Alpine Verification Meeting 2024

### Abstraction-based model checking for real-time software-intensive system models

Dóra Cziborová







Critical Systems Research Group

# **Model checking**





# **Model checking**





# Model checking – system models





# Model checking – formal models



- Intermediate formalisms:
  - High-level language constructs
  - More **expressive** than low-level formal models
  - Easier mapping from system models
- The XSTS formalism eXtended
   Symbolic Transition System



### **Model checking – abstraction**





#### Steps to verify timed software-intensive models

- I. An **intermediate formalism** is required
  - Existing formalism: timed automata
  - Extending the **XSTS** formalism by **timing**
- II. Supporting the **verification of timed XSTS models** 
  - Usual challenges of timed verification
  - Challenges specific to the timed XSTS formalism



### **The XSTS formalism**

#### Simple statechart model



#### **XSTS representation**

```
type State : {Q}
ctrl var state : State = Q
var x : integer = 0
var y : integer = 0
```

```
trans {
    if (state == Q) {
        choice {
            havoc x;
        } or {
            y := x + 1;
        }
    }
}
```





Assumption

assume y > x;















| Assumption            | Assignment                     | Non-deterministic<br>assignment |
|-----------------------|--------------------------------|---------------------------------|
| assume y > x;         | y := x + 1;                    | havoc x;                        |
| Conditional operation | Non-deterministic<br>operation |                                 |
| if (x > 0) {          | choice {                       |                                 |
| <br>} else {          | <br>} or {                     |                                 |
| }                     | <br>} or {<br>                 |                                 |



| Assumption            | Assignment                  | Non-deterministic<br>assignment |
|-----------------------|-----------------------------|---------------------------------|
| assume y > x;         | y := x + 1;                 | havoc x;                        |
| Conditional operation | Non-deterministic operation | Counting loop                   |
| if $(x > 0)$ {        | choice {                    | for i from 0 to x do {          |
| <br>} else {          | <br>} or {                  | }                               |
| }                     | <br>} or {<br>              |                                 |



• XSTS extended by **clock variables** and **clock operations** 



• XSTS extended by **clock variables** and **clock operations** 

Clock set / reset

c := 500;



• XSTS extended by **clock variables** and **clock operations** 





XSTS extended by clock variables and clock operations













































#### 1<sup>st</sup> approach: transformation of TXSTS to XSTS

- Clocks to rational variables
- Clock operations to data operations





#### 1<sup>st</sup> approach: transformation of TXSTS to XSTS

- Clocks to rational variables
- Clock operations to data operations





### 1<sup>st</sup> approach: transformation of TXSTS to XSTS

- Clocks to rational variables
- Clock operations to data operations



- Existing algorithms can be used without modification
- Efficient time abstraction techniques cannot be used



- Existing abstraction-based techniques: lazy abstraction, CEGAR
- Building on **combined abstraction** 
  - Lazy abstraction for timing, CEGAR for data



- Existing abstraction-based techniques: lazy abstraction, CEGAR
- Building on **combined abstraction** 
  - Lazy abstraction for timing, CEGAR for data







- Existing abstraction-based techniques: lazy abstraction, CEGAR
- Building on **combined abstraction** 
  - Lazy abstraction for timing, CEGAR for data





- Existing abstraction-based techniques: lazy abstraction, CEGAR
- Building on **combined abstraction** 
  - Lazy abstraction for timing, CEGAR for data

Existing algorithms presume that the results of operations can be computed individually for timing and data



- Existing abstraction-based techniques: **lazy abstraction**, **CEGAR**
- Building on **combined abstraction** 
  - Lazy abstraction for timing, CEGAR for data

Existing algorithms presume that the results of operations can be computed individually for timing and data

A problematic example, with data variable x and clock variable c
 if ((x == 0 && c > 500) || (x == 1 && c < 400))</li>
 { ... }



- Existing abstraction-based techniques: **lazy abstraction**, **CEGAR**
- Building on **combined abstraction** 
  - Lazy abstraction for timing, CEGAR for data

Existing algorithms presume that the results of operations can be computed individually for timing and data

