
Data Structure Choices for On-the-Fly Model Checking of Real-Time Systems

Peter Fontana and Rance Cleaveland
Department of Computer Science, University of Maryland, College Park

Research supported by NSF Grant CCF-0820072.

Abstract—This paper studies the performance of sparse-matrix-based data structures to represent clock zones (convex sets of clock values) in an on-the-fly predicate equation system model checker for timed automata. We analyze the impact of replacing the dense difference bound matrix (DBM) with both the linked-list CRDZone and the array-list CRDArray data structure. From analysis on the paired example-by-example differences in time performance, we infer the DBM is either competitive with or slightly faster than the CRDZone, and both perform faster than the CRDArray. Using similar analysis on space performance, we infer the CRDZone takes the least space, and the DBM takes less space than the CRDArray.

I. INTRODUCTION

Automatic verification of real-time systems is undertaken using notations for verifiable programs and checkable specifications (see [1]–[6]). One common program notation is timed automata [7]. There are specification notations such as timed computation tree logic (TCTL) [1], [8] and timed extensions of a modal mu-calculus, including one in [3] and another given in [5]. Specifications in a timed modal mu-calculus can be written as lists of equations, known as timed modal equation systems [5], [6], [9]. For information on the untimed modal mu-calculi, see [10]–[12], and see [10], [11] for information on modal equation systems.

One approach to model checking timed automata with timed modal mu-calculus specifications is to use predicate equation systems (PES), which were invented independently by Groote and Willemse (as parameterized boolean equation systems) [13] and by Zhang and Cleaveland [6], [9]. Predicate equation systems provide a general framework for program models including parametric timed automata [6] and Presburger systems [14]. They also admit a natural on-the-fly approach to model checking based on proof search: a formula corresponding to the assertion that a timed automaton satisfies a mu-calculus property can be checked in a goal-driven fashion to determine its truth. Zhang and Cleaveland [6] demonstrated the efficiency of this approach vis-à-vis other real-time model-checking approaches.

In this paper we consider the special model checking case of timed automata and timed modal equation systems representing safety properties (also studied in [6]), for which there are still many opportunities for performance improvements. One component of such a model checker that has a noticeable influence on performance is the data structure for the sets of clock values. When analyzing safety properties, each desired set of clock values forms a convex set of clock values, or clock zone (see Definition 3).

The conventional way to store a clock zone is as a difference bound matrix (DBM) (see Definition 4) [15], which stores the constraints as a matrix. This approach is used by UPPAAL [16] and described in [17]. To potentially save space and time, instead of representing the set of constraints as a matrix, one can represent the set as an ordered linked path of constraints where any clock difference not on the path has the implicit constraint < ∞. If we generalize this to allow for a union of zones to be represented by a directed graph of constraints (representing a tree of paths as opposed to a single path), we get a clock restriction diagram (CRD) [18]. If we compress the nodes to have them represent upper and lower bound constraints as well as explicitly encoding both valid and invalid paths, we get a clock difference diagram (CDD) [2]. These two structures are extensions of binary decision diagrams (BDDs) (see [19] for information).

To improve performance, we take the above idea of a linked implementation and incorporate the sparseness of the implementation of CRDs while simplifying (or shrinking) the structure to only support a single clock zone (CRDs and CDDs in general can encode unions of clock zones). This simplified structure is a sparse sorted linked-list implementation of a DBM, the CRDZone (see Definition 5). We also implement an array-list version of the CRDZone, the CRDArray (see Definition 6). A CRDZone may be seen as a sparse sorted linked-list implementation of a DBM, and the CRDArray a sparse array-list implementation of the CRDZone. We examine the time and space performance of all three clock zone implementations: the matrix DBM, linked-list CRDZone and array-list CRDArray.

The contributions of this paper are:

• We run experiments comparing time and space performance of a model checker (on safety (reachability) properties) with the DBM, CRDZone and CRDArray data structure implementations.
• We formalize and extend the analysis style performed in the model checking experiments of [2], [6], [9], [18], [20], [21] by utilizing paired data (each implementation checked the same examples) and applying descriptive statistics on the paired example-by-example differences in time and space consumption. See Section VI for details on the statistics and Section VI-B for the analysis.

After analyzing the experimental results, for time performance we infer the DBM is either competitive with or slightly faster than the CRDZone, and both perform faster than the CRDArray for the examples in this experiment. In terms of space, we infer the CRDZone takes up the least space, and the DBM takes less space than the CRDArray for the examples in this experiment.

II. PROGRAM MODEL AND SPECIFICATIONS

A. Timed Automata

A timed automaton encodes the behavior of a real-time system [7], [22].

Definition 1 (Clock constraint φ ∈ Φ(CX)). Given a set of clocks CX, a clock constraint φ is constructed with the following grammar, where x_i is a clock and c ∈ ℤ:

φ ::= x_i < c | x_i ≤ c | x_i > c | x_i ≥ c | φ ∧ φ

Φ(CX) is the set of all possible clock constraints.

Definition 2 (Timed automaton). A timed automaton TA = (L, L0, Σ, CX, I, E) is a tuple where:

• L is a finite set of locations with the initial set of locations L0 ⊆ L.
• Σ is the set of actions and CX is the set of clocks.
• I : L → Φ(CX) gives a clock constraint for each location l. I(l) is called the invariant of l.
• E ⊆ L × Σ × Φ(CX) × 2^CX × L is the set of edges. In an edge e = (l, a, φ, Y, l') from l to l' with action a, φ ∈ Φ(CX) is the guard of e, and Y represents the set of clocks to reset to 0.

Some sources [6], [23] and our PES checker allow clock assignments (x1 := x2) in addition to clock resets on edges; other sources [17] allow constraints on clock differences, and other sources [1] allow states to be labelled with atomic propositions that each state satisfies.

Timed automata use clock valuations ν ∈ V (V = CX → R≥0 is the set of all clock valuations), each of which at any moment stores a non-negative real value for each clock x ∈ CX. The semantics of a timed automaton are described as an infinite-state machine, where each state is a location-valuation pair (l, ν). Transitions represent either time advances or edge executions (performing an action). For a formal definition of the semantics of a timed automaton, see [7].

Example 1 (Example of a timed automaton). Consider the timed automaton in Figure 1, which models a train in the generalized railroad crossing (GRC) protocol.

[Figure 1: locations 0: far, 1: near and 2: in; edges approach (x1 := 0), in (x1 = 4, x1 := 0) and exit (x > 1); location invariants drawn as x < 4 and x < 15; properties TCTL (Invalid): AF[near ∨ in] and TCTL (Valid): AG<∞[near → AF<TP+TDU[far]].]
Fig. 1. Timed automaton TA_1, a model of a train in the generalized railroad crossing (GRC) protocol.

There are three locations—0: far (initial location), 1: near and 2: in—with one clock x1. There are the actions approach, in and exit in Σ. Here, location 1 has the invariant x1 ≤ 4 while 0 has no invariant. The edge (1: near, in, x1 = 4, {x1}, 2: in) has the guard x1 = 4 and resets x1 to 0.

B. Modal Equation Systems (MES)

We use a modal equation system (MES) to represent real-time temporal properties that timed automata can possess. An MES is an ordered list of equations with variables on the left hand side and basic timed temporal logical formulae on the right. Each equation involves a variable X, a basic formula φ and a greatest fixpoint (ν) or a least fixpoint (µ), and the equation is labeled with the fixpoint (X =ν φ or X =µ φ). For a formal definition of MES syntax and semantics, see [6], [9].

Example 2 (Continuation of Example 1). Again consider the timed automaton in Figure 1. The MES

X1 =ν far ∧ ∀([−](X1))   (1)

represents the safety property “the train is always in state 0: far”, read as “the variable X1 is the greatest fixpoint of being in state 0: far and for all time advances

While converting to a canonical form takes a considerable amount of time, it is needed to simplify and standardize the algorithms for the zone operations, including time successor (succ(z)) computations and subset checks. For time successor, having the zone in canonical form allows the time elapse operation to simply set all single-clock upper bound constraints to < ∞.
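The dense-versus-sparse zone representations and the canonical-form, time-successor and subset operations described above, as an added Python example that is not the paper's own code (the page shows none): bounds are stored as plain integers with strictness (< versus ≤) omitted, index 0 is the reference clock x0 = 0, and the zone used in the comments is a constructed two-clock example.

```python
from itertools import product

INF = float("inf")  # an absent constraint in the sparse form means "< infinity"

def sparse_to_dbm(n_clocks, sparse):
    """Expand a sparse map {(i, j): c} meaning x_i - x_j <= c into a dense (n+1)x(n+1)
    DBM; index 0 is the reference clock x_0 == 0, so (i, 0) is an upper bound on x_i."""
    n = n_clocks + 1
    dbm = [[INF] * n for _ in range(n)]
    for i in range(n):
        dbm[i][i] = 0   # x_i - x_i <= 0
        dbm[0][i] = 0   # x_0 - x_i <= 0: every clock value is non-negative
    for (i, j), c in sparse.items():
        dbm[i][j] = min(dbm[i][j], c)
    return dbm

def canonicalize(dbm):
    """Floyd-Warshall tightening (the costly O(n^3) step): every entry becomes
    the tightest bound implied by the whole zone."""
    n = len(dbm)
    for k, i, j in product(range(n), repeat=3):
        if dbm[i][k] + dbm[k][j] < dbm[i][j]:
            dbm[i][j] = dbm[i][k] + dbm[k][j]
    return dbm

def is_empty(dbm):
    """A canonical DBM with a negative diagonal entry admits no clock valuation."""
    return any(dbm[i][i] < 0 for i in range(len(dbm)))

def dbm_to_sparse(dbm):
    """The CRDZone-style view: keep only finite, non-trivial off-diagonal bounds."""
    n = len(dbm)
    return {(i, j): dbm[i][j] for i in range(n) for j in range(n)
            if i != j and dbm[i][j] != INF and not (i == 0 and dbm[i][j] == 0)}

def time_successor(dbm):
    """succ(z) on a canonical DBM: drop every single-clock upper bound x_i - x_0 to
    < infinity; clock differences are untouched, so the result stays canonical."""
    succ = [row[:] for row in dbm]
    for i in range(1, len(dbm)):
        succ[i][0] = INF
    return succ

def subset(a, b):
    """Zone inclusion on canonical DBMs: a lies within b iff each bound of a is at most b's."""
    n = len(a)
    return all(a[i][j] <= b[i][j] for i in range(n) for j in range(n))

# constructed zone: x1 <= 4, x2 - x1 <= 3 and x2 - x1 >= 1 (written x1 - x2 <= -1)
ZONE = canonicalize(sparse_to_dbm(2, {(1, 0): 4, (2, 1): 3, (1, 2): -1}))
```

Canonicalizing the constructed zone derives the implied bounds x2 ≤ 7 and x2 ≥ 1, and the sparse view of succ(ZONE) keeps only the three clock-difference bounds.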