We investigate a new SMT-based bounded model checking (BMC) method for the existential part of Metric Temporal Logic (MTL). The MTL logic is interpreted over linear dense infinite time models generated by timed automata with dense time. We implemented the new SMT-based bounded model checking technique for MTL and as a case study we applied the technique to the analysis of the Timed Generic Pipeline Paradigm and Timed Train Controller System, both modelled by a network of timed automata.
Timed automata [
Timed automata (TA) are adequate to represent systems, but not that much for
representing properties of systems3. Temporal logics are a well known framework in the
field of specification and verification of computer systems [
Metric Temporal Logic (MTL) [
Bounded model checking [
The satisfiability and model checking problems for MTL are undecidable over the
interval-based semantics [
We evaluate the new BMC method experimentally by means of a timed generic pipeline paradigm (TGPP) and timed train controller system, which are modelled by a network of timed automata with dense time. 2
The model of timed automata has been defined in the 90s by Alur and Dill as a model for representing systems with real-time constraints. A timed automaton is basically a finite automaton which manipulates finitely many variables called clocks.
We assume a finite set X = fx0; : : : ; xn 1g of variables, called clocks. A clock valuation is a total function v : X 7! IR that assigns to each clock x a non-negative real value v(x). The set of all the clock valuations is denoted by IRjX j. For X X , the valuation v0 = v[X := 0] is defined as: 8x 2 X, v0(x) = 0 and 8x 2 X n X, v0(x) = v(x). For 2 IR, v + denotes the valuation v00 such that 8x 2 X ; v00(x) = v(x) + . Let x 2 X , c 2 IN, and 2 f<; 6; =; >; >g. A guard over X is a finite conjunction of expressions of the form x c. We denote by C(X ) the set of guards over X . A clock valuation v satisfies a clock guard cc, written as v j= cc, iff cc evaluates to true using the clock values given by the valuation v.
Definition 1. A timed automaton is a tuple A = (Act; Loc; `0; T; X ; Inv; AP; V ), where – Act is a finite set of actions, – Loc is a finite set of locations, – `0 2 Loc is an initial location, – T Loc Act C(X ) 2X – X is a finite set of clocks, – Inv : Loc 7! C(X ) is a state invariant function,
Loc is a transition relation, – AP is a set of atomic proposition, and – V : Loc 7! 2AP is a valuation function assigning to each location a set of atomic propositions true in this location.
Each element t 2 T is denoted by ` ;c!c;X `0, and it represents a transition from location ` to location `0 on the input action . X X is the set of the clocks to be reset with this transition, and cc 2 C(X ) is the enabling condition for t. 2.1
The semantics of the timed automaton is defined by associating a transition system with it, which we call a concrete model.
Definition 2. Let A = (Act; Loc; `0; T ; X ; I nv; AP ; V ) a timed automaton, and v0a clock valuation such that 8x 2 X , v0(x) = 0.
A concrete model for A is a tuple MA = (Q; q0; !; V ), where – Q = Loc IRn s a set of the concrete states, – q0 = (`0; v0) is the initial state, – ! Q Q is a total binary relation on Q defined by action and time transitions as follows. For a 2 Act and 2 IR+, 1. Action transition: : (`; v) a! (`0; v0) iff there is a transition ` a;c!c;X `0 2 T such that v j= cc ^ I nv(`) and v0 = v[X := 0] and v0 j= I nv(`0), 2. Time transition: (`; v) ! (`; v + ) iff v j= I nv(`) and v + j= I nv(`). – V : Q 7! 2AP is a valuation function such that V ((`; v)) = V (`) for each state (`; v) 2 Q.
A run
in a concrete model for the timed automata A is a infinite sequence of concrete states q0 0!;a0 q1 1!;a1 q2 2!;a2 : : : such that qi 2 Q, ai 2 Act and i 2 IR+, for all i 2 IN. An assumption that i 2 IR+ implies that runs are strongly monotonic. This is because the definition of the run does not permit two consecutive actions to be performed one after the other, i.e., between each two actions some time must pass. 3
MTL logic [
Intuitively, UI and GI are the operators for, respectively, bounded until and bounded always and they are ridden as, respectively, „until in the interval I” and „always in the interval I”. The operators FI and RI are defined in the standard way:
FI d=f true UI
RI df = GI _
UI( _ ).
