## Verification of Real Time Systems, CS5270 Guest Lecture

Real-time logic. Graph-theoretic analysis

Stefan Andrei http://www.comp.nus.edu.sg/~andrei

## Overview

- Real-time logic
- Counting true instances
- Incremental verification of the real-time systems specifications

## PART 1. Real-time logic

## References

- Chapter 6 of [Che2002] Cheng, A.M.K.: Real-time systems. Scheduling, Analysis, and Verification. Wiley-Interscience, 2002
- [JaM87] Jahanian, F., Mok, A.: A Graph-Theoretic Approach for Timing Analysis and its Implementation. *IEEE Transactions on Computers.* Vol. C-36, No. 8, 1987
- [RiC99] Rice, L.E.P., Cheng, A.M.K.: Timing Analysis of the X-38 Space Station Crew Return Vehicle Avionics. *Proceedings of the 5-th IEEE-CS Real-Time Technology and Applications Symposium*, pp. 255-264, 1999

## Specification of real-time systems

- Structurally and functionally specification (how the real-time system components work as well as their functions and operations):
  - Mechanical components
  - Electrical components
  - Electronic components
- Behavioral specification
  - Sequences of events in response to actions

Example: real-time anti-lock braking system in an automobile

- Structural-functional specification refers to:
  - Braking system components and sensors
  - How they are interconnected, and
  - How the actions of each component affects the other
  - Example: how to connect the wheel sensors to the central decision-making computer that controls the brake mechanism.
- Behavioral specification refers to:
  - Events and effects
  - Example: when the wheel sensors detect wet road conditions, the decision-making computer will instruct the brake mechanism to pump the brakes at a higher frequency within 100ms.

Timing Constraints

- Behavioral specification without the complexity of the structural specification often suffices;
- We restrict the specification language to handle only timing relations.

## Specification and safety assertion

- An implementation of a real-time system is built from the structural-functional specification;
- An implementation is **correct** (faithful) if
  - the behavioral specification (denoted as SP) implies safety assertions (denoted as SA).
  - In other words, we have to check whether SP →
     SA is a theorem or not.

## Verification of Timing Properties

- In checking  $SP \rightarrow SA$ , we may have the cases:
  - □ (**safe**) *SA* is a theorem derivable from *SP*;
  - (inherently unsafe) SA is unsatisfiable with respect to SP;
  - (safe if additional constraints are added) the negation of SA is satisfiable under certain conditions.

## Event-action model

- [Hen80] Heninger, K.L.: Specifying Software Requirements for Complex Systems: New Techniques and Their Applications. *IEEE Trans. Software Engineering.* vol. SE-6, no. 1 (1980) 2-13
- Heninger captured the data dependency and temporal ordering of computational actions that must be taken in response to events in a real-time application.

Concepts of event-action model

#### Syntax of Actions:

<Action> = <primitiveAction> |

<Action> ; <Action> |

<Action> "||" <Action>

• Examples:

- TRAIN\_APPROACH; DOWN\_GATE is sequential execution of two primitive actions, i.e. a composite action;
- DOWN\_GATE || RING\_BELL is parallel execution of two primitive actions, i.e., a composite action;

#### State predicate: Event x Time → Bool

Example: GATE\_IS\_DOWN is true if the gate is in the down position

## Concepts of event-action model (cont)

#### Event

- External: *APPLY\_BRAKE*
- □ Start: the start of *DOWN\_GATE*
- □ Stop: the end of *DOWN\_GATE*
- Transition: GATE\_IS\_DOWN becomes true when gate is moved down.
- Timing constraint (absolute timing of system events)
  - Example: the timing difference between the start and the end of DOWN\_GATE may take at least 15 seconds.

## Real-Time Logic (RTL)

- Motivation: event-action model cannot be easily manipulated by a computer ([JaM87]);
- RTL = first-order logic with special features to capture the (absolute) timing requirements;
- RTL is based on the event-action model;
- @:: Event x Occurrence → Time, where Occurrence=Nat-{0} and Time=Nat.
- Semantics:
  - $\square$  @(e, i) = t means the *i*-th occurrence of event e occurs at time t.
  - □ ∀e∈Event, ∀i∈Occurrence, @(e,i) < @(e,i+1) if @(e,i+1) is defined.</p>

## Real-Time Logic (cont)

#### Three types of RTL constants:

- Actions: a subaction B<sub>i</sub> of a composite action A is denoted by A.B<sub>i</sub>
- Events constants are temporal markers
  - External Events: Ωevent-name
  - Start Events: *fevent-name*
  - Stop Events: *↓event-name*
  - Transition Events: change in certain attributes of the system state;
- Integers: used for timing constraints.

