1. Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods
Sanjit A. Seshia and Randal E. Bryant
Computer Science Department
Carnegie Mellon University

2. Alur, Courcoubetis, & Dill, ‘90
Timed Automata
Alur, Courcoubetis, & Dill, ‘90
A modeling formalism for timed systems
e.g., Real-time systems, Timed asynchronous circuits
Generalization of finite automaton with:
Non-negative real-valued clock variables
Can only be reset to 0 or another clock
Constraints on clocks as guards on states and transitions
You could highlight different constructs on the diagram as you talk about them. Mention how the overall automaton invariant is constructed from the formulas labeling each discrete state.
Mention discrete and continuous parts of the state space arising from the two types of state variables.
x1 ¸ 3 / x1 := 0
s=false
x1 · 10
x2 · 8
s=true
x1 · 5
x1 ¸ 4 Æ x2 ¸ 6 / x2 := 0

3. Model Checking the Timed m Calculus
System Properties expressed in the Timed m calculus [Henzinger et al. ’94]
Can express Timed CTL
Dense time version of CTL
Two kinds of TCTL formulas:
Reachability properties: Safety and bounded liveness
E.g. AG (file requested  AF· 5 (file received))
Non-reachability properties: Unbounded liveness
E.g. AG . z:= 0 . EF (z = 1) [non-zenoness]
Expand on kinds of properties – I have used the definition of non-zenoness that Henzinger used in his tutorial talk last year

4. Symbolic vs. Fully Symbolic Unbounded Model Checking
State space has Boolean and real-valued components
SYMBOLIC
FULLY SYMBOLIC
Separate representation for real and Boolean components
Combined representation for real and Boolean components
Example: Two symbolic states
(b, x ¸ 3), (: b, x ¸ 3)
Example: Combined state set
x ¸ 3
The problem we’re interested in is Unbounded Model Checking and we can classify existing approaches to fall into two categories…. [expand]
Improve the example
Model Checkers: Uppaal, Kronos
Model Checkers: RED, DDD (Difference Decision Diagram), Our approach

5. Unbounded, Fully Symbolic Model Checking
[Henzinger, Nicollin, Sifakis, Yovine ’94]
Set of states represented as a formula f in separation logic (SL)
Boolean Combinations (Æ, Ç, :) of
Boolean variables: ei
Separation Predicates: xi ¸ xj + c, xi > xj + c
Also called “difference-bound” constraints
0 represented as special variable x0
Adding quantifiers over clock and Boolean variables gives quantified separation logic (QSL)
Fundamental model checking operations
Image computation: Quantifier elimination for QSL
Termination check: Validity checking for SL

6. Our Approach Use Boolean encoding of separation predicates
Quantifier Elimination in QSL:
Eliminating quantifiers over real variables in QSL  Eliminating quantifiers over Boolean variables in quantified Boolean formulas (QBF)
Validity checking of SL:
By translation to SAT [Strichman, Seshia, Bryant, CAV’02]
Make clear that we use quantifier elim engine for QBF not a QSAT solver

7. Talk Outline Pre-image Computation via QSL Quantifier Elimination
QSL Quantifier Elimination  QBF Quantifier Elimination
Exploiting Special QSL Formula Structure
Optimizations
Preliminary Experimental Results
Conclusions & Future work

8. Pre Operator 2 Timed Pre, pret Discrete Pre, pred x1 := 0 b := true
b = false x1 x2
b = true
b = true x2 x1 2
b = true x2 x1
time elapse
b = true x2 x1
Might want to highlight the Boolean part by making it yellow on dark green background

9. Pre Operator pre(f) , pred(f) Ç pret(f)
pred(f) does not require quantifier elimination
pret(f) is expressed in Quantified Separation Logic (QSL)
Define pre operator more generally in model checking – define discrete and timed pre operators pictorially (Henzinger respectively calls them jumps and flows and you could use that terminology if u want)
IMP: make up a backup slide to answer questions why the discrete pre does not require quantifier elimination (because of guarded cmd notation)
Also add backup slide to answer questions about “post” operators

10. Timed Pre Operator in QSLf
Explain axes – 2 clock system. Show intersection of red and blue regions first. Explain what each part of the formula means pictorially.
Say that you won’t go into details of the QSL formula just yet; the main point to take away is that computing pre_t(\phi) needs one to eliminate quantifiers over real variables.
pret(f) , 9 d . d · x0 Æ f [d / x0]

