An Efficient Explicit-time Description Method for Timed Model Checking

Timed model checking, the method to formally verify real-time systems, is attracting increasing attention from both the model checking community and the real-time community. Explicit-time description methods verify real-time systems using general mod…

Authors: Hao Wang and Wendy MacCaull (Centre for Logic and Information, St. Francis Xavier University, Antigonish, Canada)

L. Brim and J. van de Pol (Eds.): 8th International Workshop on Parallel and Distributed Methods in verifiCation 2009 (PDMC'09), EPTCS 14, 2009, pp. 77–91, doi:10.4204/EPTCS.14.6. © H. Wang & W. MacCaull. This work is licensed under the Creative Commons Attribution License.

An Efficient Explicit-time Description Method for Timed Model Checking

Hao Wang and Wendy MacCaull
Centre for Logic and Information, St. Francis Xavier University, Antigonish, Canada
{hwang, wmaccaul}@stfx.ca

Timed model checking, the method to formally verify real-time systems, is attracting increasing attention from both the model checking community and the real-time community. Explicit-time description methods verify real-time systems using general model constructs found in standard un-timed model checkers. Lamport proposed an explicit-time description method [17] using a clock-ticking process (Tick) to simulate the passage of time together with a group of global variables to model time requirements. Two methods, the Sync-based Explicit-time Description Method using rendezvous synchronization steps and the Semaphore-based Explicit-time Description Method using only one global variable, were proposed [27, 26]; they both achieve better modularity than Lamport's method in modeling real-time systems. In contrast to timed-automata-based model checkers like UPPAAL [7], explicit-time description methods can access and store the current time instant for future calculations necessary for many real-time systems, especially those with pre-emptive scheduling. However, the Tick process in the above three methods increments the time by one unit in each tick; the state spaces therefore grow relatively fast as the time parameters increase, a problem when the system's time period is relatively long.
In this paper, we propose a more efficient method which enables the Tick process to leap multiple time units in one tick. Preliminary experimental results in a high performance computing environment show that this new method significantly reduces the state space and improves both the time and memory efficiency.

1 Introduction

Model checking is an automatic analysis method which explores all possible states of a modeled system to verify whether the system satisfies a formally specified property. It was popularized in industrial applications, e.g., for computer hardware and software, and has great potential for modeling complex and distributed business processes. Timed model checking, the method to formally verify real-time systems, is attracting increasing attention from both the model checking community and the real-time community. However, standard model checkers like SPIN [15] and SMV [19] can generally only represent and verify the qualitative relations between events, which constrains their use for real-time systems. Quantified time notions, including time instant and duration, must be taken into account for timed model checking. For example, in a safety-critical application such as an emergency department, after an emergency case arrives at the hospital, standard model checking can only verify whether "the patient receives a certain treatment", but to save the patient's life it should be verified whether "the patient receives a certain treatment within 1 hour".

Many formalisms with time extensions have been presented as the basis for timed model checkers. Two popular ones are: (1) timed automata [4], which is an extension of finite-state automata with a set of clock variables to keep track of time; (2) time Petri Nets [20], which is an extension of Petri Nets with timing constraints on the firings of transitions.
Various translation methods have been presented from time Petri Nets to timed automata [22] in order to apply timed-automata-based methods to time Petri Nets. UPPAAL [7] and KRONOS [28] are two well-known timed-automata-based model checkers; they have been successfully applied to various real-time controllers and communication protocols. Conventional temporal logics like Linear Temporal Logic (LTL) or Computation Tree Logic (CTL) must be extended [5] to handle the specification of properties of timed automata. In order to handle continuous-time semantics, specialized data structures are needed to represent real clock variables, e.g. Difference Bounded Matrices [12] (employed by UPPAAL and KRONOS).

The foundation for the decidability results in timed automata is based on the notion of region equivalence over the clock assignment [8]. Models in a timed-automata-based model checker cannot represent at which time instant a transition is executed within a time region; such model checkers can only deal with a specification involving a time region or a pre-specified time instant, and cannot store the exact time instant when the transition is executed. However, many real-time systems, especially those with pre-emptive scheduling, need this information for succeeding calculations. For example, triage is widely practiced in medical procedures; the caregiver C may be administering some required but non-critical treatment on patient A when another patient B presents with a critical situation, such as a cardiac arrest. C then must move to the higher priority task of treating B, but it is necessary to store the elapsed time of A's treatment to determine how much time is still needed, or else the treatment must be restarted.
Stop-watch automata [3], an extension of timed automata, were proposed to tackle this; unfortunately, as Krcál and Yi discussed in [16], since the reachability problem for this class of automata is undecidable, there is no guarantee of termination in the general case.

Lamport [17] advocated explicit-time description methods using general model constructs, e.g., global integer variables or synchronization between processes commonly found in standard un-timed model checkers, to realize timed model checking. He presented an explicit-time description method, which we refer to as LEDM, using a clock-ticking process (Tick) to simulate the passage of time, and a pair of global variables to store the time lower and upper bounds for each modeled system process. The method has been implemented with the popular model checkers SPIN (sequential) and SMV. We presented two methods, (1) the Sync-based Explicit-time Description Method (SEDM) [27] using rendezvous synchronization steps between the Tick and each of the system processes; and (2) the Semaphore-based Explicit-time Description Method (SMEDM) [26] using only one global semaphore variable. Both these methods enable the time lower and upper bounds to be defined locally in system processes, so they provide better modularity in system modeling and facilitate the use of more complex timing constraints. Our experiments [26, 27] showed that the time and memory efficiencies of these two methods are comparable to that of LEDM.

The explicit-time description methods have three advantages over timed-automata-based model checkers: (1) they do not need specialized languages or tools for time description, so they can be applied in standard un-timed model checkers. Recently, Van den Berg et al.
[9] successfully applied LEDM to verify the safety of railway interlockings for one of Australia's largest railway companies; (2) they enable the accessing and storing of the current time [26], a useful feature for pre-emptive scheduling problems; and (3) they enable the usage of large-scale distributed model checkers, e.g., DiVinE, for timed model checking.

Orthogonally, model checking has been studied on parallel and distributed computing platforms. Because real-world models often come with gigantic state spaces which cannot fit into the memory of a standard computer, inevitably a portion of the state space needs to be accessed from secondary storage and the model checking algorithm becomes very slow [10]. This problem is known as state explosion. Large-scale analysis is needed in many practical cases. Distributed model checkers exploit the power of distributed computing facilities so that much larger memory is available to accommodate the state space of the system model; parallel processing of the states can, moreover, reduce the verification time. Our experiments [27] compared the time efficiency of the sequential SPIN and DiVinE [2], a well-known distributed model checker. When using the same explicit-time description method, DiVinE can verify much larger models and finish the verification for models of the same size in significantly less time than SPIN.

In this paper, we present a new explicit-time description method called the Efficient Explicit-time Description Method (EEDM). We found that the former three methods (LEDM, SEDM and SMEDM) suffer from one common problem: as the Tick process increments the time by one unit in each tick, the state space grows relatively fast as the time parameters increase.
E.g., in our experiment [26] using LEDM, the number of states doubles as the time bounds grow from 12 to 14. In the new EEDM, the Tick can increment the time in two modes: the standard mode and the leaping mode. When it is necessary to store the current time to allow access for future calculations, it ticks in the standard mode; otherwise, it ticks in the leaping mode. For each system process, we define one global variable indicating whether the process needs to store and access the current time, allowing the Tick process to switch between the standard mode and the leaping mode. For the experiments, we continue using DiVinE (the method is also applicable to other standard model checkers); the results show that: in the leaping mode, the number of states can be reduced significantly, so it is much less affected by the increase of time parameters; in the standard mode, the time and memory efficiencies are comparable with the former methods.

The remainder of the paper is organized as follows. Section 2 gives background information with respect to the DiVinE model checker. The new explicit-time description method implemented in DiVinE is presented in Section 3; for comparison, LEDM is also briefly described in the same section. Section 4 describes our experiments and the results. Section 5 concludes the paper.

2 Preliminaries

Section 2.1 is adapted from [25]; the syntax outlined in Section 2.2, while incomplete, is meant for the presentation of the explicit-time description methods; the complete description can be found in [2].

2.1 Distributed Model Checking Algorithms in DiVinE

DiVinE is an explicit-state LTL model checker based on the automata-based procedure by Vardi and Wolper [24]. The property to be specified is described by an LTL formula.
In LTL model checking, all efficient sequential algorithms are based on the postorder exploration as computed by a depth-first search (DFS) of the state space. However, computing DFS postorder is P-complete [23], so no benefit in terms of either time or space will result from parallelization of this type of algorithm. Two algorithms, OWCTY and MAP [6], are introduced in DiVinE. The sequential complexity of each is worse than that of the DFS-based algorithms, but both can be efficiently implemented in parallel. OWCTY, or One Way to Catch Them Young, is based on the fact that a directed graph can be topologically sorted if and only if it is acyclic. The algorithm applies a standard linear topological sort algorithm to the graph. Failure in the sorting means the graph contains a cycle. Accepting cycles are detected with multiple rounds of the sorting. MAP, or Maximal Accepting Predecessors, is based on the fact that each accepting vertex in an accepting cycle is its own predecessor. To improve memory efficiency, the algorithm only stores a single representative accepting predecessor for each vertex by choosing the maximal one in a linear ordering of vertices. These two algorithms are preferable in different cases. If the property of a model is expected to hold, and the state space can fit completely into (distributed) memory, OWCTY is preferable as it is three times faster than MAP at exploring the whole state space. On the other hand, MAP can generally find a counterexample (if it exists) more quickly as it works on-the-fly.

2.2 DiVinE Modeling Language

DVE is the modeling language of DiVinE. Like in Promela (the modeling language of SPIN), a model described in DVE consists of processes, message channels and variables.
Each process, identified by a unique name procid, consists of lists of local variable declarations and state declarations, the initial state declaration and a list of transitions. A transition transfers the process state from stateid1 to stateid2. The transition may contain a guard (which decides whether the transition can be executed), a synchronization (which communicates data with another process) and an effect (which assigns new values to local or global variables). So we have

    Transition ::= stateid1 -> stateid2 { Guard Sync Effect }

The Guard contains the keyword guard followed by a boolean expression, and the Effect contains the keyword effect followed by a list of assignments. The Sync follows the notation for communication in CSP, '!' for the sender and '?' for the receiver. The synchronization can be either asynchronous or rendezvous. Value(s) are transferred in the channel identified by chanid. So we have

    Sync ::= sync chanid ! SyncValue | chanid ? SyncValue ;

A property process is automatically generated for the corresponding property written as an LTL formula. Modeled system processes and the property process progress synchronously, so the latter can observe the system's behavior step by step and catch errors.

3 Explicit-Time Description Methods

With explicit-time description methods, the passage of time and quantified time values can be expressed in un-timed languages, and the properties to be specified can be expressed in conventional temporal logics. This section describes Lamport's LEDM before detailing our new EEDM. At the end of this section, we study a small pre-emptive example with respect to explicit-time description methods.

3.1 The Lamport Explicit-time Description Method

In LEDM, current time is represented with a global variable now that is incremented by an added Tick process.
As we mentioned earlier, standard model checkers can only deal with integer variables, and a real-time system can only be modeled in discrete time using an explicit-time description. So the Tick process increments now by 1. Note that in explicit-time description methods for standard model checkers, the real-valued time variables must be replaced by integer-valued ones. Therefore, these methods in general do not preserve the continuous-time semantics; otherwise an inherently infinite-state specification would be produced and the verification would be undecidable. However, they are sound for a commonly used class of real-time systems and their properties [14].

Placing lower-bound and upper-bound timing constraints on transitions in processes is the common way to model real-time systems. Figure 1 shows a simple example of only two transitions: transition τ_A : stateid_l -> stateid_m is followed by the transition τ_B : stateid_m -> stateid_n. An upper-bound timing constraint on when transition τ_B must occur is expressed by a guard on the transition in the Tick process, so as to prevent an increase in time from violating the constraint. A lower-bound constraint on when transition τ_B may occur is expressed by a guard on τ_B, so it cannot be executed earlier than it should be. Each system process P_i has a pair of count-down timers denoted as global variables ubtimer_i and lbtimer_i for the timing constraints on its transitions. A large enough integer constant, denoted INFINITY, is defined. All upper bound timers are initialized to INFINITY and all lower bound timers are initialized to zero. Upper bound timers with the value INFINITY are not active and the Tick process will not decrement them.

Figure 1: States and timeline of process P_i (figure not reproduced)
For transition τ_B, the timers will be set to the correct values by τ_A : stateid_l -> stateid_m. As now is incremented by 1, each non-INFINITY ubtimer and non-zero lbtimer is decremented by 1.

    process P_Tick {
      state tick;
      init tick;
      trans tick -> tick {
        guard all ubtimers > 0;
        effect now = now + 1, decrement all timers;
      };
    }

Figure 2: Tick process in DVE for LEDM

In Figure 1, initially, (ubtimer_i, lbtimer_i) is set to (INFINITY, 0). Transition τ_A is executed at time instant t_0, and (ubtimer_i, lbtimer_i) is set to (ξ_2, ξ_1). After ξ_1 time units, i.e., at time instant t_1 when (ubtimer_i, lbtimer_i) is equal to (ξ_2 − ξ_1, 0), transition τ_B is enabled. Both timers will be reset or set to new time bounds after the execution of τ_B. If transition τ_B is still not executed when the time reaches t_2 and ubtimer_i is equal to 0, the transition in the Tick process is disabled. This forces transition τ_B (it is the only transition possible at this time) to set ubtimer_i; then the Tick process can start again. In this way, the time upper-bound constraint is realized. The Tick process and the system process P_i in DVE are described in Figure 2 and Figure 3.

    process P_i {
      state ..., state_l, state_m, state_n;
      init ...;
      trans ... -> ...,
        state_l -> state_m { ...; effect set timers for transition τ_B; },
        state_m -> state_n { guard lbtimer[i] == 0; effect ...; },
        ... -> ...;
    }

Figure 3: System process P_i in DVE for LEDM

We observe that the value of now is limited by the size of the integer type, and careless incrementing can cause an overflow error. This can be avoided by incrementing now using modular arithmetic, i.e., setting now = (now + 1) mod MAXIMAL (MAXIMAL is the maximal integer value supported by the model checker).
The value limit can also be increased by linking several integers, i.e., every time (int_1 + 1) mod MAXIMAL becomes zero again, int_2 increments by 1, and so on. Note that the variable now is only incremented in the Tick process and does not appear in any other process. So for general system models in which time lower and upper bounds suffice, the variable now should be removed.

3.2 The New Efficient Explicit-Time Description Method

This section is organized as follows. First, we describe the leaping mode and the standard mode of the new EEDM in Sections 3.2.1 and 3.2.2 respectively. Second, we present some discussions (clarifications) of issues on EDMs and EEDM in Section 3.2.3. Finally, a pre-emptive scheduling modeling example using EEDM is described in Section 3.2.4.

3.2.1 Leaping Ticks

All aforementioned explicit-time description methods (LEDM, SEDM and SMEDM) increase now by 1 each tick. On the other hand, consider Figure 4: we observe that when the system contains only one process, P_i, after t_0, τ_B cannot be executed until time reaches t_2. Therefore, the ticks between t_0 and t_2 serve no purpose; optimally, the Tick process should directly "leap" to t_2. Similarly, τ_B is enabled between t_2 and t_4, so either τ_B is executed before t_4 or time reaches t_4 and τ_B's execution is forced; therefore, the Tick process can leap to t_4 from t_2. When we include P_j, after t_0, the Tick should first leap to t_1 so P_j can enable transition τ_C; then it should leap to t_2, and so on. Based on these observations, in the new EEDM we use one global count-down timer for each system process, e.g., timer_i for P_i in Figure 4 is set to ξ_1 at t_0 and to ξ_2 − ξ_1 at t_2. The Tick process increments now by the value of the smallest timer, on condition that no timer equals zero and at least one timer is non-INFINITY.
In fact, the Tick process, leaping in this way, is running in the leaping mode; the Tick process in leaping mode and the corresponding system process P_i in DVE are described in Figure 5 and Figure 6 (N is the number of system processes).

Figure 4: Timeline of processes P_i and P_j (figure not reproduced)

    process P_Tick {
      state tick;
      init tick;
      trans tick -> tick {
        guard (∧_{i=1..N} (timer[i] > 0)) ∧ (∨_{i=1..N} (timer[i] ≠ INFINITY));
        effect now = now + min_{i=1..N}(timer[i]), decrement all timers by min_{i=1..N}(timer[i]);
      };
    }

Figure 5: Tick process in leaping mode in DVE for EEDM

    process P_i {
      state state_l, state_m1, state_m2, state_n, ...;
      init ...;
      trans ... -> ...,
        state_l -> state_m1 { ...; effect timer[i] = ξ_1; },
        state_m1 -> state_m2 { guard timer[i] == 0; effect timer[i] = ξ_2 − ξ_1; },
        state_m2 -> state_n { executes τ_B and resets timer[i]; },
        ... -> ...;
    }

Figure 6: System process P_i in DVE for EEDM

3.2.2 To Know the Current Time Instant

Careful readers may notice that there is one penalty for the Tick to leap: the actual time instant when τ_B is executed is unknown unless it is t_4. In fact, in the leaping mode, it is only known that a transition is executed between the two closest ticks that nest the transition. Consider the example in Figure 4; the Tick will sequentially leap from t_0 through t_4; τ_B may be executed at: (1) some time instant between t_2 and t_3; or (2) some time instant between t_3 and t_4; or (3) the time instant t_4. However, as we discussed earlier in Section 1 and in [26], in many systems, especially those with pre-emptive scheduling, it is necessary to know the actual time instant when the transition is executed. To overcome this problem, we allow the Tick process to run in the standard mode. We define a global signal variable for each system process. All signals are set to 0 at the initial state.
Whenever a system process P_i requires the current time for future calculation, signal_i should be set to 1; the Tick process in turn will run in the standard mode, in which it increments now by 1 in each tick. E.g., when time reaches t_2 in Figure 4, P_i's signal signal_i is set to 1 in order to store the time instant at which τ_B is executed; when time reaches t_4, signal_i is set back to 0 so that the Tick switches back to leaping mode. Both the Tick process and the system process need to be updated to incorporate the standard mode, see Figure 7 and Figure 8.

    process P_Tick {
      state tick;
      init tick;
      trans tick -> tick {
        guard (∧_{i=1..N} (timer[i] > 0)) ∧ (∨_{i=1..N} (timer[i] ≠ INFINITY)) ∧ (∧_{i=1..N} (signal[i] == 0));
        effect now = now + min_{i=1..N}(timer[i]), decrement all timers by min_{i=1..N}(timer[i]);
      },
      tick -> tick {
        guard (∧_{i=1..N} (timer[i] > 0)) ∧ (∨_{i=1..N} (timer[i] ≠ INFINITY)) ∧ (∨_{i=1..N} (signal[i] == 1));
        effect now = now + 1, decrement all timers by 1;
      };
    }

Figure 7: Tick process in standard mode in DVE for EEDM

    process P_i {
      state state_l, state_m1, state_m2, state_n, ...;
      init ...;
      trans ... -> ...,
        state_l -> state_m1 { ...; effect timer[i] = ξ_1; },
        state_m1 -> state_m2 { guard timer[i] == 0; effect timer[i] = ξ_2 − ξ_1, signal[i] = 1; },
        state_m2 -> state_n { executes τ_B and resets timer[i], signal[i] = 0; },
        ... -> ...;
    }

Figure 8: System process P_i to illustrate the standard mode

3.2.3 Issues on EDMs and EEDM

Readers may be concerned about the verification capability of explicit-time description methods. As in our earlier discussion, EDMs simulate a discrete timer by making use of existing constructs in standard un-timed model checkers; in other words, time is just another normal variable in an un-timed model.
Therefore, EDMs are not affected by verification issues such as whether the property is specified as an LTL or CTL formula, or whether the property is verified using explicit-state (e.g., SPIN) or symbolic (e.g., SMV) model checking algorithms. These verification issues depend on what standard un-timed model checker is used.

Discrete timed model checkers suffer from a common problem: how to find the right time quantum (granularity) that does not mask errors. E.g., for processes in a hospital, a time unit defined as a day will definitely mask an error which violates the property "the patient receives a certain treatment within 1 hour". On the other hand, the state space can easily blow up if a finer time unit is used. Readers may be concerned that the introduction of leaping ticks may add to this problem. Actually, leaping ticks do not mask errors in this respect. The difference between LEDM and EEDM in leaping mode is that EEDM in leaping mode cannot record and use the exact time instant when a transition is executed, neither in the model nor in the specified properties. For example, the LTL property that b becomes true before 10 time units have elapsed since τ_B was executed cannot be verified using EEDM in leaping mode. For this reason, we introduce the mode-switching mechanism in EEDM.

To reduce the state space, Lamport [17] proposed the use of view symmetry, which is equivalent to abstraction for a symmetric specification S. Abstraction consists of checking S by model checking a different specification A called an abstraction of S. This technique has two restrictions: (1) the now variable must be eliminated, which means the current time instant is not accessible in this case; (2) if the model checker does not support checking under view symmetry or abstraction, the abstraction specification A must be constructed by hand.
In addition, this reduction technique is orthogonal to our EEDM, i.e., we can use Lamport's abstraction technique in conjunction with EEDM.

The idea of leaping ticks in EEDM is quite similar to the notion of time regions in timed-automata-based model checkers, which advance time up to the point where a transition must be executed in order not to violate the invariant defined on the corresponding state. However, the implementations are fundamentally different: timed-automata-based model checkers introduce specialized data structures [16] to store time regions and use symbolic model checking algorithms extended for time; on the other hand, EEDM, as with LEDM, only uses an explicit Tick process and some global variables, and the leaping way of advancing time is obtained by letting the Tick leap to the next closest time bound of all system processes.

3.2.4 To Know The Current Time Instant: A Pre-emptive Scheduling Example

Following the triage example described in Section 1, we consider a system of multiple parallel tasks with different priorities, assuming that the right to an exclusive resource is deprivable, i.e., a higher priority task B may deprive the resource from the currently running task A. In this case, the elapsed time of A's execution must be stored for a future resumed execution. Figure 9 shows a portion of a state transition diagram for task A, assuming A needs the exclusive resource R for 10 time units; when R becomes available at time instant t_0, A starts its execution by entering the state Exec; at time instant t_1, B deprives A of its right to R, and A changes to the state Deprived and stores the elapsed t_1 − t_0 time units; when R becomes available again, A resumes its execution in state Exec for the remaining 10 − (t_1 − t_0) units.
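The following Python simulation is an added example (it is not from the paper, whose models are written in DVE) of the Tick process of Section 3.2 driving exactly this scenario: one count-down timer and one signal per process, the guard of Figure 7, a leap to the smallest active timer when no signal is raised, and a tick of 1 when some process needs the exact time. The INFINITY and MAXIMAL constants, the process indices and the arrival/holding times of B are assumptions made for the example.

```python
"""Added example: EEDM Tick process (leaping vs standard mode) on the pre-emptive
scheduling scenario of Section 3.2.4. Not the paper's DVE model."""
from dataclasses import dataclass, field
from typing import Dict, List

INFINITY = 10 ** 6   # "large enough" constant marking an inactive timer (assumption)
MAXIMAL = 2 ** 31    # modulus used to wrap `now`, as suggested in Section 3.1 (assumption)


@dataclass
class Tick:
    """Global clock state: one count-down timer and one signal per system process."""
    timer: List[int]
    signal: List[int]
    leap: bool = True            # False gives an LEDM-style clock that only ticks by 1
    now: int = 0
    ticks: int = 0
    trace: List[int] = field(default_factory=list)

    def active(self) -> List[int]:
        return [t for t in self.timer if t != INFINITY]

    def enabled(self) -> bool:
        # Guard shared by both transitions of Figure 7: no timer has expired (an
        # expired timer forces its owner to move first) and at least one is active.
        return all(t > 0 for t in self.timer) and bool(self.active())

    def tick(self) -> int:
        """Execute P_Tick once; return the time advanced (0 when the guard blocks it)."""
        if not self.enabled():
            return 0
        # Standard mode while any signal is raised (or leaping disabled), otherwise
        # leap straight to the nearest bound of all processes.
        step = 1 if (any(self.signal) or not self.leap) else min(self.active())
        self.now = (self.now + step) % MAXIMAL
        self.timer = [t if t == INFINITY else t - step for t in self.timer]
        self.ticks += 1
        self.trace.append(step)
        return step

    def run_until_expired(self, i: int) -> None:
        """Advance time until timer[i] reaches 0 (process i is then forced to move)."""
        while self.timer[i] > 0:
            if self.tick() == 0:
                raise RuntimeError("another process's timer expired first; it must move")


def preemption(need_a: int = 10, b_arrives: int = 3, b_holds: int = 4,
               leap: bool = True) -> Dict[str, object]:
    """Task A needs R for need_a units; B deprives it after b_arrives units and holds
    R for b_holds units; A then resumes for the remainder (Figures 9 and 10)."""
    A, B = 0, 1
    clk = Tick(timer=[INFINITY, INFINITY], signal=[0, 0], leap=leap)
    # t0: A acquires R and raises its signal, so the clock ticks by 1 while A runs
    # and the elapsed time is known if A is deprived.
    t0 = clk.now
    clk.timer[A], clk.signal[A] = need_a, 1
    clk.timer[B] = b_arrives                      # B's arrival is the next bound
    clk.run_until_expired(B)
    t1 = clk.now
    # A -> Deprived: store the remaining work (timeToGo = timer[A] in Figure 10),
    # deactivate its timer and drop its signal; nobody needs the exact time now.
    time_to_go = clk.timer[A]
    clk.timer[A], clk.signal[A] = INFINITY, 0
    clk.timer[B] = b_holds                        # only B's bound matters: Tick may leap
    clk.run_until_expired(B)
    clk.timer[B] = INFINITY
    # A resumes in standard mode for the remaining units.
    clk.timer[A], clk.signal[A] = time_to_go, 1
    clk.run_until_expired(A)
    return {"elapsed_before_preemption": t1 - t0, "remaining": time_to_go,
            "finish": clk.now, "ticks": clk.ticks, "trace": clk.trace}


if __name__ == "__main__":
    for mode in (True, False):
        r = preemption(leap=mode)
        print("leaping" if mode else "standard", r)
```

With the default numbers the leaping clock ticks 11 times (three ticks of 1 while A runs, one leap of 4 while B holds R, seven ticks of 1 for A's remainder) and the all-standard clock ticks 14 times; both finish at now = 14 and both recover the same elapsed time of 3 units, because A raises its signal whenever it needs the exact instant. Setting a timer to 0 or leaving all timers at INFINITY disables the Tick, which is how the upper bound forces the owning process to move.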
Implementation of this example using any one of the three explicit-time description methods is straightforward. Figure 10 shows the process for task A in DVE using EEDM (assuming A has the lowest priority).

Figure 9: An example case of pre-emptive scheduling (state transition diagram not reproduced)

    byte isROccupied = 0;   // 0 means available

    process A {
      default(Tag, tagA)
      int timeToGo = 10;
      state s_i, s_Exec, s_Deprived, ...;
      init ...;
      trans ... -> ...,
        s_i -> s_Exec { guard isROccupied == 0;
                        effect isROccupied = Tag, timer[A] = timeToGo, signal[A] = 1; },
        s_Exec -> s_Deprived { guard isROccupied != Tag && timer[A] > 0;   // R taken by a higher priority task
                               effect timeToGo = timer[A]; },
        s_Deprived -> s_Exec { guard isROccupied == 0;
                               effect isROccupied = Tag, timer[A] = timeToGo; },
        s_Exec -> s_Next { guard timer[A] == 0;
                           effect isROccupied = 0, signal[A] = 0; },
        ... -> ...;
    }

Figure 10: Process in DVE for the pre-emptive scheduling example using EEDM

4 Experiments

4.1 Overview

For the convenience of comparison with LEDM in DiVinE, we use Fischer's mutual exclusion algorithm as in [27, 26]; this algorithm is a well-known benchmark for timed model checking. The description of the algorithm below is adapted from [17]. Our experiment is to model the algorithm in DiVinE using EEDM in both standard and leaping modes, and compare the time and memory efficiency and the size of the state space with those of LEDM (we omit the experiments for SEDM and SMEDM because they are comparable with LEDM in the aforementioned three numeric criteria).

Fischer's algorithm is a shared-memory, multi-threaded algorithm. It uses a shared variable x whose value is either a thread identifier (starting from 1) or zero; its initial value is zero.
For the convenience of specifying the safety property in our experiments, we use a counter c to count the number of threads that are in the critical section. The program for thread t is described in Figure 11.

    ncs: noncritical section;
    a:   wait until x = 0;
    b:   x := t;
    c:   if x ≠ t then goto a;
    cs:  critical section;
    d:   x := 0; goto ncs;

Figure 11: Program of thread t in Fischer's algorithm

The timing constraints are: first, step b must be executed at most δ_ub time units (as an upper bound) after the preceding execution of step a; second, step c cannot be executed until at least δ_lc time units (as a lower bound) after the preceding execution of step b. For step c, there is an additional upper bound δ_uc to ensure fairness, i.e., step c will eventually be executed. The algorithm is tested for 6 threads. The safety property to be verified, "no more than one process can be in the critical section", is specified as G(c < 2) for the model.

Version 0.8.1 of DiVinE-Cluster is used. This version has the new feature of pre-compiling the model in DVE into dynamically linked C functions; this feature speeds up the state space generation significantly. As the example property is known to hold, the OWCTY algorithm is chosen for better time efficiency. All experiments are executed on the Mahone cluster of ACEnet [1], the high performance computing consortium for universities in Atlantic Canada. The cluster is a parallel Sun x4100 AMD Opteron (dual-core) cluster equipped with Myri-10G interconnection. Parallel jobs are assigned using the Open MPI library.

4.2 Experiment 1

For the first experiment, we use the same value for the three constraints, i.e., δ_ub = δ_lc = δ_uc = T. Figure 12 compares time and memory efficiency for the two explicit-time description methods with 16 CPUs.
We can see the significant advantage of EEDM in leaping mode: the number of states, the verification time and the memory usage remain virtually the same for all values of T. Note that all timing bounds are the same for all threads; the Tick process always leaps T time units in each tick (it ticks only when there is at least one active timer). Therefore, changing the value of T will not change the number of states. Now we compare LEDM and EEDM in standard mode. Let states(X) be the number of states of method X. We can see that, after T = 3, states(EEDM standard) > states(LEDM). As T increases from 2 to 9, states(EEDM standard) increases by a factor of 564.9 while states(LEDM) increases by a factor of only 82.2; a comparison of the verification time yields similar results. The system process in EEDM has more transitions than in LEDM because there is only one timer for each system process, and a timer needs to be assigned twice if the next transition has both lower and upper bounds (e.g., for $\tau_B$ of $P_i$ in Figure 4, timer[i] is assigned $\xi_1$ at $t_0$ and $\xi_2 - \xi_1$ at $t_2$); on the other hand, LEDM has two timers for each system process, so both bounds can be assigned in one step.
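To make the explicit-time modelling concrete, here is an added example (my own constructed Python code, not the paper's DVE models or anything from DiVinE): a small explicit-state reachability checker for Fischer's algorithm with an explicit Tick process that runs either in standard mode (one time unit per tick) or in leaping mode (leap to the nearest active timer). Each thread has a single timer, assigned a second time when a step has both a lower and an upper bound, and an expired timer blocks the Tick until its thread acts; these semantics, the choice of 3 threads, the bound sets used, and the names successors, explore and scaled_counts are all my assumptions. The example goes beyond the equal-bounds setting of Experiment 1: it keeps $\delta_b^u < \delta_c^l$ (the classical correctness condition that this simplified interleaving semantics needs) and scales all three bounds by a common factor k, which leaves the leaping-mode state count unchanged while the standard-mode count grows, and it also shows the checker reporting a violation of $G(c < 2)$ when the bound on step b exceeds the lower bound on step c.

```python
"""Constructed example: explicit-state reachability for Fischer's mutual
exclusion with an explicit Tick process, in standard and leaping mode."""
from collections import deque

# Program locations of one thread (Figure 11): ncs, a, b, c, cs.
NCS, A, B, C, CS = "ncs", "a", "b", "c", "cs"
# A thread is (loc, timer, kind); kind is None (no active timer),
# "lb" (timer counts down a lower bound) or "ub" (timer counts down a deadline).


def successors(state, n, d_ub, d_lc, d_uc, leaping):
    """All successor states of state = (x, threads)."""
    x, threads = state
    out = []
    for t in range(n):
        loc, timer, kind = threads[t]
        tid = t + 1                      # thread identifiers start from 1
        new = []
        if loc == NCS:                   # leave the noncritical section
            new.append((x, (A, 0, None)))
        elif loc == A and x == 0:        # step a done: step b is due within d_ub
            new.append((x, (B, d_ub, "ub")))
        elif loc == B:                   # step b: x := t; step c allowed after d_lc
            new.append((tid, (C, d_lc, "lb")))
        elif loc == C and kind == "lb" and timer == 0:
            # lower bound elapsed: the single timer is assigned a second time,
            # now as the remaining upper bound for step c
            new.append((x, (C, d_uc - d_lc, "ub")))
        elif loc == C and kind == "ub":  # step c: if x != t goto a, else enter cs
            new.append((x, (CS, 0, None)) if x == tid else (x, (A, 0, None)))
        elif loc == CS:                  # step d: x := 0; goto ncs
            new.append((0, (NCS, 0, None)))
        for nx, th in new:
            ths = list(threads)
            ths[t] = th
            out.append((nx, tuple(ths)))
    # Tick: enabled only when some timer is active and none has expired
    # (an expired timer is urgent: its thread must act before time advances).
    active = [timer for _, timer, kind in threads if kind is not None]
    if active and min(active) > 0:
        delta = min(active) if leaping else 1   # leap to the nearest expiry, or one unit
        ths = tuple((loc, timer - delta if kind else timer, kind)
                    for loc, timer, kind in threads)
        out.append((x, ths))
    return out


def explore(n=3, d_ub=1, d_lc=2, d_uc=2, leaping=True):
    """Breadth-first reachability. Returns (number of states, safe), where
    safe is True iff G(c < 2) holds with c = number of threads in cs."""
    init = (0, tuple((NCS, 0, None) for _ in range(n)))
    seen, queue, safe = {init}, deque([init]), True
    while queue:
        s = queue.popleft()
        if sum(1 for th in s[1] if th[0] == CS) >= 2:
            safe = False
        for nxt in successors(s, n, d_ub, d_lc, d_uc, leaping):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen), safe


def scaled_counts(k_max=3, n=3):
    """State counts for bounds (k, 2k, 2k), k = 1..k_max, as {k: (standard, leaping)}.
    Scaling every bound by k (their gcd) leaves the leaping-mode count fixed."""
    return {k: (explore(n, k, 2 * k, 2 * k, False)[0],
                explore(n, k, 2 * k, 2 * k, True)[0]) for k in range(1, k_max + 1)}


if __name__ == "__main__":
    print("k  standard  leaping")
    for k, (std, leap) in scaled_counts().items():
        print(f"{k}  {std:8d}  {leap:7d}")
    # a bound on step b larger than the lower bound on step c breaks mutual exclusion
    print("safe with bounds (3,2,2):", explore(3, 3, 2, 2, True)[1])
```

Running the script prints one row per k: the standard-mode column grows with k, because timer values between the bounds become reachable, while the leaping-mode column is the same for every k, since every timer value stays a multiple of k and the Tick always leaps by a multiple of k. The last line shows the checker finding two threads in cs once the deadline for step b is longer than the lower bound on step c.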
    T    LEDM                                EEDM standard                       EEDM leaping
         States       Time    Memory         States        Time    Memory        States    Time   Memory
    2    644,987      1.8     4,700.1        626,312       1.9     4,689.6       141,695   1.4    4,606.2
    3    1,438,204    2.4     4,822.3        2,375,451     3.4     4,982.7       141,695   1.5    4,612.8
    4    3,048,515    3.3     4,942.8        7,363,766     5.0     5,820.9       141,695   1.5    4,603.6
    5    6,033,980    4.2     5,603.4        19,471,191    10.4    7,855.2       141,695   1.4    4,604.9
    6    11,201,179   7.2     6,343.4        45,552,076    24.4    12,241.1      141,695   1.4    4,620.6
    7    19,671,092   11.1    7,885.7        96,871,373    52.1    20,663.7      141,695   1.6    4,605.7
    8    32,952,899   18.6    9,958.9        190,941,594   133.0   37,503.6      141,695   1.4    4,601.8
    9    53,025,700   30.2    13,288.7       353,811,115   246.5   63,572.8      141,695   1.4    4,622.4

Figure 12: Number of states, Time (in seconds) and memory usage (in MB) for Experiment 1

4.3 Experiment 2

For the second experiment, we set $\delta_b^u$ and $\delta_c^l$ to 4 and vary $\delta_c^u$. Figure 13 compares the number of states, time and memory efficiency for the two explicit-time description methods with 16 CPUs. Figure 14 shows how the size of the state space and the verification time grow as $\delta_c^u$ increases. The extra experimental data for $\delta_c^u \in \{13, 14, 15, 16\}$ are intended to articulate the growth pattern of the state space of EEDM in leaping mode.
    $\delta_c^u$   LEDM                                EEDM standard                       EEDM leaping
                   States        Time    Memory        States        Time    Memory        States        Time    Memory
    5              3,659,317     3.5     5,199.1       10,865,877    7.2     6,415.6       1,122,491     2.2     4,771.0
    6              6,783,455     4.2     5,770.2       15,221,140    10.2    7,150.3       1,046,759     2.0     4,758.0
    7              12,907,369    7.2     6,754.2       21,451,024    13.2    8,198.5       3,516,193     3.6     5,182.7
    8              25,723,697    13.3    8,898.8       31,934,332    20.2    9,946.8       365,279       1.6     4,651.1
    9              50,500,739    28.2    13,047.6      48,889,270    31.2    12,721.1      10,998,335    7.1     6,434.9
    10             93,349,553    52.3    20,146.1      73,501,090    50.7    16,858.4      3,828,687     3.8     5,228.0
    11             161,886,059   111.9   31,722.6      108,005,926   78.5    23,104.9      46,149,106    24.9    12,313.8
    12             266,256,377   199.2   49,154.8      154,662,946   112.2   30,045.6      857,773       1.9     4,735.3
    13                                                                                     92,147,198    48.4    19,928.2
    14                                                                                     12,275,835    7.3     6,650.4
    15                                                                                     180,459,742   114.1   34,098.7
    16                                                                                     1,847,395     2.7     4,911.5

Figure 13: Number of states, Time (in seconds) and memory usage (in MB) for Experiment 2

As opposed to the results in Experiment 1, in this experiment EEDM in standard mode performs better than LEDM. We can see that after $\delta_c^u$ = 9, states(EEDM standard) < states(LEDM); as the model becomes larger, states(EEDM standard) increases more slowly than states(LEDM). In fact, as $\delta_c^u$ increases from 5 to 12, states(LEDM) increases by a factor of 72.8 while states(EEDM standard) increases by a factor of only 14.2; we can see similar comparison results in terms of the verification time.

Figure 14: Number of states and Time (in seconds) for Experiment 2

EEDM in leaping mode still shows much better performance than LEDM and EEDM in standard mode; states(EEDM leaping) also shows an interesting phenomenon as $\delta_c^u$ increases. The numbers of states of both EEDM in standard mode and LEDM increase at a relatively steady rate: as $\delta_c^u$ increases by 1, states(EEDM standard) increases by a factor of about 1.45 and states(LEDM) increases by a factor of about 1.8.
On the other hand, the increments of states(EEDM leaping) are grouped by the value of $s = \delta_c^u \bmod \delta_c^l$. We can see that, for the same $\lfloor \delta_c^u / \delta_c^l \rfloor$, states(EEDM leaping)$_{s=0}$ < states(EEDM leaping)$_{s=2}$ < states(EEDM leaping)$_{s=1}$ < states(EEDM leaping)$_{s=3}$. For s = 0, whenever there is more than one active timer, their values are integer multiples of $\delta_c^l$ (4 in this experiment), so the Tick still leaps at least 4 time units each tick; in the case of s = 2, the Tick leaps at least 2 time units each tick. On the other hand, for s = 1 and s = 3, in the worst case the Tick leaps only 1 time unit each tick. From these observations, we can conclude that EEDM in leaping mode performs better the greater the greatest common divisor (gcd) of all timing bounds of all system processes.

5 Conclusion

In this paper, we present a new explicit-time description method, the Efficient Explicit-time Description Method (EEDM), which is significantly more efficient than LEDM, SEDM and SMEDM. In addition to the improved efficiency, EEDM still retains the ability to store and access the current time for future calculations in the system model. Altogether, we have devised methods that have advantages in different aspects of real-time modeling: SEDM and SMEDM have better modularity and adaptability; EEDM is more efficient. These explicit-time description methods provide systematic ways to represent discrete time in un-timed model checkers like SPIN, SMV and DiVinE. In fact, the explicit-time description methods are intended to offer more options for the verification of real-time systems. First, as Van den Berg et al.
mention in [9], in some real-world scenarios where significant resources have been invested into the model for a standard model checker, it is much easier and therefore preferable to extend the existing model to represent time notions rather than re-modeling the entire system for a specialized timed model checker. Second, explicit-time description methods provide a solution for accessing and storing the current clock value that timed-automata-based model checkers lack. Last and most important, explicit-time description methods, especially EEDM, enable the use of large-scale distributed model checkers so that we can verify much bigger real-time systems.

This research is part of an ambitious research and development project, Building Decision-support through Dynamic Workflow Systems for Health Care [21]. Real-world workflow processes can be highly dynamic and complex in a health care setting. Verification that the system meets its specifications is essential. Standard workflow patterns are widely used in business process modeling, so we have translated most of the control-flow patterns into DVE and applied them in verifying two small process models [18]. As a continuing effort, we will incorporate explicit-time description methods into the workflow patterns' DVE specification and verify a larger model of real-world healthcare processes with timing information. As a more complex case study of EEDM, we are now building a pre-emptive scheduling model in the setting of the Dynamic Voltage Scaling (DVS) technique. We also plan to study the possibility of applying different abstraction techniques to the explicit-time description methods: Dutertre and Sorea [13] and Clarke et al.
[11] recently presented two different abstraction techniques for timed automata, and the abstraction outcome can be verified using un-timed model checkers.

Acknowledgment

This research is sponsored by the Natural Sciences and Engineering Research Council of Canada (NSERC), an Atlantic Computational Excellence Network (ACEnet) Post Doctoral Research Fellowship and the Atlantic Canada Opportunities Agency (ACOA) through an Atlantic Innovation Fund project. The computational facilities are provided by ACEnet. We thank Jiri Barnat, Keith Miller and the anonymous reviewers of PDMC'09 for their valuable comments.

References

[1] Atlantic Computational Excellence Network (ACEnet). http://www.ace-net.ca/. Last accessed on Nov. 2009.
[2] DiVinE project. http://divine.fi.muni.cz/. Last accessed on Nov. 2009.
[3] Yasmina Abdeddaïm & Oded Maler (2002): Preemptive Job-Shop Scheduling Using Stopwatch Automata. In: Joost-Pieter Katoen & Perdita Stevens, editors: TACAS, Lecture Notes in Computer Science 2280. Springer-Verlag, pp. 113–126.
[4] Rajeev Alur & David L. Dill (1994): A Theory of Timed Automata. Theor. Comput. Sci. 126(2), pp. 183–235.
[5] Rajeev Alur & Thomas A. Henzinger (1991): Logics and Models of Real Time: A Survey. In: J. W. de Bakker, Cornelis Huizing, Willem P. de Roever & Grzegorz Rozenberg, editors: REX Workshop, Lecture Notes in Computer Science 600. Springer-Verlag, pp. 74–106.
[6] Jiri Barnat, Lubos Brim & Ivana Černá (2005): Cluster-Based LTL Model Checking of Large Systems. In: Frank S. de Boer, Marcello M. Bonsangue, Susanne Graf & Willem P. de Roever, editors: FMCO, Lecture Notes in Computer Science 4111. Springer-Verlag, pp. 259–279.
[7] Johan Bengtsson, Kim Guldstrand Larsen, Fredrik Larsson, Paul Pettersson & Wang Yi (1995): UPPAAL - a Tool Suite for Automatic Verification of Real-Time Systems. In: Rajeev Alur, Thomas A. Henzinger & Eduardo D. Sontag, editors: Hybrid Systems, Lecture Notes in Computer Science 1066. Springer-Verlag, pp. 232–243.
[8] Johan Bengtsson & Wang Yi (2003): Timed Automata: Semantics, Algorithms and Tools. In: Jörg Desel, Wolfgang Reisig & Grzegorz Rozenberg, editors: Lectures on Concurrency and Petri Nets, Lecture Notes in Computer Science 3098. Springer-Verlag, pp. 87–124.
[9] Lionel van den Berg, Paul A. Strooper & Kirsten Winter (2007): Introducing Time in an Industrial Application of Model-Checking. In: Stefan Leue & Pedro Merino, editors: FMICS, Lecture Notes in Computer Science 4916. Springer-Verlag, pp. 56–67.
[10] Lubos Brim (2004): Parallel Model Checking. ERCIM News 2004(58), pp. 35–36.
[11] Edmund M. Clarke, Flavio Lerda & Muralidhar Talupur (2007): An Abstraction Technique for Real-time Verification. In: S. Ramesh & P. Sampath, editors: Next Generation Design and Verification Methodologies for Distributed Embedded Control Systems: Proceedings of the General Motors Research and Development Workshop, Lecture Notes in Computer Science. Springer-Verlag, pp. 1–17.
[12] David L. Dill (1989): Timing Assumptions and Verification of Finite-State Concurrent Systems. In: Joseph Sifakis, editor: Automatic Verification Methods for Finite State Systems, Lecture Notes in Computer Science 407. Springer-Verlag, pp. 197–212.
[13] Bruno Dutertre & Maria Sorea (2004): Modeling and Verification of a Fault-Tolerant Real-Time Startup Protocol Using Calendar Automata. In: Yassine Lakhnech & Sergio Yovine, editors: FORMATS/FTRTFT, Lecture Notes in Computer Science 3253. Springer-Verlag, pp. 199–214.
[14] Thomas A. Henzinger, Zohar Manna & Amir Pnueli (1992): What Good Are Digital Clocks? In: Werner Kuich, editor: ICALP, Lecture Notes in Computer Science 623. Springer-Verlag, pp. 545–558.
[15] Gerard J. Holzmann (1991): Design and Validation of Computer Protocols. Prentice Hall.
[16] Pavel Krčál & Wang Yi (2004): Decidable and Undecidable Problems in Schedulability Analysis Using Timed Automata. In: Kurt Jensen & Andreas Podelski, editors: TACAS, Lecture Notes in Computer Science 2988. Springer-Verlag, pp. 236–250.
[17] Leslie Lamport (2005): Real-Time Model Checking Is Really Simple. In: Dominique Borrione & Wolfgang J. Paul, editors: CHARME, Lecture Notes in Computer Science 3725. Springer-Verlag, pp. 162–175.
[18] Nazia Leyla, Ahmed Mashiyat, Hao Wang & Wendy MacCaull (2009): Workflow Verification with DiVinE. In: Parallel and Distributed Methods in verifiCation, 8th International Workshop, PDMC 2009, Held as Part of the Formal Methods Week 2009, Eindhoven, the Netherlands, November 2-6, 2009. Short paper.
[19] Ken L. McMillan (1992): Symbolic model checking - an approach to the state explosion problem. Ph.D. thesis, Carnegie Mellon University.
[20] Philip M. Merlin (1974): A study of the recoverability of computing systems. Ph.D. thesis, Department of Information and Computer Science, University of California, Irvine, CA.
[21] Keith Miller & Wendy MacCaull (2009): Toward Web-based Careflow Management Systems. Journal of Emerging Technologies in Web Intelligence (JETWI) Special Issue, E-health: Towards System Interoperability through Process Integration and Performance Management. Accepted.
[22] Wojciech Penczek & Agata Półrola (2004): Specification and Model Checking of Temporal Properties in Time Petri Nets and Timed Automata. In: Jordi Cortadella & Wolfgang Reisig, editors: ICATPN, Lecture Notes in Computer Science 3099. Springer-Verlag, pp. 37–76.
[23] John H. Reif (1985): Depth-First Search is Inherently Sequential. Inf. Process. Lett. 20(5), pp. 229–234.
[24] Moshe Y. Vardi & Pierre Wolper (1986): An Automata-Theoretic Approach to Automatic Program Verification (Preliminary Report). In: LICS. IEEE Computer Society, pp. 332–344.
[25] Kees Verstoep, Henri E. Bal, Jiri Barnat & Lubos Brim (2009): Efficient large-scale model checking. In: IPDPS. IEEE, pp. 1–12.
[26] Hao Wang & Wendy MacCaull (2009): Timed Model Checking with Explicit-time Description Methods. Technical Report StFX-CLI-TR-2009-03, Centre for Logic and Information, St. Francis Xavier University.
[27] Hao Wang & Wendy MacCaull (2009): Verifying Real-Time Systems using Explicit-time Description Methods. In: 16th International Symposium on Formal Methods Workshop, Quantitative Formal Methods: Theory and Applications, QFM 2009, Eindhoven, the Netherlands, November 3, 2009.
[28] Sergio Yovine (1997): KRONOS: A Verification Tool for Real-Time Systems. STTT 1(1-2), pp. 123–133.