Example of a real-time system: railroad crossing

- Structural-functional specification:
  - Field measurements, mechanical characteristics of the train, train sensor, gate controller, gate;
- The goal of gate controller: when train is crossing the intersection, no car is on the intersection;
- Simplified goal (safety assertion): when train is crossing, the gate is in the down position.

## Behavioral Specification (English)

- When train approaches sensor, a signal will initiate the lowering of gate, and
- Gate is moved to down position within 30s
   from being detected by the sensor, and
- The gate needs at least 15s to lower itself to the down position.

## Safety Assertion (English)

#### lf 🛛

- train needs at least 45s to travel from sensor to the railroad crossing, and
- the train crossing is completed within 60s from being detected by sensor,

#### then

- we are assured that at the start of the train crossing, gate has moved down and
- that the train leaves the railroad crossing within 45s from the time the gate has completed moving down.

## Railroad crossing (animation)



Behavioral Specification (RTL)

- ∀x ( @(TrainApproach, x) ≤ @(↑DownGate, x) ∧ @(↓DownGate, x) ≤ @(TrainApproach, x) + 30
   )
- ∀y ( @(↑DownGate, y) + 15 ≤ @(↓DownGate, y)
   )

## Safety Assertion (RTL)

#### *▶* ∀t ∀u (

 $(TrainApproach, t) + 45 \le @(\uparrow TrainCrossing, u) \land$  $@(\downarrow TrainCrossing, u) < @(TrainApproach, t) + 60 \rightarrow$  $@(\uparrow TrainCrossing, u) \ge @(\downarrow DownGate, t) \land$  $@(\downarrow TrainCrossing, u) \le @(\downarrow DownGate, t) + 45$ 

In a simplified version, we can consider u = t

## Presburger Arithmetic Formulae

- Is built from constraints using:  $\Lambda$ , v,  $\neg$ ,  $\forall$ ,  $\exists$ , (, )
- A constraint is a series of expression lists, connected with: =, !=, <, ≤, >, ≥
- If var is a variable, int is an integer, and e, e<sub>1</sub>, e<sub>2</sub> are expressions, then var, int, e, int e, e<sub>1</sub>+e<sub>2</sub>, e<sub>1</sub>e<sub>2</sub>, int\*e<sub>2</sub>, -e and (e) are expressions;
- Each @(e,i) is replaced by a function f<sub>e</sub>(i), where e is an event and i is an integer or an variable.

Presburger Arithmetic Formulae

Specification (SP)  $\Box \forall x (f(x) \le g_1(x) \land g_2(x) \le f(x) + 30)$  $\Box \forall y (g_1(y) + 15 \le g_2(y))$ Safety Assertion (SA)  $\Box \forall t \forall u ($  $f(t) + 45 \le h_1(u) \land h_2(u) \le f(t) + 60 \rightarrow$  $g_2(t) \le h_1(u) \land h_2(u) \le g_2(t) + 45$ 

## Restricted RTL formulas

- The problem SP → SA is in general undecidable for the full set of RTL formulas.
- [JaM87] motivated that RTL formulas of many realtime systems:
  - Consist in arithmetic inequalities involving two terms and an integer constant in which a term is either a variable or a function (difference constraints).
  - Do not contain arithmetic expressions that have a function taking an instance of itself as an argument.
  - [WaM94] Wang, F., Mok, A. K.: RTL and Refutation by Positive Cycles. *Proceedings of Formal Methods Europe Symposium*, 873, Lecture Notes in Computer Science, pp. 659-680, 1994.

## The path-RTL formulas [JaM87, WaM94]

- The general form of path-RTL formulas: functionOccurrence ± integerConstant ≤ functionOccurrence
- Industrial real-time systems:
  - Railroad crossing [JaM87], [JaS88], [Che2002]
  - Moveable control rods in a reactor [JaM87]
  - Boeing 777 Integrated Airplane Information Management System [MTR96]
  - X-38, an autonomous spacecraft build by NASA [RiC99]