Semantics Over dense time the logic has traditionally been interpreted in either of two
ways which have come to be known as the “pointwise” and the “continuous”
semantics [
In the presented method we use the pointwise semantics.
Let A be a time automata, MA = (Q; q0; !; V) be a concrete model for the timed
automata A, : q0 !0 q00 a!0 q1 !1 q10 a!1 q2 !2 q20 a!2 : : : be a run in A, which
can be written in the shorter way: : q0 0!;a0 q1 1!;a1 q2 2!;a2 : : :. Each of the runs
determines the path : q0; q00; q1; q10; q2; q20 : : : in an unambiguous way. Given a run
one can define a function : IN 7! IR+ such that, for all the position j > 0, (j) is
a sum of all the time transitions along the run till the position j. For all j > m, the
function (j) returns the value of the global time (in [
To make the definition more clear we use a notation ( ; m)j=EMTL' instead of M; ( ; m)j=EMTL', for each MTL formula '.
Definition 3. Let and be MTL formulae. The satisfaction relation j=EMTL, which indicates truth of an MTL formula in the concrete model MA along a path starting at position m 2 IN, is defined inductively as follows: ( ; m) j=EMTL true, ( ; m) 6 j=EMTL false, ( ; m) j=EMTL p iff p 2 V( (m)), ( ; m) j=EMTL :p iff p 62 V( (m)), ( ; m) j=EMTL ^ iff ( ; m) j=EMTL ( ; m) j=EMTL _ iff ( ; m) j=EMTL ( ; m) j=EMTL UI iff (9j m)( (j) and (8m 6 j0 < j)( ; m + j0) j=EMTL ), ( ; m)j=EMTL GI iff (8j m)( (j) and ( ; m) j=EMTL , or ( ; m) j=EMTL ,
(m) 2 I and ( ; m + j) j=EMTL (m) 2 I implies ( ; m + j) j=EMTL ).
As ( ; 0) = , we shall write MA; j=EMTL ' for MA; ( ; 0) j=EMTL '. An MTL formula ' is existentially valid in the model MA, denoted MA j=EMTL E', if, and only if MA; j=EMTL ' for some path starting in the initial state of MA. Determining whether an MTL formula ' is existentially valid in a given model is called an existential model checking problem. 4
The verification method presented in this paper is based on the translation of MTL
formulae to LTLq formulae defined in [
The SMT-based bounded model checking can be described in the following steps:
1. Since the concrete model is infinite we have to abstract the model to be able to
applied bounded model checking technique. It is a well-known technique [
In this section we experimentally evaluate the performance of our new translation.
We have conducted the experiments using the slightly modified timed generic pipeline
paradigm (TGPP) and timed train controller system (TTCS) [
The Timed Generic Pipeline Paradigm (TGPP) timed automata model shown in Figure 1 consists of a Producer producing data within the certain time interval ([a; b]) or being inactive, a Consumer receiving data within the certain time interval ([c; d]) or being inactive within the certain time interval ([g; h]), and a chain of n intermediate Nodes which can be ready for receiving data within the certain time interval ([c; d]), processing data within the certain time interval ([e; f ]) or sending data. We assume that a = c = e = g = 1 and b = d = f = h = 2 n + 2, where n represents a number of nodes in the TGPP.
To compare our experimental results with [
The Timed Train Controller System (also known as Fischer’s mutual exclusion protocol) consists of n (for n 2) trains T1; : : : ; Tn, each one using its own circular track for travelling in one direction and containing its own clock xi, together with controller C used to coordinate the access of trains to the tunnel through which all trains have to pass at certain point. There is only one track in the tunnel, so trains arriving from each direction cannot use it in this same time. There are signals on both sides of the tunnel, which can be either red or green. All trains notify the controller when they request entry to the tunnel or when they leave the tunnel. The controller controls the colour of the displayed signal, and the behaviour of the scenario depends on the values and ( makes it incorrect - the mutual exclusion does not hold).
Controller C has n + 1 states, denoting that all trains are away (state 0), and the numbers of trains, i.e., 1; : : : ; n. Controller C is initially at state 0. The action Starti of train Ti denotes the passage from state away to the state where the train wishes to obtain access to the tunnel. This is allowed only if controller C is in state 0. Similarly, train Ti synchronises with controller C on action approachi, which denotes setting C to state i, as well as outi, which denotes setting C to state 0. Finally, action ini denotes the entering of train Ti into the tunnel.
