real-time model checking on secondary storage

Real-Time Model Checking on Secondary

StorageStefan Edelkamp and Shahid Jabbar Chair for Programming Systems and Compiler ConstructionComputer Science DepartmentUniversity of Dortmund, Dortmund, Germany

Edelkamp and Jabbar (Dortmund)

Real-time Model Checking on Secondary Storage

2

Real-Time Model Checking

Model checking of real time critical systems. Example: A rail-road crossing that has to follow strict time

constraints. Systems are modeled by Timed-Automata

Extension of ordinary automata with clocks and constraints.

s1 s2 s30 ≤ y ≤ 4

y ≤ 4

x ←0

x ←0

x ←0

y ≤ 4

Constraints

Reset

x and y are real-time clocks



3

Timed Automata A state in timed automata is a pair (l, u), where

l is the current location/state in the automata u:C IR is the Clock valuation function.

Two types of Transitions: Delay Transition: (l,u) (l, u+d) that increases the values of all clocks by a

positive real d. Edge Transition: (l,u) (l’, u’) that changes the location to l’. u’ is obtained

from u by executing the reset statements on the edges. Only possible if the constraints on the edge are satisfied by the clocks.

s1 s2 s30 ≤ y ≤ 4

y ≤ 4

x ←0

x ←0

x ←0

y ≤ 4Constraints

Reset




4

Priced Timed Automata Timed Automata extended with cost variables. Each transition can have a cost for taking it. Each location/state can have a cost for staying at it. Used in Scheduling – also in this paper.

s1 s2 s30 ≤ y ≤ 4

y ≤ 4

x ←0

x ←0

x ←0

y ≤ 4Constraints

Reset


c = 4c = 2c = c + 1 c = c + 4

Cost per unit time for staying at s1

Cost for taking the transition



5

Cost-optimal reachibility using Priced Timed Automata (UPPAAL-CORA) UPPAAL-CORA uses admissible but inconsistent heuristics as

guidance. the first solution found is not optimal. But can be taken as an upper bound to prune the non-promising states

– branch-and-bound.

cost

Search frontier

goal

Pruning value



6

Problems

Since clocks are real-values variables infinite state spaces.

Classical approach for proving decidability is to divide the state space into regions.

In practice, tools like KRONOS and UPPAAL use a Zone-based representation – a symbolic representation for sets of states.

Still the combinatorial explosion due to adding new components is inevitable.



7

Problem with the Virtual Memory

0x000…000

0xFFF…FFF

Virtual Address Space

Memory Page



8

External Memory Model (Aggarwal and Vitter)

Input of size N and N >> M

M

B

Disk

If the input size is very large, running time depends on the I/Os rather than on the number of instructions.

Scan(N) = O(N / B)

Sort(N) = O(N/B log M/B N/B)



9

External Breadth-First Search for Explicit Graphs (Munagala & Ranade, SODA-99)

A

t t+1

t+2

BCD

XYZAX

AXYZ

XYZ

Duplicates’ Removal

I: Remove Duplicates by sorting the nodes according to the indices and doing an scan and compaction phase.

II: Subtract layers t and t+1 from t+2.



10

External Breadth-First Branch-and-Bound in UPPAAL-CORA Can we use the same approach by Munagala and Ranade

here ? YES and NO Duplicate Elimination is not trivial!

A A

Search frontier

Trivial state spaces

(l,Z1)(l,Z2)(l,Z3)

(l,Z4)(l,Z5)(l,Z6)

A state (l,Z) is a duplicate of (l,Z’) iff Z Z’ and f(Z) f(Z’)

Zone Union – same

location but

different zones

cost

l: active locations in local automata Z: Zone - set of constraints satisfied by clocks

No total order on Zones => O(n^2) comparisons for each location

Real-Time state spaces



11

Bucket

A Bucket is a set of states, residing on the disk, having the same

g value, Where, g = number of transitions needed to transform the initial

state to the states of the bucket, No state is inserted again in a bucket that is expanded. If Active (being read or written), represented internally by a small

buffer.

File on disk

Buffer in internal memory

Insert state

when full, sort and flush



12

I/O Complexity of Breadth-First Branch-and-Bound Assumption: At least two zone unions can fit into the main

memory.

Expansion: O(scan(|V|)) I/Os Duplicates Removal:

Stage 1: Removal of duplicates within a layer. O(sort(|E|) I/Os for sorting, O(scan(|E|) I/Os for scanning and compacting.

Stage 2: Removal of duplicates wrt previous layers. Depends on the locality of the graph – the longest back-edge locality(G) x scan(|V|) I/Os

Cumulative Complexity: O(sort(|E|) + locality(G) x scan(|V|) I/Os.



13

External Breadth-First Branch-and-Bound



14

Problems with Breadth-First BnB Too much efforts until some solution is found. Solution:

Explore partial space to search for some solution. Increase the coverage of the space and improve

the solution.

Iterative Broadening External Breadth-First BnB



15

Iterative Broadening External Breadth-First BnB

cost

Search frontier

k=20%

40%

60%

80%

100%

Only pick best k% nodes for expansion.



16

Selection Criteria How can we guarantee that the

solution will be improved or at least remain the same ? Possible if

Selection Criteria: Best k% of the nodes PLUS All the states that have the same

cost as that of the last state of the selected list PLUS

All the sates that have the cost smaller or equal to the maximum cost selected in the previous iteration.

ll ilayerilayer )()( 1

i: layer number

l: iteration

Select the whole cost plateau

Select all plateaus from the previous

iteration



17

Iterative Broadening External BF BnB



18

Aircraft Landing Scheduling Problem1 runway 10 planesBeam

Width in %Given Upper

BoundNew Upper Bound Expanded States

1 ∞ 970 91

20 970 970 91

40 970 810 125

60 810 710 281

80 710 700 439

100 700 700 577

100 ∞ 700 31,458

External Breadth-First BnB



19

Aircraft Landing Scheduling Problem2 runway 20 planesBeam

Width in %Given Upper

BoundNew Upper Bound Expanded States

0.1 ∞ 1940 1,060

20 1940 1940 1,285

40 1940 1420 18,142

60 1420 1410 69,341

80 1410 1410 147,128

100 1410 1400 195,145

100 ∞ -- --

Out-of-space with External Breadth-First BnB



20

Alternate Modeling of Aircraft Landing Scheduling (Dierks, VVPS’05)

•3 runways but 13 clocks

•External Breadth-First BnB

•Harddisk usage = 311 Gigabytes

•RAM usage = 1.8 Gigabytes

•Time = 12 hours

Iterative Broadening did not pay off due to large cost plateaus

Incomplete exploration due to space constraints.



21

Issues in External Exploration Error trace:

No predecessor pointers! Save the predecessor with each state. Trace back from the goal state to the start state breadth-

wise. Disk space eaten by duplicate states:

Start “Early” Delayed Duplicate Detection



22

Summary & Outlook

Contribution External storage can provide the facility to save open and

closed lists. Iterative broadening strategy can outperform simple

breadth-first branch-and-bound. Future Work

Externality => promising for distributed execution by distributing a layer on multiple processors.

Can pause-and-resume your execution to add more harddisks.

Completely orthogonal - Can be combined with other state-space reduction techniques.

real-time model checking on secondary storage

Documents

germanyrealtime model

transitionrealtime model

s1s2s30 y

unit time

strict time constraints

real time critical systems

onb log mb nbrealtime

realtime clocksc