## References

- This kind of Presburger Formulas was studied in many papers, such as:
  - [Pug94] Pugh, W.: Counting Solutions to Presburger Formulas: How and Why. *PLDI'94. ACM SIGPLAN* 94-6/94 (1994) 121-134
  - [LLP97] Larsen, K.G., Larsson, F., Pettersson, P., Yi, W.: Efficient Verification of Real-Time Systems: Compact Data Structure and State-Space Reduction. *IEEE RTSS'97, CS Press* (1997) 14-24
  - [Min2001] Miné, A.: A New Numerical Abstract Domain Based on Difference-Bound Matrices.
     Program as Data Objects II. LNCS 2053 (2001) 155-172

Behavioral Specification implies Safety Assertions

 SP → SA is tautology iff ¬(SP → SA) is unsatisfiable;

$$\neg (SP \rightarrow SA) \equiv \neg (\neg SP \lor SA) \equiv SP \land \neg SA$$

• Therefore,  $SP \rightarrow SA$  is tautology iff  $SP \land \neg$ SA is unsatisfiable.

## Clausal Form

Specification (SP):  $\Box \forall x \forall y (f(x) \le g_1(x) \land g_2(x) - 30 \le f(x) \land$  $g_1(y) + 15 \le g_2(y)$ Negation of Safety Assertions (¬SA):  $\exists t \exists u (f(t) + 45 \le h_1(u) \land h_2(u) \le f(t) + 60 \land$  $(h_1(u) < g_2(t) \lor g_2(t) + 45 < h_2(u)));$ • Skolem normal form of RTL formulas [T/t][U/u]:  $f(T) + 45 \le h_1(U) \land h_2(U) - 59 \le f(T) \land$  $(h_1(U) + 1 \le g_2(T) \lor g_2(T) + 46 \le h_2(U))$ 

## [JaM87] Strategy

- *F* the initial RTL Formula;
- *F*′ the corresponding Presburger Formula;
- F'' the Clausal Formula corresponding to SP  $\land \neg SA$ , that is:  $C_1 \land C_2 \land \ldots \land C_n$ , where  $C_i = L_{i,1} \lor L_{i,2} \lor \ldots \lor L_{i,n}$  and each  $L_{i,j}$  has the general form:  $v_1 \pm I \leq v_2$ , I being a positive integer constant.

## Constraint Graph Construction

- For each literal v<sub>1</sub> ± I ≤ v<sub>2</sub>, we construct a node labeled v<sub>1</sub>, a node labeled v<sub>2</sub>, and an edge <v<sub>1</sub>, v<sub>2</sub>> with weight ±I from node v<sub>1</sub> to node v<sub>2</sub>;
- If the constraint graph contains a cycle with positive weight, then F" is unsatisfiable.



Positive cycles lead to unsatisfiability

- Let  $X_{i,1}, X_{i,2}, ..., X_{i,n^i}$  the *i*-th positive cycle. The sum of weights of edges is positive, so  $P_i = X_{i,1}$  $\wedge X_{i,2} \wedge ... \wedge X_{i,n^i}$  is unsatisfiable ([JaM87]); therefore,  $\neg P_i$  is tautology;
- Therefore, F" is (un)satisfiable iff F" ∧ {¬P<sub>i</sub>| for all positive cycle i} is (un)satisfiable;

## Railroad Crossing Satisfiability

$$A = f(x) \le g_1(x)$$
  

$$B = g_2(x) - 30 \le f(x)$$
  

$$C = g_1(y) + 15 \le g_2(y)$$
  

$$D = f(T) + 45 \le h_1(U)$$
  

$$E = h_2(U) - 59 \le f(T)$$
  

$$F = h_1(U) + 1 \le g_2(T)$$
  

$$G = g_2(T) + 46 \le h_2(U)$$
  

$$F'' \text{ has the positive clauses: } A, B, C, D, E, F \lor G$$

# Positive cycles lead to unsatisfiability (cont)

- A positive/negative clause contains only positive/negative literals (for example, F v G is a positive clause, whereas ¬B v ¬D v ¬F is a negative clause);
- F" contains positive clauses corresponding to all edges, and negative clauses corresponding to a positive cycle;
- The CNF satisfiability is NP-complete even if each clause is positive or negative ([JaM87]).

## Railroad Crossing Satisfiability (cont)

Three positive cycles in the constraint graph imply that *F*" has the negative clauses:

$$\Box \neg B \lor \neg D \lor \neg F$$

$$\Box \neg F \lor \neg G \lor \neg E \lor \neg D$$

$$\Box \neg A \lor \neg C \lor \neg G \lor \neg E$$

## Search tree

- The Resolution Method works for F", but it is not so efficient;
- More efficient, [JaM87] transformed the set of negative clauses from conjunctive normal form into disjunctive normal form;
- This corresponds to a tree, where each leaf will be checked to at least one positive clause or by itself;
- By considering the negation of unitary clauses as early as possible, the strategy of building the tree can be improved even more.