– – – 1 = F[0;7)(Win=11 Wn
j=i+1(tunneli ^tunnelj )). It states that the mutual exclusion property is violated, i.e. for some path some two trains are in the tunnel at the same time. The formula is existentially valid in the model if and only if . 2 = G[0;1)(F[0;9)(Wn
i=1(tunneli))). It states that always eventually some of the trains enters the tunnel. The formula is existentially valid in the model regardless of the values of and .
3 = F[0;1)(Win=1(tunneli)). It states that eventually all the trains are in the tunnel. The formula is existentially valid in the model if ndonlyif . 5.3
We have performed our experimental results on a computer equipped with I7-5500U processor, 12 GB of RAM, and the operating system Linux with the kernel 5.2.9. Our SMT-based BMC algorithm is implemented as standalone programs written in the programming language C++. We used the state of the art SMT-solver Z3 (program version 8.4.5).
The number of considered k-paths (fk) for the translation is always equal to 1. The length of the witness for the formula '1 is equal to 4 (n + 1) ; for the formula '2 is equal to 8 n + 6; for the formula '3 and is equal to 8 n + 6; for the formula '4 is equal to 8 n + 15; for the formula '5 is equal to 8 n + 6.
The experimental results presented on the Fig. 3 show total time usage. We can observe that the SMT-based method is sensitive to scaling up the size of the benchmarks. For more complicated formulae time usage grows very fast with the size of the benchmark.
The maximum memory usage for all the formulae showed on the Fig. 4 is not very big. The biggest memory usage was for the formula '5 and it amounts 375 MB.
Fig. 5 shows time usage for bounded model checking algorithm ( translation of the model and the formula to SMT format) and for the SMT-solver. We can observe that almost the whole time were consumed by the SMT-solver (the y axis has different scale on both figures). Generating a quantifier-free first-order formula in every case took less than 45 sec.
Fig. 6 shows memory usage for the BMC algorithm and SMT-solver. We can observe that for the formulae '1 and '3 the BMC algorithm did not use a lot of memory and the SMT-solver consumed almost the whole memory in this case. For other formulae the memory usage for BMC and SMT-solver is almost the same.
Total time usage for the TGPP 5
6
Number of Nodes 2 3 4 7 8 9 10
BMC memory usage for the TGPP
SMT memory usage for the TGPP
As we mentioned before, the number of considered k-paths (fk) for the translation is always equal to 1. The length of the witness for the formula 1 is equal to 12 and for the formula 2 is equal to 7. For the formula 3 the length of the witness is equal to 12 for two trains, 18 for three trains, 32 for four trains, and 38 for five trains.
Total time usage for the TTCS 7000 ψψ21 6000 ψ3 5000 .ce 4000 s n i iem3000 T 2000 1000 0 2 3 4 5 10 20 30 40 50 60 70 80 90 100 110 120 130 140 145
Number of Trains
trains we have the opposite situation. The reason of this situation is the heuristic of the
SMT-solver. Z3 solver found the valuation faster. We think that the interesting future
work will be finding the optimal SMT file for SMT-solvers [
Total memory usage for the TTCS
1 1600 ψψ3
2 1400 1200 B inM1000 y rom 800 e M 600 400 200 0 2 3 4 5 10 20 30 40 50 60 70 80 90 100 110 120 130 140 145
Number of Trains 0 2 3 4 5 10 20 30 40 50 60 70 80 90 100110120130140145
Number of Trains 0 2 3 4 5 10 20 30 40 50 60 70 80 90 100110120130140145
Number of Trains
Fig. 9: SMT and BMC time usage for TTCS.
BMC memory usage for the TTCS 0 2 3 4 5 10 20 30 40 50 60 70 80 90 100110120130140145
Number of Trains
SMT memory usage for the TTCS We have implemented and experimentally evaluated an SMT-based BMC method for real-time systems, which are modelled by timed automata with dense time, and for properties expressible in MTL with the semantics over timed automata. We have experimentally evaluated the method. The method is based on a translation of the existential model checking for MTL to the existential model checking for LTLq, and then on the translation of the existential model checking for LTLq to the satisfiability modulo theories problem.
In the future we would like to develop a corresponding SAT-based method. Developing the SMT-based method as a first method was a natural way to solve the problem. SMT encoding is easier to implement. However, the SAT encoding in many cases is more precise, what may give better experimental results.