Real-Time Model Checking on Secondary Storage
Stefan Edelkamp and Shahid Jabbar
Chair for Programming Systems and Compiler Construction
Computer Science Department
University of Dortmund, Dortmund, Germany
Edelkamp and Jabbar (Dortmund)
Real-time Model Checking on Secondary Storage
Real-Time Model Checking
Model checking of real-time critical systems.
Example: A railroad crossing that has to follow strict time constraints.
Systems are modeled by Timed Automata: an extension of ordinary automata with clocks and constraints.
[Figure: timed automaton with locations s1, s2 and s3. Edges carry constraints (0 ≤ y ≤ 4, y ≤ 4) and resets (x ← 0).]
x and y are real-time clocks
Timed Automata
A state in timed automata is a pair (l, u), where
l is the current location/state in the automata,
u: C → ℝ is the clock valuation function.
Two types of transitions:
Delay transition: (l, u) → (l, u + d), which increases the values of all clocks by a positive real d.
Edge transition: (l, u) → (l’, u’), which changes the location to l’. u’ is obtained from u by executing the reset statements on the edges. Only possible if the constraints on the edge are satisfied by the clocks.
[Figure: example timed automaton with locations s1, s2 and s3, constraints 0 ≤ y ≤ 4 and y ≤ 4, and resets x ← 0; x and y are real-time clocks.]
Priced Timed Automata
Timed Automata extended with cost variables.
Each transition can have a cost for taking it.
Each location/state can have a cost for staying at it.
Used in Scheduling – also in this paper.
[Figure: example timed automaton (locations s1, s2, s3; constraints 0 ≤ y ≤ 4 and y ≤ 4; resets x ← 0; x and y are real-time clocks) annotated with the costs c = 4, c = 2, c = c + 1 and c = c + 4. Callouts: "Cost per unit time for staying at s1" and "Cost for taking the transition".]
Cost-optimal reachability using Priced Timed Automata (UPPAAL-CORA)
UPPAAL-CORA uses admissible but inconsistent heuristics as guidance.
The first solution found is not optimal, but it can be taken as an upper bound to prune the non-promising states (branch-and-bound).
[Figure: search frontier plotted over cost, with the goal and the pruning value marked.]
Problems
Since clocks are real-valued variables, the state spaces are infinite.
Classical approach for proving decidability is to divide the state space into regions.
In practice, tools like KRONOS and UPPAAL use a Zone-based representation – a symbolic representation for sets of states.
Still the combinatorial explosion due to adding new components is inevitable.
Problem with the Virtual Memory
[Figure: virtual address space from 0x000…000 to 0xFFF…FFF, divided into memory pages.]
External Memory Model (Aggarwal and Vitter)
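[Figure: an input of size N, with N >> M, resides on disk; M is the size of the internal memory and B the size of a block transferred between disk and memory.]
If the input size is very large, running time depends on the I/Os rather than on the number of instructions.
Scan(N) = O(N / B)
Sort(N) = O((N/B) log_{M/B} (N/B))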
External Breadth-First Search for Explicit Graphs (Munagala & Ranade, SODA-99)
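[Figure: layer t = {A} and layer t+1 = {B, C, D}. The successors generated for layer t+2 (X Y Z A X) contain duplicates; sorting and compaction leaves A X Y Z, and subtracting the earlier layers leaves X Y Z.]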
Duplicates’ Removal
I: Remove duplicates by sorting the nodes according to the indices and doing a scan and compaction phase.
II: Subtract layers t and t+1 from t+2.
External Breadth-First Branch-and-Bound in UPPAAL-CORA
Can we use the same approach by Munagala and Ranade here? YES and NO.
Duplicate elimination is not trivial!
[Figure: search frontier over cost. In trivial state spaces duplicates are identical states (A, A). In real-time state spaces the frontier holds states (l,Z1), (l,Z2), (l,Z3), (l,Z4), (l,Z5), (l,Z6) that form a zone union: same location but different zones.]
A state (l,Z) is a duplicate of (l,Z’) iff Z Z’ and f(Z) f(Z’)
l: active locations in local automata
Z: Zone - set of constraints satisfied by clocks
No total order on Zones => O(n^2) comparisons for each location
Bucket
A Bucket is a set of states, residing on the disk, having the same g value, where g = number of transitions needed to transform the initial state to the states of the bucket.
No state is inserted again in a bucket that is expanded.
If active (being read or written), represented internally by a small buffer.
[Figure: a state is inserted into the buffer in internal memory; when full, the buffer is sorted and flushed to the file on disk.]
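Added example (not from the slides or from UPPAAL-CORA): the sort, scan-and-compact and layer-subtraction steps of Munagala and Ranade, run on top of the disk bucket with its sort-and-flush buffer described above. States are plain strings in an explicit undirected graph constructed for the demo; Bucket, external_bfs and the file naming are hypothetical, and zone-based duplicate detection is not modelled.

```python
import heapq, itertools, os, tempfile
def write_run(path, states):
    with open(path, "w") as f:
        f.writelines(s + "\n" for s in states)
    return path

def read_run(path):
    with open(path) as f:
        yield from (line.rstrip("\n") for line in f)

class Bucket:
    """Hypothetical bucket: states of one g value, on disk plus a small buffer."""
    def __init__(self, workdir, g, buffer_size=3):
        self.prefix = os.path.join(workdir, f"g{g}")
        self.buffer, self.runs, self.buffer_size = [], [], buffer_size
    def insert(self, state):
        self.buffer.append(state)
        if len(self.buffer) >= self.buffer_size:    # when full, sort and flush
            self.flush()
    def flush(self):
        if self.buffer:
            run = f"{self.prefix}.run{len(self.runs)}"
            self.runs.append(write_run(run, sorted(self.buffer)))
            self.buffer = []
    def survivors(self, older_layers):
        self.flush()
        old = heapq.merge(*map(read_run, older_layers))
        blocked = next(old, None)
        merged = heapq.merge(*map(read_run, self.runs))   # I: merge sorted runs,
        for s, _ in itertools.groupby(merged):            #    scan and compact
            while blocked is not None and blocked < s:
                blocked = next(old, None)
            if s != blocked:                              # II: subtract layers
                yield s

def external_bfs(successors, start, workdir):
    layers = [write_run(os.path.join(workdir, "g0.layer"), [start])]
    while os.path.getsize(layers[-1]) > 0:
        nxt = Bucket(workdir, len(layers))
        for s in read_run(layers[-1]):                    # expansion: one scan
            for t in successors(s):
                nxt.insert(t)
        layers.append(write_run(nxt.prefix + ".layer", nxt.survivors(layers[-2:])))
    return [list(read_run(p)) for p in layers[:-1]]

# Constructed undirected graph shaped like the slide's A / BCD / XYZ picture.
GRAPH = {"A": "BCD", "B": "AX", "C": "AXY", "D": "AZ", "X": "BC", "Y": "C", "Z": "D"}
def demo():
    with tempfile.TemporaryDirectory() as d:
        return external_bfs(lambda s: GRAPH[s], "A", d)
```

Subtracting only the two most recent layers is sufficient because the demo graph is undirected; a directed graph needs as many earlier layers as its locality.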
I/O Complexity of Breadth-First Branch-and-Bound
Assumption: At least two zone unions can fit into the main memory.
Expansion: O(scan(|V|)) I/Os
Duplicates Removal:
Stage 1: Removal of duplicates within a layer. O(sort(|E|)) I/Os for sorting, O(scan(|E|)) I/Os for scanning and compacting.
Stage 2: Removal of duplicates with respect to previous layers. Depends on the locality of the graph (the longest back-edge): locality(G) × scan(|V|) I/Os.
Cumulative Complexity: O(sort(|E|) + locality(G) × scan(|V|)) I/Os.
External Breadth-First Branch-and-Bound
Problems with Breadth-First BnB
Too much effort until some solution is found.
Solution:
Explore partial space to search for some solution.
Increase the coverage of the space and improve the solution.
Iterative Broadening External Breadth-First BnB
Iterative Broadening External Breadth-First BnB
[Figure: search frontier over cost, widened step by step with k = 20%, 40%, 60%, 80%, 100%.]
Only pick best k% nodes for expansion.
Selection Criteria
How can we guarantee that the solution will be improved or at least remain the same?
Possible if
Selection Criteria:
Best k% of the nodes PLUS
All the states that have the same cost as that of the last state of the selected list PLUS
All the states that have a cost smaller than or equal to the maximum cost selected in the previous iteration.
ll ilayerilayer )()( 1
i: layer number
l: iteration
Select the whole cost plateau
Select all plateaus from the previous iteration
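Added example (not the authors' code): the three-part selection rule above inside a small in-memory breadth-first branch-and-bound loop, showing the upper bound tightening as the beam widens. It assumes the "maximum cost selected in the previous iteration" is remembered per layer; SEP and the job-ordering instance are constructed, and all function names are hypothetical.

```python
import math

def select(layer, k, prev_max):
    """Choose states of one layer to expand; layer is a list of (cost, state)."""
    ranked = sorted(layer)
    best = ranked[:max(1, math.ceil(len(ranked) * k / 100))]  # best k% of the nodes
    limit = best[-1][0]                 # PLUS the whole cost plateau of the last one
    if prev_max is not None:            # assumption: threshold is kept per layer
        limit = max(limit, prev_max)    # PLUS all plateaus of the previous iteration
    return [x for x in ranked if x[0] <= limit], limit

def broadening_bnb(successors, is_goal, start, widths=(20, 40, 60, 80, 100)):
    upper, prev_limits, history = math.inf, {}, []
    for k in widths:
        layer, depth = {start: 0}, 0
        while layer:
            chosen, prev_limits[depth] = select(
                [(c, s) for s, c in layer.items()], k, prev_limits.get(depth))
            layer = {}
            for cost, state in chosen:
                for nxt, step in successors(state):
                    c = cost + step
                    if c >= upper:                       # branch-and-bound pruning
                        continue
                    if is_goal(nxt):
                        upper = c                        # improved upper bound
                    elif c < layer.get(nxt, math.inf):   # duplicate: keep cheaper
                        layer[nxt] = c
            depth += 1
        history.append((k, upper))
    return history

# Constructed toy instance: order jobs 1..3 after job 0; SEP[i][j] is the cost
# of running j directly after i. A state is (bitmask of done jobs, last job).
SEP = [[0, 1, 2, 3], [0, 0, 9, 9], [0, 1, 0, 1], [0, 1, 1, 0]]
FULL = (1 << len(SEP)) - 1

def successors(state):
    mask, last = state
    return [((mask | 1 << j, j), SEP[last][j])
            for j in range(len(SEP)) if not mask & 1 << j]

def demo():
    return broadening_bnb(successors, lambda s: s[0] == FULL, (1, 0))
```

On this constructed instance the narrow beam follows the cheapest first step and finds a bound of 11; widening to 40% reaches the optimum of 4, and the carried-over bound prunes the remaining iterations.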
Iterative Broadening External BF BnB
Aircraft Landing Scheduling Problem
1 runway, 10 planes
Beam Width in %    Given Upper Bound    New Upper Bound    Expanded States
1                  ∞                    970                91
20                 970                  970                91
40                 970                  810                125
60                 810                  710                281
80                 710                  700                439
100                700                  700                577
100                ∞                    700                31,458
Last row: External Breadth-First BnB
Aircraft Landing Scheduling Problem
2 runways, 20 planes
Beam Width in %    Given Upper Bound    New Upper Bound    Expanded States
0.1                ∞                    1940               1,060
20                 1940                 1940               1,285
40                 1940                 1420               18,142
60                 1420                 1410               69,341
80                 1410                 1410               147,128
100                1410                 1400               195,145
100                ∞                    --                 --
Last row: Out-of-space with External Breadth-First BnB
Alternate Modeling of Aircraft Landing Scheduling (Dierks, VVPS’05)
•3 runways but 13 clocks
•External Breadth-First BnB
•Harddisk usage = 311 Gigabytes
•RAM usage = 1.8 Gigabytes
•Time = 12 hours
Iterative Broadening did not pay off due to large cost plateaus
Incomplete exploration due to space constraints.
Issues in External Exploration
Error trace:
No predecessor pointers! Save the predecessor with each state. Trace back from the goal state to the start state breadth-wise.
Disk space eaten by duplicate states:
Start “Early” Delayed Duplicate Detection
Summary & Outlook
Contribution
External storage can provide the facility to save open and closed lists.
Iterative broadening strategy can outperform simple breadth-first branch-and-bound.
Future Work
Externality => promising for distributed execution by distributing a layer on multiple processors.
Can pause-and-resume your execution to add more harddisks.
Completely orthogonal - Can be combined with other state-space reduction techniques.