## Search tree for Railroad Crossing



- $F'' = A \land B \land C \land D \land E \land (F \lor G) \land (\neg B \lor \neg D \lor \neg F) \land (\neg F \lor \neg G \lor \neg E \lor \neg D) \land (\neg A \lor \neg C \lor \neg G \lor \neg E)$
- F'' is unsatisfiable, so  $SP \rightarrow SA$  is tautology;

#### Conclusions of Part 1

- So far, the presentation was based on [JaM87] and [Che2002];
- We discuss another strategy based on counting the number of true instances of F". This will tell us how "far away" is the current specification from satisfying the safety assertion;
- The addition of a new positive cycle may result from a modification of the specification and/or safety assertions. This is useful for incremental debugging, in which bugs in problematic areas are fixed one at a time until the system is correct.
- Special thanks to Professor Albert M. K. CHENG.

#### PART 2. Counting true instances

#### Counting true instances

- [Iwa89] Iwana, K.: CNF Satisfiability Test by Counting and Polynomial Average Time. Siam J. Comput. 18, No. 2 (1989) 385-391
- [Dub91] Dubois, O.: Counting the number of solutions for instances of satisfiability. *Theoretical Computer Science*. 81 (1991) 49-64
- [Tan91] Tanaka, Y.: A dual algorithm for the satisfiability problem. *Information Processing Letters* 37 (1991) 85-89
- [And95] Andrei, S.: The Determinant of the Boolean Formulae, Analele Universitatii Bucuresti, Informatica (1995) 83-92
- [And99] Andrei, S.: Weak Equivalence in Propositional Calculus. Proceedings of European Summer School on Logic, Language and Information, pp.79-89, Universiteit Utrecht, August 1999

#### Notations ([And95])

- *F*|<sub>V</sub>={*C*<sub>1</sub>,...,*C*<sub>I</sub>} a clausal formula over *V*={*A*<sub>1</sub>,...,*A*<sub>n</sub>}.
  Example: *F*|<sub>V</sub>={*C*<sub>1</sub>, *C*<sub>2</sub>, *C*<sub>3</sub>, *C*<sub>4</sub>}, *V*={*p*,*q*,*r*}, where *C*<sub>1</sub>={*p*, ¬*r*}, *C*<sub>2</sub>={¬*q*, *r*}, *C*<sub>3</sub>={*q*, ¬*r*}, *C*<sub>4</sub>={¬*p*, *q*, *r*}.
  If *C*<sub>1</sub>',...,*C*<sub>s</sub>' ∈ *F*|<sub>V</sub> and s ≤ *I*, then:
  - $m(C_1, ..., C_s)$  = number of atomic formulae from *V* which do not occur in  $C_1, ..., C_s$ . For example:  $m(C_1)=1, m(C_2)=1, m(C_3)=1, m(C_4)=0, m(C_1, C_2)=0, m(C_1, C_3)=0, m(C_1, C_4)=0$ , etc.

#### Dual Resolution Theorem ([And95])

# dif(C<sub>1</sub>',...,C<sub>s</sub>')= 0 if ∃ i, j ∈ {1,...,s}, i ≠ j, ∃L literal such that L ∈ C<sub>i</sub>' and ¬L ∈ C<sub>j</sub>' 2<sup>m(C1',...,Cs')</sup> otherwise

- Example:  $dif(C_1)=2$ ,  $dif(C_2)=2$ ,  $dif(C_3)=2$ ,  $dif(C_4)=1$ ,  $dif(C_1, C_2)=0$ ,  $dif(C_1, C_3)=1$ ,  $dif(C_1, C_4)=0$ , etc.
- $det(F|_V)=2^n \sum_{s=1}^{I} (-1)^{s+1*} \sum_{1 \le i1 \le ... \le is \le I} dif(C_1', ..., C_s')$  is called the **determinant** of  $F|_V$  ([And95]).
- **Theorem.**  $F|_V$  has  $det(F|_V)$  truth assignments. So,  $F|_V$  is satisfiable iff  $det(F|_V) \neq 0$ .
- Example: det(F|<sub>V</sub>)=2<sup>3</sup>-(2+2+2+1-1)=2, so F|<sub>V</sub> is satisfiable having 2 truth assignments.