11. Timed Pre Operator in QSLf
finv
Explain axes – 2 clock system. Show intersection of red and blue regions first. Explain what each part of the formula means pictorially.
Say that you won’t go into details of the QSL formula just yet; the main point to take away is that computing pre_t(\phi) needs one to eliminate quantifiers over real variables.
pret(f) , 9 d . d · x0 Æ f [d / x0] Æ e ( d · e · x0 ) finv[e / x0] )
finv is the conjunction of all state guards

12. Quantifier Elimination Problem
Start with QSL formula w, where w , 9 xa . f
To handle 8 xa . f, start with 9 xa . : f, and negate the result
Need to find SL formula f’ such that w , f’
Previous approaches:
Enumerate DNF terms in f
Perform Fourier-Motzkin elimination on each
Differ in data structure used to represent f
Problem: Can be exponentially many DNF terms
E.g., Difference Decision Diagrams (DDDs) [Møller et al. ’99], RED [Wang ’03]

13. Example: Difference Decision Diagrams (DDDs) [Møller et al. ’99]
9 x3 . (x1 ¸ x3 Ç x3 ¸ x1+2) Æ x0 ¸ x3-5 Æ x3 ¸ x2
x1 ¸ x3
x3 ¸ x1 + 2
x3 ¸ x2
x0 ¸ x3 - 5 1
x1 ¸ x2
x0 ¸ x2 - 5 1
(x1 ¸ x2 Æ x0 ¸ x2-5) Ç (x0 ¸ x1-3 Æ x0 ¸ x2-5)
x0 ¸ x1 - 3
x0 ¸ x2 - 5
x1 ¸ x3
x3 ¸ x2
x1 ¸ x2

14. QSL Quantifier Elimination via QBF Quantifier Elimination
Start with w , 9 xa . f
Quantifier elimination done in 3 steps:
Translate w to another QSL formula w’ where:
w’ has quantifiers only over Boolean variables
w is equivalent to w’
Encode w’ as a QBF
Eliminate Boolean quantifiers and translate the result back to a SL formula f’

15. Step 1: Real to Boolean Quantification
9 x3 . (x1 ¸ x3 Ç x3 ¸ x1+2) Æ x0 ¸ x3-5 Æ x3 ¸ x2
(e1 Ç e2) Æ e3 Æ e4 e1
x1 ¸ x3 e2
x3 ¸ x1 + 2 e3
x0 ¸ x3 - 5 e4
x3 ¸ x2 Æ
9 e1, e2, e3, e4 .
(e1 Æ e4) ) (x1 ¸ x2)
Æ (e2 Æ e3) ) (x0 ¸ x1 - 3)
Æ (e3 Æ e4) ) (x0 ¸ x2 - 5)
Transitivity Constraints
Rename eij variables to be easier to read, like in DAC?

16. Step 2: Encode Remaining Separation Predicates
(e1 Ç e2) Æ e3 Æ e4 e1
x1 ¸ x3 Æ
9 e1, e2, e3, e4 . e2
x3 ¸ x1 + 2
(e1 Æ e4) ) (x1 ¸ x2)
Æ (e2 Æ e3) ) (x0 ¸ x1 - 3)
Æ (e3 Æ e4) ) (x0 ¸ x2 - 5) e5
x1 ¸ x2 e3
x0 ¸ x3 - 5 e6
x0 ¸ x1 - 3 e7
x0 ¸ x2 - 5 e4
x3 ¸ x2
Rename eij variables to be easier to read, like in DAC?
Transitivity Constraints

17. Step 3: Eliminate Quantifiers and Map back to SL
(e1 Ç e2) Æ e3 Æ e4 Æ
9 e1, e2, e3, e4 . e1
x1 ¸ x3
(e1 Æ e4) ) e5
Æ (e2 Æ e3) ) e6
Æ (e3 Æ e4) ) e7 e2
x3 ¸ x1 + 2 e3
x0 ¸ x3 - 5
(e5 Æ e7) Ç (e6 Æ e7) e4
x3 ¸ x2
Rename eij variables to be easier to read, like in DAC? e5
x1 ¸ x2 e6
x0 ¸ x1 - 3
(x1 ¸ x2 Æ x0 ¸ x2-5) Ç (x0 ¸ x1-3 Æ x0 ¸ x2-5) e7
x0 ¸ x2 - 5

