

## Slicing for UPPAAL

Claus Thrane, Uffe Sørensen and Kim G. Larsen

NWPT'08

#### **Modeling Real-Time Systems**



## **Communicating FSA**

#### Gate

#### Train





## **Communicating FSA**

Gate

Train



### UPPAAL

|                                                                                                  | \varTheta 🔿 🔿 /Users/us/D                                                                           | Oocuments/Studie/Universite | t/Dat 6/Instantiated Uppaal M    | lodels/train-gate.xml     |
|--------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------|----------------------------------|---------------------------|
|                                                                                                  |                                                                                                     | q R Q > X                   |                                  |                           |
|                                                                                                  |                                                                                                     | Editor                      | Simulator Verifier               |                           |
|                                                                                                  | Drag out                                                                                            | Name: Train1                | Parameters:                      |                           |
|                                                                                                  | <ul> <li>Project</li> <li>Declarations</li> <li>N Train1</li> <li>Train2</li> <li>Train2</li> </ul> | prf                         | )fCrosses++                      |                           |
|                                                                                                  | ▶ ﷺ Train3<br>▶ ﷺ Train4<br>▶ ﷺ Train5<br>▶ ﷺ Gate                                                  | app                         | afe O                            | Cross<br>x<=5             |
|                                                                                                  | UPPSALA<br>UNIVERSITET                                                                              | Apj                         | x > = 10<br>x = 0                | x > = 7<br>x = 0<br>Start |
| UPP                                                                                              | <pre>list[los++] = element;</pre>                                                                   | ×<                          | =20<br>x<=10<br>stop[1]?<br>Stop | (1)?<br>0                 |
| Scall Marth Sale                                                                                 | <pre>len ( list[i] = list[i + 1]; i++;</pre>                                                        |                             | stop                             | 4<br>•<br>•               |
| Copyright 1995-2006 by Uppsala University and Aalbo<br>More Information at http://www.uppaal.com | rg University. All rights reserved.                                                                 |                             |                                  |                           |

### Imperative code















![](_page_9_Figure_2.jpeg)

#### Motivation

Model-checking Timed Automata is PSPACE-Complete

State-space explosion problem

![](_page_10_Figure_3.jpeg)

M1 x M2

![](_page_10_Figure_5.jpeg)

## We propose

Static analysis, specifically slicing can be used on the "hybrid" modeling language of UPPAAL
to improve the tool's performance.

## Slicing

Weiser: "a slice corresponds to the mental abstractions made by people while debugging programs"

Traditionally used for removing irrelevant components during debugging and testing

- Slicing for TA w. simple data Janowska and Janowski
- Used in SPIN and IF (KRONOS) to reduce the syntactic size of models prior to verification

#### System Dependency Graph

[S. Horwitz, T. Reps, and D. Binkley]

![](_page_13_Figure_2.jpeg)

## Dependencies

## Control Dependencies - Control Edges Control Flow Graph Data Dependencies - Data Flow Edges

Reaching (or Use/Def chains)

#### Control-Flow Graph • Explicit and Implicit Control-Flow

![](_page_15_Figure_1.jpeg)

12

# Dependency Graphs Multi Graph - composed of Control Graph Data Flow Graph

![](_page_16_Figure_1.jpeg)

![](_page_16_Figure_2.jpeg)

# Dependency Graphs Multi Graph - composed of Control Graph Data Flow Graph

![](_page_17_Figure_1.jpeg)

![](_page_17_Figure_2.jpeg)

# Dependency Graphs Multi Graph - composed of Control Graph Data Flow Graph

while (a < 42)a = b \* c;if(z > 1). . .

![](_page_18_Figure_2.jpeg)

#### **Example Function Dependency Graph**

- Identify place of relevance
- and irrelevant code
- Inter-procedural slicing [S. Horwitz, T. Reps, and D. Binkley]

int x = 0: int z = 0: int foo(int a, int b) while (a < 42)a = b \* x;if(z > 1)Z--; return a; void bar() z = 42: x = foo(x,z);}

#### **Example Function Dependency Graph**

- Identify place of relevance
- and irrelevant code
- Inter-procedural slicing [S. Horwitz, T. Reps, and D. Binkley]

int x = 0: int z = 0: int foo(int a, int b) while (a < 42)a = b \* x;if(z > 1)Z--; return a; void bar() z = 42: x = foo(x,z);

#### **Example Function Dependency Graph**

- Identify place of relevance
- and irrelevant code
- Inter-procedural slicing [S. Horwitz, T. Reps, and D. Binkley]

![](_page_21_Figure_4.jpeg)

![](_page_22_Figure_0.jpeg)

![](_page_22_Figure_1.jpeg)

![](_page_23_Figure_0.jpeg)

## System Dependency Graph

![](_page_24_Figure_1.jpeg)

## System Dependency Graph

![](_page_25_Figure_1.jpeg)

## **Slicing Extended TA**

- Starts at a point of interest e.g. a location in the TA
- Search backwards in the SDG (marking pp)
  - Computes the fixed-point of dependencies in the ADG
  - Searches backward in the called FDGs
- Delete all un-marked statements.