#### Ordered labelled standard tree

- A node in OLST is labelled with the clause  $C_{i,k}$  and  $dif(C_{i,1}, ..., C_{i,k})$ , where  $C_{i,1}, ..., C_{i,k}$  is the sequence of nodes from the root  $C_{i,1}$  to the current node  $C_{i,k}$
- The total number of nodes is 2<sup>'</sup>.

#### Ordered labelled standard tree (cont)



- The total number of nodes is  $2^4$ =16 (there are 4 clauses).
- $det(F|_V) = 2^3 (2 + 2 + 2 + 1) + (0 + 1 + 0 + 0 + 0) (0 + 0 + 0 + 0) + 0 = 2.$

## Ordered labelled reduced tree (cont)

• If  $dif(C_1', ..., C_s') = 0$  then  $dif(C_1', ..., C_s', C_{s+1}') = 0$ .



- The nodes labelled with *dif(...)=0* need not be generated!
- Now, the total number of nodes is 6.
- $det(F|_V)=2^3-(1+2+2+2)+(1)=2.$

# PART 3. Incremental verification of the real-time systems specifications

Our Incremental Approach for Systematic Debugging [AnC04]

Input: SP, SA such that  $\neg SA$  is satisfiable;

Output:  $SP_{new}$ ,  $SA_{new}$  such that the system is safe; Method:

1. 
$$k = 1$$
;  $SP_1 = SP$ ;  $SA_1 = SA$ ;  
2. while  $(SP_k \rightarrow SA_k)$  is not a tautology)  
3. let  $SP_{new}$  and  $SA_{new}$  be new constraints  
4.  $SP_{k+1} = SP_k \oplus SP_{new}$ ;  
5.  $SA_{k+1} = SA_k \oplus SA_{new}$ ;  
6.  $k = k + 1$ ; }  
7.  $SP_{new} = SP_k$ ;  $SA_{new} = SA_k$ ;

#### Past Work [AnC04]

- The satisfiability of  $SP_{k+1} \rightarrow SA_{k+1}$  is expressed incrementally from the satisfiability of  $SP_k \rightarrow SA_k$
- The **manual** debugging from step 3 is correlated with the satisfiability of  $SP_k \rightarrow SA_k$
- We use #SAT problem rather than SAT problem:
  - □ To know how "far away" is *SP* from satisfying *SA*;
  - The modification of SP and/or SA is useful for incremental debugging, in which bugs are fixed one at a time until the system is correct.
- Andrei, S., Chin, W.-N.: Incremental Satisfiability Counting for Real-Time Systems. *The 10<sup>th</sup> IEEE Real-Time and Embedded Technology and Applications Symposium (<u>RTAS'04</u>)*, Toronto, Canada, 25 May – 28 May, 482-489, 2004

#### Past Work [ACCL05]

- The debugging from step 3 is done **systematically**, not manually.
- Since the industrial real-time systems may have large specifications, it is impracticable for the designer to find the proper missing or wrong constraints.
- Efficient Java implementation of systematic debugging (<u>http://www.comp.nus.edu.sg/~andrei/SDRTL/</u>). Examples of realtime systems have also been successfully tested by SDRTL.
- We simulated a real-life scenario, supposing that the designer may forget to include some constraints or may give some incorrect constraints.
- Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Systematic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. *The* 11<sup>th</sup> IEEE Real-Time and Embedded Technology and Applications Symposium (<u>RTAS'05</u>), San Francisco, United States, 7 March - 10 March, 10 pages, 2005

#### Re-design of Railroad Example

- We consider new events and new constraints.
- We add to SP:
  - (English) A car needs at most 10 seconds to cross the railroad;
  - □ (RTL) @( $\downarrow$ CarCrossing, z) 10 ≤ @( $\uparrow$ CarCrossing, z)
- We add to SA:
  - (English) If the train starts to cross the railroad crossing, there is no car crossing in the last 5 seconds;
  - $\square (RTL) @((CarCrossing, v) + 5 \le @((TrainCrossing, u)))$

Re-design of Railroad Example -Presburger Arithmetic Formulas

```
SP₁:
   \Box \forall x (f(x) \le g_1(x) \land g_2(x) \le f(x) + 30)
   \Box \forall y (g_1(y) + 15 \le g_2(y))
   \Box \forall Z (\eta_2(Z) - 10 \le \eta_1(Z))
■ SA<sub>1</sub>:
   \Box \forall t \forall u \forall v (
           f(t) + 45 \le h_1(u) \land h_2(u) \le f(t) + 60 \rightarrow
           g_2(t) \le h_1(u) \land h_2(u) \le g_2(t) + 45 \land \eta_2(v) + 5 \le h_1(u)
```

