Shortest Violation Traces in Model Checking Based on Petri Net Unfoldings and SAT
Victor Khomenko
University of Newcastle upon Tyne
Supported by IST project 2004-511599 (RODIN)
Shortest violation traces
• Can be much shorter than the first computed trace
• Do not contain incidental system activity unrelated to the found error
• Facilitate debugging, saving the designer’s time
Petri net unfolding prefixes
• Partial-order semantics of PNs
• Concurrency represented explicitly, using an acyclic PN
• Alleviate the state space explosion problem
• Efficient model checking algorithms
Dining Philosophers
[Figure: Petri net of the dining philosophers (places P1–P14, transitions T1–T10) and a finite prefix of its unfolding]
Model checking on PN unfoldings
• A Boolean expression is built using the prefix, such that:
  – it is unsatisfiable iff the property holds
  – every satisfying assignment of it gives a violation trace
  – it has the form CONF ∧ VIOL
• Some of the variables of the expression are associated with the events of the prefix (an event's variable is true iff the event is executed)
CONF: Causality
If an event e is executed then its causal predecessors are also executed (it is enough to require that the direct predecessors of e are executed)
[Figure: unfolding prefix of the dining philosophers]

$$\bigwedge_{e} \Big( e \;\Rightarrow\; \bigwedge_{f \text{ a direct predecessor of } e} f \Big)$$
CONF: Conflicts
If an event e is executed then events in conflict with it cannot be executed (it is enough to require that the events in direct conflict with e are not executed)
[Figure: unfolding prefix of the dining philosophers]

$$\bigwedge_{e} \Big( e \;\Rightarrow\; \bigwedge_{f \text{ in direct conflict with } e} \neg f \Big)$$
VIOL: Deadlock
For every e, either:
• some direct predecessor is not executed, or
• an event in direct conflict has fired, or
• e itself has fired
[Figure: unfolding prefix of the dining philosophers]

$$\bigwedge_{e} \Big( \bigvee_{f \text{ a direct predecessor of } e} \neg f \;\vee\; \bigvee_{f \text{ in direct conflict with } e} f \;\vee\; e \Big)$$
Computing shortest traces
input: the Boolean expression CONF ∧ VIOL built from the prefix
output: T - a shortest violation trace, or UNSAT

A ← SAT_Assignment(CONF ∧ VIOL)
if A = UNSAT then T ← UNSAT; stop
T ← Extract_Trace(A); r ← |T|; l ← 0
while l < r do
    t ← ⌊(l + r)/2⌋
    A ← SAT_Assignment(CONF ∧ VIOL ∧ Threshold_t)
    if A = UNSAT then l ← t + 1
    else T ← Extract_Trace(A); r ← |T|

Threshold_t restricts the number of fired events to at most t; throughout the loop l is a lower bound on the length of any violation trace and r is the length of the shortest trace found so far.
Threshold constraint
• First build a Boolean circuit and then translate it into a Boolean expression (linear translation is possible by adding new variables)
• Try to minimize the changes in the circuit if the threshold changes – good for incremental SAT
[Figure: threshold circuit: a counter sums the n event variables into an O(log n)-bit value, which a comparator checks against the threshold]
Implementation of the counter
[Figure: adder tree over the n event variables, with 1-bit adders at the leaves and wider (2-bit, 3-bit, ...) adders towards the root]
Size (if n is a power of 2):
• 4n − 2 log2 n − 4 auxiliary variables
• 16n − 10 log2 n − 16 clauses
• 52n − 36 log2 n − 52 literals
Linear translation, but with large multiplicative constants
Exploiting conflicts
• Events in a conflict cluster are mutually exclusive
• An OR-gate can be used as a counter
[Figure: unfolding prefix of the dining philosophers with a conflict cluster marked]
Implementation of the counter
• Significant gains if the number of clusters is much smaller than the number of events
• Need to partition the prefix into the minimum number of conflict clusters
• An NP-complete problem (reduction from partition into cliques)
• A greedy algorithm can be used in practice
[Figure: adder tree whose leaves are OR-gates over the conflict clusters of the n events]
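The bisection of slide 9, the threshold constraint of slide 10 and the conflict-cluster counter of slides 12–13, carried through on a small example. This is an added illustration, not the author's code or tool: the prefix (events a–g with their direct predecessors and one direct conflict) is constructed here, a naive DPLL stands in for a real incremental SAT solver, and the threshold is a sequential-counter encoding (Sinz 2005) over the cluster OR-gates rather than the slides' adder/comparator tree. The CONF and VIOL clauses are exactly those of slides 6–8.

```python
"""Shortest violation trace by bisection on a cardinality threshold.
Added example, not the author's code: toy prefix constructed inline, CONF/VIOL
clauses as on the slides, a naive DPLL in place of an incremental SAT solver."""

# Constructed toy prefix: event -> direct causal predecessors.  Events are numbered
# in a causal order, so numeric order of a configuration is a valid trace.
PREDS = {"a": [], "b": ["a"], "c": ["a"], "d": ["b"], "e": ["c"], "f": ["d"], "g": ["f"]}
CONFLICTS = {"b": ["c"], "c": ["b"]}      # direct conflict: b and c share an input condition
VAR = {name: i + 1 for i, name in enumerate(PREDS)}   # event -> CNF variable (true = fired)


def simplify(clauses, lit):
    """Assume lit true: drop satisfied clauses, strip -lit; None if a clause becomes empty."""
    out = []
    for c in clauses:
        if lit in c:
            continue
        rest = [x for x in c if x != -lit]
        if not rest:
            return None
        out.append(rest)
    return out


def dpll(clauses, assign=None):
    """Complete but naive DPLL: returns a model {var: bool} or None when UNSAT."""
    assign = dict(assign or {})
    while (unit := next((c for c in clauses if len(c) == 1), None)) is not None:
        assign[abs(unit[0])] = unit[0] > 0
        clauses = simplify(clauses, unit[0])
        if clauses is None:
            return None
    if not clauses:
        return assign
    v = abs(clauses[0][0])
    for choice in (v, -v):                      # try "fired" first, then "not fired"
        rest = simplify(clauses, choice)
        if rest is not None and (model := dpll(rest, {**assign, v: choice > 0})) is not None:
            return model
    return None


def conf_viol(preds, conflicts, var):
    """CONF (causality, conflicts) and VIOL (deadlock) clauses, as on slides 6-8."""
    cls = []
    for e, ps in preds.items():
        cf = conflicts.get(e, [])
        cls += [[-var[e], var[f]] for f in ps]       # e fired => every direct predecessor fired
        cls += [[-var[e], -var[f]] for f in cf]      # e fired => no directly conflicting event fired
        cls.append([-var[f] for f in ps] + [var[f] for f in cf] + [var[e]])  # deadlock: e disabled or fired
    return cls


def conflict_clusters(preds, conflicts):
    """Greedy partition into sets of pairwise directly conflicting events (slide 13)."""
    clusters = []
    for e in preds:
        cl = next((cl for cl in clusters if all(f in conflicts.get(e, []) for f in cl)), None)
        if cl is None:
            clusters.append([e])
        else:
            cl.append(e)
    return clusters


def at_most_k(xs, k, fresh):
    """Sequential counter (Sinz 2005) for 'at most k of xs true'; aux variables start at fresh."""
    n = len(xs)
    if k >= n:
        return []
    if k == 0:
        return [[-x] for x in xs]
    s = [[fresh + i * k + j for j in range(k)] for i in range(n - 1)]  # s[i][j]: >= j+1 of xs[:i+1] true
    cls = [[-xs[0], s[0][0]]] + [[-s[0][j]] for j in range(1, k)]
    for i in range(1, n - 1):
        cls += [[-xs[i], s[i][0]], [-s[i - 1][0], s[i][0]], [-xs[i], -s[i - 1][k - 1]]]
        cls += [c for j in range(1, k) for c in ([-xs[i], -s[i - 1][j - 1], s[i][j]], [-s[i - 1][j], s[i][j]])]
    return cls + [[-xs[n - 1], -s[n - 2][k - 1]]]


def threshold(t, clusters, var, fresh):
    """Threshold_t over cluster OR-gates (slide 12): events in a cluster are mutually exclusive,
    so one gate output per cluster counts fired events and the counter has fewer inputs."""
    gates = list(range(fresh, fresh + len(clusters)))
    cls = [[-var[e], g] for cl, g in zip(clusters, gates) for e in cl]   # any event in cluster => gate on
    return cls + at_most_k(gates, t, fresh + len(clusters))


def extract_trace(model, var):
    return [e for e, v in var.items() if model.get(v, False)]


def shortest_violation_trace(preds, conflicts, var):
    """Slide 9: bisection on the threshold.  Returns (first trace, shortest trace), or None
    when CONF /\\ VIOL is unsatisfiable, i.e. the property holds."""
    base = conf_viol(preds, conflicts, var)
    clusters = conflict_clusters(preds, conflicts)
    model = dpll(base)
    if model is None:
        return None
    first = trace = extract_trace(model, var)
    lo, hi = 0, len(trace)           # no violation shorter than lo; hi = best length found
    while lo < hi:
        t = (lo + hi) // 2
        model = dpll(base + threshold(t, clusters, var, len(var) + 1))
        if model is None:
            lo = t + 1
        else:
            trace = extract_trace(model, var)
            hi = len(trace)
    return first, trace
```

On this prefix the first satisfying assignment is the five-event deadlock a, b, d, f, g, while bisection reaches the three-event deadlock a, c, e in two further SAT calls (threshold 2 is UNSAT, threshold 4 is SAT). The seven events fall into six conflict clusters, so the counter has six inputs instead of seven; on real prefixes, where clusters are many orders of magnitude fewer than events, this is where the reduction comes from.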
Exploiting causality
• If an event in a cluster has fired, some event in a preceding cluster has also fired
• If $Cl_1 < Cl_2 < \dots < Cl_n$, then the outputs of the corresponding OR-gates are ordered (the output for $Cl_i$ implies the output for $Cl_{i-1}$)
[Figure: unfolding prefix of the dining philosophers with an ordered chain of conflict clusters marked]
Implementation of the counter
A sort-adder is simpler than a conventional one!
[Figure: adder tree whose leaves are sort-1 units fed by the ordered OR-gate outputs of chains of clusters, with wider adders towards the root]
Partitioning into chains of clusters
• Gains if the number of ordered chains of clusters is small
• Need to partition the conflict clusters into the minimum number of ordered chains
• The problem can be reduced to maximum matching in bipartite graphs and solved in polynomial time, but this might be inefficient due to the need to work with an implicitly represented graph
• A greedy algorithm can be used in practice
Experimental results
• The first computed violation trace can be much longer than a shortest one – computing shortest violation traces can indeed greatly facilitate the debugging process
• The number of conflict clusters is by many orders of magnitude smaller than the number of events – significant reductions in the size of threshold constraint
The ideal case
• If the adder tree can be implemented as a single OR-gate:
  – 1 (rather than 4n − 2 log2 n − 4) auxiliary variables
  – n+1 (rather than 16n − 10 log2 n − 16) clauses
  – 3n+1 (rather than 52n − 36 log2 n − 52) literals
• Improvement ratios as n → ∞: variables: unbounded (the ratio is 4n − 2 log2 n − 4 itself), clauses: 16, literals: 17⅓
Experimental results: variables
[Plot: improvement ratio for variables (log scale, 1 to 1000) against |E \ Ecut| (1 to 100000)]
Experimental results: clauses
[Plot: improvement ratio for clauses (0 to 18) against |E \ Ecut| (1 to 100000)]
Experimental results: literals
[Plot: improvement ratio for literals (0 to 18) against |E \ Ecut| (1 to 100000), with the 17⅓ limit marked]