#### **Conservative Automata slicing**

![](_page_27_Figure_1.jpeg)

![](_page_28_Figure_1.jpeg)

![](_page_29_Figure_1.jpeg)

![](_page_30_Figure_1.jpeg)

![](_page_31_Figure_1.jpeg)

![](_page_32_Figure_1.jpeg)

![](_page_33_Figure_1.jpeg)

![](_page_34_Figure_1.jpeg)

![](_page_35_Figure_1.jpeg)

![](_page_36_Figure_1.jpeg)

![](_page_37_Figure_1.jpeg)

#### **Bisimulation based Correctness**

• Reachability preserving slices (CTL)

**Lemma 1.** If s  $R_{\varphi}$  s' for some  $E \diamond \varphi$ -Bisimulation then:

 $s\models E \diamondsuit \varphi \iff s'\models E \diamondsuit \varphi$ 

**Theorem 1.** The relation  $\simeq \subseteq S \times S'$  is a  $E \diamond \varphi$ -Bisimulation between two structures  $M = (S, \mathcal{I})$  and  $M' = (S', \mathcal{I}')$ .

|                | Mapper Example |         |            |    |    |  |
|----------------|----------------|---------|------------|----|----|--|
| Deadlock free  | VT             | MU      | SS         | NS | NV |  |
| Before Slicing | N/A            | 4GB+    | 85587630 + | 12 | 6  |  |
| After Slicing  | 11.12sec *     | 66572KB | 786391     | 6  | 3  |  |
| After Fix      | VT             | MU      | SS         | NS | NV |  |
| Before Slicing | 0.11sec        | 2862KB  | 2074       | 12 | 6  |  |
| After Slicing  | 0.10sec        | 2852KB  | 199        | 6  | 3  |  |

|                 | Train-Gate Example |        |            |    |    |  |
|-----------------|--------------------|--------|------------|----|----|--|
| Deadlock free   | VT                 | MU     | SS         | NS | NV |  |
| Before Slicing  | N/A                | 4GB+   | 77636326 + | 34 | 14 |  |
| After Slicing   | $0.2 \mathrm{sec}$ | 2848KB | 413        | 28 | 10 |  |
| Train may cross | VT                 | MU     | SS         | NS | NV |  |
| Before Slicing  | 0.11sec            | 2856KB | 14         | 34 | 14 |  |
| After Slicing   | 0.10sec            | 2848KB | 14         | 28 | 10 |  |

|                | Mapper Example |         |            |    |    |  |
|----------------|----------------|---------|------------|----|----|--|
| Deadlock free  | VT             | MU      | SS         | NS | NV |  |
| Before Slicing | N/A            | 4GB+    | 85587630 + | 12 | 6  |  |
| After Slicing  | 11.12sec *     | 66572KB | 786391     | 6  | 3  |  |
| After Fix      | VT             | MU      | SS         | NS | NV |  |
| Before Slicing | 0.11sec        | 2862KB  | 2074       | 12 | 6  |  |
| After Slicing  | 0.10sec        | 2852KB  | 199        | 6  | 3  |  |

|                 | Train-Gate Example |        |            |    |    |  |
|-----------------|--------------------|--------|------------|----|----|--|
| Deadlock free   | VT                 | MU     | SS         | NS | NV |  |
| Before Slicing  | N/A                | 4GB+   | 77636326 + | 34 | 14 |  |
| After Slicing   | $0.2 \mathrm{sec}$ | 2848KB | 413        | 28 | 10 |  |
| Train may cross | VT                 | MU     | SS         | NS | NV |  |
| Before Slicing  | 0.11sec            | 2856KB | 14         | 34 | 14 |  |
| After Slicing   | 0.10sec            | 2848KB | 14         | 28 | 10 |  |