### Re-design of Railroad Example – Clausal Form

■ *SP*<sub>1</sub>:

- $\forall x \forall y \forall z (f(x) \le g_1(x) \land g_2(x) 30 \le f(x) \land g_1(y) + 15 \le g_2(y) \land \eta_2(z) 10 \le \eta_1(z) )$
- Negation of Safety Assertions ( $\neg SA_1$ ):
  - $f(T) + 45 \le h_1(U) \land h_2(U) 59 \le f(T) \land$  $(h_1(U) + 1 \le g_2(T) \lor g_2(T) + 46 \le h_2(U) \lor h_1(U) - 4 \le \eta_2(V))$



#### Re-design of Railroad Crossing – PF<sub>1</sub>

#### Literals:

- $\ \ \, \square \ \, A=f(x)\leq g_1(x), \ B=g_2(x)-30\leq f(x), \ C=g_1(y)+15\leq g_2(y),$
- $\Box \ D = f(T) + 45 \le h_1(U), \ E = h_2(U) 59 \le f(T),$
- $\square \ F = h_1(U) + 1 \le g_2(T), \ G = g_2(T) + 46 \le h_2(U),$

 $\square \ H = \eta_2(z) - 10 \le \eta_1(z), \ I = h_1(U) - 4 \le \eta_2(V)$ 

- PF<sub>1</sub> has the positive clauses: A, B, C, D, E, H, F v G v I
- $PF_1$  has the negative clauses:
  - □ ¬*B v* ¬*D v* ¬*F*
  - $\Box \neg F \lor \neg G \lor \neg E \lor \neg D$

$$\neg A \lor \neg C \lor \neg G \lor \neg E$$

#### Re-design of Railroad Crossing – Satisfiability

- We get  $det(PF_1) = 3 > 0$ , hence  $PF_1$  is satisfiable;
- So, the real-time system may be unsafe;
- Is it necessary to have at least one more positive cycle containing *H* and *I*;
- Going back to  $SA_1$ , we add:
  - (English) If the gate starts to go down, then no car will start to cross the railroad
  - □ (RTL) @( $^CarCrossing, v$ )  $\leq$  @( $^DownGate, t$ )
  - (Presburger)  $\eta_1(v) \le g_1(t)$



#### Re-design of Railroad Crossing – PF<sub>2</sub>

- Literals:
  - $\ \ \, \square \ \ \, A=f(x)\leq g_1(x), \ B=g_2(x)-30\leq f(x), \ C=g_1(y)+15\leq g_2(y),$
  - $\square D = f(T) + 45 \le h_1(U), E = h_2(U) 59 \le f(T), F = h_1(U) + 1 \le g_2(T),$

$$\Box \quad G = g_2(T) + 46 \le h_2(U), \ H = \eta_2(z) - 10 \le \eta_1(z),$$

- $\Box \ I = h_1(U) 4 \le \eta_2(V), \ J = \eta_1(V) \le g_1(T)$
- PF<sub>2</sub> has the positive clauses: A, B, C, D, E, H, J, F v G v I
- $PF_2$  has the negative clauses:
  - □ ¬*B* ∨ ¬*D* ∨ ¬*F*
  - $\Box \neg F \lor \neg G \lor \neg E \lor \neg D$
  - □ ¬A v ¬C v ¬G v ¬E
  - $\Box \neg I \lor \neg H \lor \neg J \lor \neg C \lor \neg B \lor \neg D$

#### Incremental #SAT

- Problem: Knowing the number of true instances of PF, what is the number of true instances of PFu{C}, for any arbitrary clause C?
- Incremental computation: we use  $det_V(PF_1)$  to get  $det_V(PF_2)$ , without recomputing the common parts of  $PF_1$  and  $PF_2$

#### The Increment of a Clausal Formula

- **Definition:** Given  $PF = \{C_1, ..., C_j\}$  over V and C an arbitrary clause, then  $inc_V(C, PF) = \sum_{s=0}^{l} (-1)^{s+1} \cdot \sum_{1 \le i1 \le ... \le l} dif_V(C, C_{i1}, ..., C_{is})$ is called the **increment** of *PF* with *C* over *V*.
- inc<sub>V</sub>(C, PF) is represented as an ordered labeled reduced clausal incremental tree: CIT<sub>red</sub>(C,PF).

