Implementation of the counter
Size (if n is a power of 2):
- 4n − 2·log₂ n − 4 auxiliary variables
- 16n − 10·log₂ n − 16 clauses
- 52n − 36·log₂ n − 52 literals
- Linear translation
- Large multiplicative constants

Slide 12: Exploiting conflicts
- Events in a conflict cluster are mutually exclusive
- An ∨-gate (OR-gate) can be used as a counter
[Figure: unfolding prefix with a conflict cluster highlighted]

Slide 13: Implementation of the counter
- Significant gains if the number of clusters is much smaller than the number of events
- Need to partition the prefix into the minimum number of conflict clusters
- An NP-complete problem (reduction from partition into cliques)
- A greedy algorithm can be used in practice
[Figure: counter over n inputs built from ∨-gates]

Slide 14: Exploiting causality
- If an event in a cluster has fired, some event in a preceding cluster has also fired
- If Cl 1

Slide 15: Implementation of the counter
- A sort-adder is simpler than a conventional one!
[Figure: sort-adder circuit over n inputs built from ∨-gates]

Slide 16: Partitioning into chains of clusters
- Gains if the number of ordered chains of clusters is small
- Need to partition the conflict clusters into the minimum number of ordered chains
- The problem can be reduced to maximum matching in bipartite graphs and solved in polynomial time, but this might be inefficient due to the need to work with an implicitly represented graph
- A greedy algorithm can be used in practice

Slide 17: Experimental results
- The first computed violation trace can be much longer than a shortest one – computing shortest violation traces can indeed greatly facilitate the debugging process
- The number of conflict clusters is by many orders of magnitude smaller than the number of events – significant reductions in the size of the threshold constraint

Slide 18: The ideal case
If the adder tree can be implemented as a single ∨-gate:
- 1 (rather than 4n − 2·log₂ n − 4) auxiliary variables
- n + 1 (rather than 16n − 10·log₂ n − 16) clauses
- 3n + 1 (rather than 52n − 36·log₂ n − 52) literals
Improvement ratios for n: variables: ; clauses: 16; literals: 17⅓
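Slides 12, 13 and 18 in code, as an added example that is not taken from the slides: a constructed direct-conflict relation on a few events, the greedy first-fit partition into conflict clusters that slide 13 suggests in place of the NP-complete optimum, one OR-gate per cluster acting as that cluster's counter, and the size formulas of slides 11 and 18 side by side. The event names and conflict relation are made up; the "conventional" sizes are the slides' formulas, not a counter built here.

```python
"""Conflict clusters as counters (slides 12, 13, 18).

Added example, not code from the slides. The conflict relation is constructed;
the conventional-counter sizes are the closed forms quoted on slide 11.
"""
from itertools import product
from math import log2

# Constructed direct-conflict relation (symmetric): a#b, a#c, b#c and d#e; 'f' conflicts with nothing.
CONFLICTS = {
    "a": {"b", "c"}, "b": {"a", "c"}, "c": {"a", "b"},
    "d": {"e"}, "e": {"d"}, "f": set(),
}


def greedy_conflict_clusters(conflicts):
    """First-fit partition of the events into conflict clusters (cliques of the conflict graph).

    Finding the minimum number of clusters is NP-complete (slide 13); this greedy pass is
    the practical substitute. Inside a cluster every pair is in conflict, so at most one
    event of the cluster fires in any configuration.
    """
    clusters = []
    for e in conflicts:
        for cl in clusters:
            if all(f in conflicts[e] for f in cl):
                cl.append(e)
                break
        else:
            clusters.append([e])
    return clusters


def or_gate_clauses(inputs, out):
    """Tseitin clauses for out <-> (x1 v ... v xn): n+1 clauses, 3n+1 literals, 1 aux var."""
    return [[-x, out] for x in inputs] + [[-out] + list(inputs)]


def cluster_counter(conflicts):
    """One OR-gate per conflict cluster; its output is the number of fired events (0 or 1)."""
    var = {e: i + 1 for i, e in enumerate(conflicts)}
    clusters = greedy_conflict_clusters(conflicts)
    clauses, outputs = [], []
    for k, cl in enumerate(clusters):
        y = len(var) + 1 + k                     # one auxiliary variable per cluster
        outputs.append(y)
        clauses += or_gate_clauses([var[e] for e in cl], y)
    stats = {"aux_vars": len(outputs), "clauses": len(clauses),
             "literals": sum(len(c) for c in clauses)}
    return clauses, outputs, stats


def gate_counts_exactly(inputs, out):
    """Check that under mutual exclusion the gate output equals the number of fired inputs."""
    clauses = or_gate_clauses(inputs, out)
    for bits in product((False, True), repeat=len(inputs)):
        if sum(bits) > 1:
            continue                             # cannot happen inside a conflict cluster
        assign = dict(zip(inputs, bits))
        for y in (False, True):
            assign[out] = y
            sat = all(any(assign[abs(l)] == (l > 0) for l in c) for c in clauses)
            if sat != (y == (sum(bits) == 1)):
                return False
    return True


def conventional_counter_size(n):
    """Slide 11: size of the adder-tree counter over n events (n a power of 2)."""
    lg = int(log2(n))
    assert 2 ** lg == n, "the closed forms on slide 11 are stated for n a power of 2"
    return {"aux_vars": 4 * n - 2 * lg - 4,
            "clauses": 16 * n - 10 * lg - 16,
            "literals": 52 * n - 36 * lg - 52}


def ideal_counter_size(n):
    """Slide 18: the whole prefix is one conflict cluster, so a single OR-gate suffices."""
    return {"aux_vars": 1, "clauses": n + 1, "literals": 3 * n + 1}


def improvement_ratios(n):
    """Conventional size divided by ideal size; clauses tend to 16, literals to 52/3."""
    conv, ideal = conventional_counter_size(n), ideal_counter_size(n)
    return {key: conv[key] / ideal[key] for key in conv}


if __name__ == "__main__":
    print(greedy_conflict_clusters(CONFLICTS))
    print(cluster_counter(CONFLICTS)[2])
    print(improvement_ratios(2 ** 20))
```

The toy relation collapses six events into three clusters, so three OR-gates replace six counter inputs; with all events pairwise in conflict the stats from `cluster_counter` coincide with `ideal_counter_size`, which is the single-gate case of slide 18.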

Slide 19: Experimental results: variables
[Chart]

Slide 20: Experimental results: clauses
[Chart]

Slide 21: Experimental results: literals
[Chart]