|                | Mapper Example |         |            |    |    |  |
|----------------|----------------|---------|------------|----|----|--|
| Deadlock free  | VT             | MU      | SS         | NS | NV |  |
| Before Slicing | N/A            | 4GB+    | 85587630 + | 12 | 6  |  |
| After Slicing  | 11.12sec *     | 66572KB | 786391     | 6  | 3  |  |
| After Fix      | VT             | MU      | SS         | NS | NV |  |
| Before Slicing | 0.11sec        | 2862KB  | 2074       | 12 | 6  |  |
| After Slicing  | 0.10sec        | 2852KB  | 199        | 6  | 3  |  |

|                 | Train-Gate Example |        |            |    |    |  |
|-----------------|--------------------|--------|------------|----|----|--|
| Deadlock free   | VT                 | MU     | SS         | NS | NV |  |
| Before Slicing  | N/A                | 4GB+   | 77636326 + | 34 | 14 |  |
| After Slicing   | 0.2sec             | 2848KB | 413        | 28 | 10 |  |
| Train may cross | VT                 | MU     | SS         | NS | NV |  |
| Before Slicing  | 0.11sec            | 2856KB | 14         | 34 | 14 |  |
| After Slicing   | 0.10sec            | 2848KB | 14         | 28 | 10 |  |

|                | Mapper Example |         |            |    |    |  |
|----------------|----------------|---------|------------|----|----|--|
| Deadlock free  | VT             | MU      | SS         | NS | NV |  |
| Before Slicing | N/A            | 4GB+    | 85587630 + | 12 | 6  |  |
| After Slicing  | 11.12sec *     | 66572KB | 786391     | 6  | 3  |  |
| After Fix      | VT             | MU      | SS         | NS | NV |  |
| Before Slicing | 0.11sec        | 2862KB  | 2074       | 12 | 6  |  |
| After Slicing  | 0.10sec        | 2852KB  | 199        | 6  | 3  |  |

|                 | Train-Gate Example |        |            |    |    |  |
|-----------------|--------------------|--------|------------|----|----|--|
| Deadlock free   | VT                 | MU     | SS         | NS | NV |  |
| Before Slicing  | N/A                | 4GB+   | 77636326 + | 34 | 14 |  |
| After Slicing   | $0.2 \mathrm{sec}$ | 2848KB | 413        | 28 | 10 |  |
| Train may cross | VT                 | MU     | SS         | NS | NV |  |
| Before Slicing  | 0.11sec            | 2856KB | 14         | 34 | 14 |  |
| After Slicing   | 0.10sec            | 2848KB | 14         | 28 | 10 |  |

|                | Mapper Example |         |            |    |    |  |
|----------------|----------------|---------|------------|----|----|--|
| Deadlock free  | VT             | MU      | SS         | NS | NV |  |
| Before Slicing | N/A            | 4GB+    | 85587630 + | 12 | 6  |  |
| After Slicing  | 11.12sec *     | 66572KB | 786391     | 6  | 3  |  |
| After Fix      | VT             | MU      | SS         | NS | NV |  |
| Before Slicing | 0.11sec        | 2862KB  | 2074       | 12 | 6  |  |
| After Slicing  | 0.10sec        | 2852KB  | 199        | 6  | 3  |  |

|                 | Train-Gate Example |        |            |    |    |  |
|-----------------|--------------------|--------|------------|----|----|--|
| Deadlock free   | VT                 | MU     | SS         | NS | NV |  |
| Before Slicing  | N/A                | 4GB+   | 77636326 + | 34 | 14 |  |
| After Slicing   | $0.2 \mathrm{sec}$ | 2848KB | 413        | 28 | 10 |  |
| Train may cross | VT                 | MU     | SS         | NS | NV |  |
| Before Slicing  | 0.11sec            | 2856KB | 14         | 34 | 14 |  |
| After Slicing   | 0.10sec            | 2848KB | 14         | 28 | 10 |  |

### Conclusion

- Slicing is highly beneficial for UPPAAL
- Conservative reachability preserving algorithm
   Prototype implementation
- Supports iterative Development / Design
- Side-effect: "encourage" new users

## Future

- Further Experiments
- Consolidation of Library (production ready code)
- Complete SSA Form Transformation (C-code)
- Integration in UPPAAL
- Integrate value range propagation (on int vars)
- Visualization of slices in UPPAALs GUI
- Research "Manual" Slicing

## Thank you

- Summary:
  - Applied the SDG for imperative code and TA
  - Proof that slicing preserves (CTL) reachability
  - Prototype implementation
    - Generic static analysis library for Uppaal
  - Future work (highlights)
    - Further empirical studies
    - Consolidation of library code