The Incremental Splitting of the Clausal Tree



#### Incremental Computing is Optimal

- **Theorem:** Let  $PF = \{C_1, \dots, C_k\}$  be a clausal formula and  $PF' = \{C_{l+1}, \dots, C_{l+k}\}$ . Then:
  - $\Box \ det_{V}(PF \ \cup \ PF') = det_{V}(PF) + inc_{V}(C_{l+1}, \ PF) + inc_{V}(C_{l+2}, \ PF \cup \{C_{l+1}\}) + ... + inc_{V}(C_{l+k}, \ PF \ \cup \{C_{l+1}, ..., \ C_{l+k-1}\})$
  - □  $N'=N+N_{l+1}+...+N_{l+k}$ , where N', N,  $N_{l+1}$ , ...,  $N_{l+k}$  are the number of nodes of the reduced clausal trees of  $det_V(PF \cup PF')$ ,  $det_V(PF)$ ,  $inc_V(C_{l+1}, PF)$ , ...,  $inc_V(C_{l+k}, PF \cup \{C_{l+1}, ..., C_{l+k-1}\})$ .
- Incremental computing is optimal.

#### Properties of $det_V(PF)$ and $inc_V(C,PF)$

- Let  $PF = \{C_1, ..., C_l\}$  be a clausal formula over V. Then:
  - If A is an atomic variable, A∉V, then inc<sub>VU{A}</sub>({A}, PF) = inc<sub>VU{A}</sub>({¬A}, PF) = -det<sub>V</sub>(PF);
  - If V' is an alphabet such that V⊆V' and C an arbitrary clause over V, then det<sub>V</sub>(PF)=2<sup>|V'|-|V|</sup> det<sub>V</sub>(PF) and inc<sub>V</sub>(C,PF)=2<sup>|V'|-|V|</sup> inc<sub>V</sub>(C,PF).

Satisfiability of the Railroad Crossing

- PF<sub>1</sub> = {{A}, {B}, {C}, {D}, {E}, {H}, {F,G,I}, {¬B,¬D,¬F}, {¬ F,¬G,¬E,¬D}, {¬A,¬C,¬G,¬E} over V<sub>1</sub> = {A, B, C, D, E, F, G, H, I}
- $PF_2 = PF_1 \cup \{\{J\}, \{\neg I, \neg H, \neg J, \neg C, \neg B, \neg D\}\}$  over  $V_2 = V_1 \cup \{J\}$
- $det_{V2}(PF_2) = det_{V2}(PF_1) + inc_{V2}(\{J\}, PF_1) + inc_{V2}(\{\neg I, \neg H, \neg J, \neg C, \neg B, \neg D\}, PF_1 \cup \{\{J\}\}) =$ 
  - $= 2 * det_{V1}(PF_1) det_{V1}(PF_1) 3 = 3 3 = 0$
- The real-time system is safe now!

#### Experimental results

#### Denote

- $CT_{red}(F \cup \{C_{l+1}\} \cup \{C_{l+2}\})$  by  $CT_{red}^{new}$
- $CIT_{red}(C_{l+1},F)$  by  $CIT_{red}^{1}$
- $CIT_{red}(C_{l+2}, FU\{C_{l+1}\})$  by  $CIT_{red}^{2}$
- n the number of variables, I the number of clauses

|           | $CT_{red}^{new}$ |        | $CT_{red}(F)$ |        | $CIT^{1}_{red}$ |        | $CIT_{red}^2$ |        |
|-----------|------------------|--------|---------------|--------|-----------------|--------|---------------|--------|
| (n,l)     | Number           | Time   | Number        | Time   | Number          | Time   | Number        | Time   |
|           | of nodes         | (sec.) | of nodes      | (sec.) | of nodes        | (sec.) | of nodes      | (sec.) |
| (10, 20)  | 28831            | 0.16   | 12655         | 0.06   | 1760            | 0.01   | 14416         | 0.05   |
| (15, 25)  | 70255            | 0.37   | 17799         | 0.13   | 17800           | 0.11   | 34656         | 0.21   |
| (20, 40)  | 136714           | 3.32   | 99671         | 2.48   | 19832           | 0.39   | 17211         | 0.41   |
| (25, 45)  | 78468            | 2.18   | 49800         | 1.50   | 6258            | 0.16   | 22410         | 0.71   |
| (30, 60)  | 178531           | 7.70   | 141663        | 6.03   | 12700           | 0.83   | 24168         | 1.28   |
| (40, 75)  | 150693           | 11.64  | 111837        | 8.77   | 13667           | 1.42   | 25189         | 2.19   |
| (50, 100) | 312276           | 39.26  | 268790        | 33.57  | 3701            | 0.67   | 39785         | 5.66   |