18. Evaluating Our Approach
Our approach avoids enumerating DNF terms of f
Can use either BDD or SAT methods for quantifier elimination (or a combination)
BDD-based method: Can exploit quantifier scheduling heuristics
SAT-based method: Rely on SAT solver to enumerate DNF terms in f’
Number of transitivity constraints is at most O(m2) where m is number of separation predicates in f

19. Exploiting Structure of pret
Consider QSL formulas of the form:
9 e . e · x0 Æ f [e / x0]
Recall that x0 stands for 0
Can exploit special structure to generate fewer quantified Boolean variables
Can similarly handle 9 e . e ¸ x0 Æ f [e / x0]
Half of all quantifier elimination operations

20. A Region in R2 f

21. Shifting the Region by e
x1= x0 + c
x1= e + c x2 e e
f [e / x0] for e · 0 x1

22. Geometric Interpretation of Quantified Formula
9 e . e · x0 Æ f [e / x0] is shaded region plus f
x1 ¸ c
x2 · c’
x2 - x1 ¸ c’’ x2
45° x1
Observation:
Only lower bounds on f are eliminated;
Upper bounds and diagonals remain intact

23. Quantifier Elimination Strategy
To eliminate e from 9 e . { e · x0 Æ f [e / x0] }
Introduce existential quantifiers only over Boolean variables encoding lower bound predicates in f (bounds of the form xi ¸ c)
Generate only those transitivity constraints involving lower bound predicates
Empirically, results in times speedup
Back up second bullet with numbers, or make more precise

24. Optimization: Checking if Bounds are Conjoined
Avoid generating transitivity constraints wherever possible
9 x2 . x1 ¸ x2 Ç x2 ¸ x3
x1 ¸ x2 and x2 ¸ x3 not conjoined, hence no transitivity constraint generated
“Conjunctions matrix” [Strichman, FMCAD’02]
9 x2 . (x1 ¸ x2 Æ x2 ¸ x3) Ç x3 > x2
x1 ¸ x2 and x2 ¸ x3 not conjoined in minimized DNF of quantifier-free part
9 x2 . x1 ¸ x2 Ç x3 > x2
Can check easily using BDDs
Improve the explanation of transitivity constraints generating new BDD vars
Make backup slides to explain each of the two optimizations (for the second you could show how DDD structure achieves reduction while we don’t)

25. Optimization for a BDD-based Implementation
Suppose we use BDDs to represent the Boolean encodings of SL formulas
Some BDD paths might be infeasible (as in the case of DDDs)
Use “Restrict” operator to eliminate paths in the BDD that violate transitivity constraints
Problems:
Not all infeasible paths eliminated due to BDD variable ordering constraints
Imposes an overhead
Improve the explanation of transitivity constraints generating new BDD vars
Make backup slides to explain each of the two optimizations (for the second you could show how DDD structure achieves reduction while we don’t)

26. Experimental Setup
Benchmark: Fischer’s timed mutual exclusion protocol, for increasing numbers of processes
Compared against DDD and RED fully symbolic model checkers
For 1 reachability property and 1 non-reachability property
Our model checker used the CUDD package as the Boolean (quantification) engine

27. Results (1) Results for non-reachability formula (non-zenoness)
TMV: Our model checker
Kronos & Red are the only other model checkers that can handle non-reachability properties
Number of Processes
Kronos Time (sec.)
Red Time (sec.)
TMV Time (sec.) 3
0.03
0.28
0.24 4
0.23
1.30
0.44 5
1.98
5.05
0.80 6 *
17.80
2.15 7
57.95
6.61
Title could be changed to Results -- nonzenoness

28. Results (2) Results for reachability property (mutual exclusion)
Num. Proc
Red Time (sec.)
DDD Time (sec.)
TMV Time (sec.) 3
0.21
0.06
0.11 4
1.13
0.38 5
4.53
0.33
1.85 6
15.11
0.90
17.41 7
46.31
2.65 *
Reason: DDD’s local node elimination operations
x1 ¸ x2
x1 ¸ x2 + 2 1
x1 ¸ x2 Ç x1 ¸ x2+2
Delete the reach set stuff if not needed; instead give how DDD reductions are done with a small example
x1 ¸ x2 1
x1 ¸ x2

29. Conclusions & Ongoing Work
New fully symbolic model checking technique based on Boolean methods
Solving QSL via translation to QBF can
Outperform other fully symbolic approaches
Check any property in Timed m calculus
Leverage advances in SAT/QBF
Ongoing Work
Using a SAT-based QBF solver
Improving BDD-based implementation
Lazy vs eager Boolean encoding tradeoffs