Software Tools for Technology Transfer manuscript No. (will be inserted by the editor)

Issues in Distributed Timed Model Checking: Building Zeus

Víctor Braberman¹*, Alfredo Olivero²**, Fernando Schapachnik¹

¹ Computer Science Department, FCEyN, Universidad de Buenos Aires, Buenos Aires, Argentina. e-mail: {vbraber,fschapac}@dc.uba.ar
² Department of Information Technology, FIyCE, Universidad Argentina de la Empresa, Buenos Aires, Argentina. e-mail: [email protected]

Received: date / Revised version: date

Abstract. In this work we present Zeus, a Distributed Timed Model Checker that evolves from the TCTL Model Checker Kronos [13] and that currently can handle backwards computation of reachability properties [2] over timed automata [3]. Zeus was developed following a software-architecture-centric approach. Its conceptual architecture was conceived to be sufficiently modular to house several features such as a priori graph partitioning, synchronous and asynchronous computation, communication piggybacking, delayed messaging and dead-time utilization. Surprisingly enough, early experiments pinpointed the difficulties of getting speedups with the asynchronous versions and showed interesting results for the synchronous counterpart, although it is intuitively less attractive.

Key words: Timed systems; Distributed timed model checking; Timed automata; Kronos; Zeus

1 Introduction

Real-time systems are often critical, because their failure can lead to human or monetary losses. Being built from many different components with complicated interactions among them, they are in general very hard to prove correct. The designed behavior and many of the properties that would generally be desirable on such systems are expressed in terms of elapsed time between significant events: "Would the controller open the gate in no more than 10 seconds after pressing the emergency stop button?". Except for trivial models, checking such properties is almost impossible for humans, but given enough computing power, machines can deal with them. The discipline of automatically verifying properties over real-time systems is known as Timed Model Checking. An obstacle to wide adoption of this promising technology is scalability. Verifying even medium-size designs can quickly exhaust the memory or processing capacity of rather powerful computers. This is why research in Model Checking is mainly focused on increasing the size of the models tools can deal with. In recent years, there has been an increasing interest in the use of Distributed Computing, where a cluster of processors works together to solve the problem [24,6,28]. The usefulness of a distributed strategy is often measured by the "speedup" gained. Speedup with $n$ processors is computed as $t_1/t_n$, where $t_i$ is the time it takes to finish the verification with $i$ processors. Usually the goal is to get linear speedups, although the verification of cases where a single computer's memory is insufficient is also considered a success. Much successful work has been done to distribute untimed model checkers [28,24,4,17,26,7,19,22,8,20]. However, except for the work of Behrmann, Hune and Vaandrager on a distributed version of UPPAAL [6] and Behrmann [5], not much has been done about parallelizing or distributing Timed Model Checkers. Because of the inherently different data structures involved, the timed and untimed cases lead to inherently different parallelization strategies and challenges. Timed Model Checkers are usually based on Difference Bound Matrices (DBM) [16]. Though they are symbolic representations of the state space, they conceptually differ from Binary Decision Diagrams, which are the basic data structure for a large class of untimed model checking tools and their distributed counterparts. Thus, most of the strategies and ideas for distributing BDD-based model checking algorithms (e.g., slicing large BDDs [22]) seem not to be directly applicable to the timed setting.

* Research partially supported by ANPCyT, project BID-PICT11738 and by UBACyT, project X405.
** Research supported by UADE grant ISI03B.
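As an added illustration of the symbolic representation just mentioned (this is not code from Kronos or Zeus): a minimal Difference Bound Matrix with the three operations a backward reachability step over a zone relies on, namely canonicalization (Floyd-Warshall tightening, which also detects empty zones), intersection with a clock constraint, and the "past" (down) operator that collects every valuation from which the zone is reached by letting time elapse. The clock names and the zones used in the comments are constructed for the example.

```python
import math
from itertools import product
# A bound is (constant, strict): strict=False encodes "<=", strict=True "<".
INF = (math.inf, True)
ZERO = (0.0, False)

def bound_lt(a, b):  # is a tighter than b? (c,<) is tighter than (c,<=)
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def bound_add(a, b):
    return (a[0] + b[0], a[1] or b[1])

class DBM:
    """Difference Bound Matrix over clocks x1..xn; index 0 is the constant-zero clock.
    m[i][j] bounds x_i - x_j. Constructed illustration, not Kronos/Zeus code."""
    def __init__(self, n):
        self.n = n
        self.m = [[INF] * (n + 1) for _ in range(n + 1)]
        for i in range(n + 1):
            self.m[i][i] = ZERO
            self.m[0][i] = ZERO  # 0 - x_i <= 0: every clock is non-negative

    def canonicalize(self):
        """Floyd-Warshall tightening; returns False when the zone is empty."""
        r = range(self.n + 1)
        for k, i, j in product(r, r, r):
            via = bound_add(self.m[i][k], self.m[k][j])
            if bound_lt(via, self.m[i][j]):
                self.m[i][j] = via
        return not any(bound_lt(self.m[i][i], ZERO) for i in r)

    def constrain(self, i, j, c, strict=False):
        """Intersect with x_i - x_j <= c (< c if strict); j=0 gives x_i <= c, i=0 gives x_j >= -c."""
        if bound_lt((float(c), strict), self.m[i][j]):
            self.m[i][j] = (float(c), strict)
        return self.canonicalize()

    def down(self):
        """Past operator of backward reachability: all valuations from which the zone is
        reached by elapsing time. Upper bounds stay; lower bounds fall to 0 unless a
        difference constraint x_j - x_i holds them up (e.g. 6 <= t1 <= 11 becomes 0 <= t1 <= 11)."""
        for i in range(1, self.n + 1):
            self.m[0][i] = ZERO
            for j in range(1, self.n + 1):
                if bound_lt(self.m[j][i], self.m[0][i]):
                    self.m[0][i] = self.m[j][i]
        return self.canonicalize()

    def upper(self, i): return self.m[i][0]  # bound on x_i
    def lower(self, i): return self.m[0][i]  # bound on -x_i (negate to read x_i >= ...)
```

Building `DBM(1)`, calling `constrain(1, 0, 11)` and `constrain(0, 1, -6)` gives the zone 6 <= t1 <= 11; `down()` then yields 0 <= t1 <= 11, while constraining the same clock to t1 <= 5 after t1 >= 6 makes `constrain` return False, signalling an empty zone.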

V. Braberman et al.: Issues in distributed timed model checking

In this work we present Zeus, a Distributed Timed Model Checker that evolves from the monoprocessor Model Checker Kronos [13] and that currently can handle backwards computation of TCTL-reachability properties [2] over timed automata [3]. Zeus was developed following a software architecture approach with "design for change" in mind. That was a key requirement, since there are many degrees of freedom that are very hard to set in advance when building a distributed tool. The rest of the article is organized as follows: we first describe the basics of timed automata and their analysis in section 2. In section 3 we present the most interesting points of our Distributed Model Checker. Section 4 is devoted to the presentation of an architectural view of the tool. Section 5 shows the performance on the examples and, finally, section 6 summarizes the lessons learned, as well as paths to be taken in future research.

[Figure: timed automaton fragment; recoverable labels are the locations lower, raise and open, the transitions app1 and exit1, the clock resets {g} and {t1}, and the clock guards t1>=11, t1>=6 and t1=3.]