#### Related Work: Incremental Approaches

- An incremental positive cycle detection algorithm [MTR96] is also based on the constraint-graph technique and uses an algorithm for single source with positive weight in the graph.
- An incremental algorithm for model checking using transition systems in the alternation-free fragment of the modal µ-calculus was presented in [SoS94].
- Instead, our incremental approach is applied to propositional formulas.

#### History of SAT and #SAT problems

| <ul> <li>The SAT problem</li> <li>[Cook, 1971]</li> </ul>               | <ul> <li>The #SAT problem</li> <li>[Valiant, 1979]</li> </ul>                           |
|-------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
| <ul> <li>The incremental SAT problem</li> <li>[Hooker, 1993]</li> </ul> | <ul> <li>The incremental<br/>#SAT problem</li> <li>[Andrei &amp; Chin, 2004]</li> </ul> |

### Automatic Debugging [ACCL06]

- Motivation: The embedding and the integration of our debugger in autonomous systems where the specifications must meet timing constraints, but without human interaction.
- The idea is to consider in advance all the necessary information such as the designer's guidance.
- Efficient Java implementation for automatic debugging.
- [ACCL06] Andrei, S., Chin, W.-N., Cheng, A.M.K., Lupu, M.: Automatic Debugging of Real-Time Systems based on Incremental Satisfiability Counting. *IEEE Transaction on Computers*, vol. 55(7), pp. 830-842 (2006) Selected as July issue's Feature Article for 'hot' topic and fast publication.

#### Optimization of Specifications[AnC06']

- Motivation: After verifying SP -> SA, and the system implementing SP is deployed, performance changes as a result of power-saving, faulty components, and cost-saving in the processing platform for the tasks specified in SP.
- This leads to a different but related *SP*.
- It is desirable to determine an optimal SP with the slowest possible computation times for its tasks such that SA holds.
- The idea: relax SP and tighten SA such that SP -> SA is still a theorem.
- [AnC06'] Andrei, S., Cheng, A.M.K.: Optimization of Real-Time Systems Timing Specifications. *Proceedings of the 12th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (<u>RTCSA 2006</u>), 7 pages, IEEE Computer Society, Sydney, August 16-18, 2006*

#### Extension of Path-RTL [AnC06"]

 We shall present an extension of the path RTL class by allowing inequalities like

 $\forall i @(e_1, i) + @(e_2, i) \le k$ 

and

 $\forall i @(e_1, i) + @(e_2, i) \ge k$ 

to be part of the specification.

- Obviously, equalities like ∀i @(e<sub>1</sub>, i) + @(e<sub>2</sub>, i) = k may be also part of the extended path RTL specification.
- Then a new and fast algorithm based on a translation to an extended constraint graph is described, too.
- [AnC06''] Stefan Andrei, Albert M.K. Cheng: Faster Verification of RTL-Specified Systems via Decomposition and Constraint Extension, *Real-Time Systems Symposium (RTSS'06)*, December 5-8, 2006, Rio de Janeiro, 10 pages

#### Divide and Conquer [AnC06"]

- For real-time systems with large specifications, there is a lot of room for improvement in the algorithms used for verification and debugging.
- There is a need of an efficient method to perform verification and debugging of real-time systems specifications using decomposition techniques.
- The idea is to decompose the constraint graph, used in existing approaches, into independent sub-graphs so that it is no longer necessary to analyze the entire specification at once, but rather its individual and smaller components.
- Efficient implementation of this method in the Javabased tool and tested it on several industrial realtime systems.

#### Future Work

- Identify new subclasses of timing formulae for which the satisfiability problem is decidable:
  - by considering a non-unit scalar integer, e.g.,
     ± a \* @(X, i) ± b \* @(Y, j) ≤ c
  - by considering more than two variables, e.g.,
  - $\pm @(X, i) \pm @(Y, j) \pm @(Z, k) \le c$

#### Summary

- Real-time logic
- Counting true instances
- Incremental verification of the real-time systems specifications

#### Thank you for your attention!

#### Questions?