- A problematic example, with data variable x and clock variable c
   if ((x == 0 && c > 500) || (x == 1 && c < 400))
   { ... }</pre>
- Solution: control flow splitting



































Boolean vars + constraints: satisfying assignment ↔ control flow

if (b1) { assume x == 0; assume x == 0 && c < 5; if (x == 0 && c < 5) { assume c < 5; x := x + 1;x := x + 1;} } else { if (b2) { c := 0; assume !(x == 0) || !(c < 5); } c := 0; } **Constraints:** • b1 xor b2













![](_page_51_Figure_2.jpeg)

![](_page_51_Picture_3.jpeg)

Boolean vars + constraints: satisfying assignment ↔ control flow

if (b1) { assume x == 0; if (x == 0 && c < 5) { assume c < 5; x := x + 1;x := x + 1;} else { c := 0; if (b2) { } if (b3) { assume !(x == 0); **Constraints:** } • b1 xor b2 if (b4) { • b2  $\Rightarrow$ assume !(c < 5);(¬b3∧b4)∨(b3∧¬b4) •  $\neg b2 \Rightarrow \neg b3$ c := 0; •  $\neg b2 \Rightarrow \neg b4$ 

![](_page_52_Picture_3.jpeg)

## Example – control flow with an SMT solver

```
assume x == 0;
if (x == 0 \&\& c < 5) {
                                assume c < 5;
  x := x + 1;
                                x := x + 1;
} else {
    c := 0;
                           if (b2) { b2 = true
}
                                if (b3) { b3 = true
                                    assume !(x == 0);
                                                              Constraints:
                                }
                                                              • b1 xor b2
                                if (b4) { b4 = false
                                                              • b2 ⇒
                                    assume !(c < 5);
                                                                 (\neg b3 \land b4) \lor (b3 \land \neg b4)
                                                              • \neg b2 \Rightarrow \neg b3
                                c := 0;
                                                              • \neg b2 \Rightarrow \neg b4
```

![](_page_53_Picture_3.jpeg)

# Example – control flow with an SMT solver

```
assume x == 0;
if (x == 0 \&\& c < 5) {
                              assume c < 5;
  x := x + 1;
                              x := x + 1;
} else {
   c := 0;
                          if (b2) { b2 = true
}
                              if (b3) { b3 = true
                                  assume !(x == 0);
                                                           Constraints:
                              }
                                                           • b1 xor b2
                              if (b4) { b4 = false
                                                           • b2 ⇒
                                  assume !(c < 5);</pre>
     assume !(x == 0);
                                                              (¬b3∧b4)∨(b3∧¬b4)
     c := 0;
                                                           • \neg b2 \Rightarrow \neg b3
                              c := 0;
                                                            • \neg b2 \Rightarrow \neg b4
```

![](_page_54_Picture_3.jpeg)

# Example – control flow with an SMT solver

```
assume x == 0;
if (x == 0 \&\& c < 5) {
                               assume c < 5;
  x := x + 1;
                               x := x + 1;
} else {
   c := 0;
                          if (b2) { b2 = true
}
                               if (b3) { b3 = true
     assume x == 0;
                                   assume !(x == 0);
                                                            Constraints:
     assume c < 5;
                               }
                                                            • b1 xor b2
     x := x + 1;
                               if (b4) { b4 = false
                                                            • b2 ⇒
                                   assume !(c < 5);
     assume !(x == 0);
                                                               (¬b3∧b4)∨(b3∧¬b4)
     c := 0;
                                                            • \neg b2 \Rightarrow \neg b3
                               c := 0;
     assume !(c < 5);
                                                            • \neg b2 \Rightarrow \neg b4
     c := 0;
                                                                                   itsra
                                          18
```

# Preliminary evaluation of the approaches

- Implemented in the **Theta** open source verification framework
- Two TXSTS models from Gamma engineering models:
  - Example model demonstrating the capabilities of Gamma: crossroad
  - Industrial case study: model of a **safety-critical railway protocol**
- 30 reachability properties, analyzed in two ways:
  - Reachability of a given state
  - Timed reachability: reachability of given state under a given time limit

![](_page_56_Picture_8.jpeg)

# Preliminary evaluation of the approaches

- 3 CPU cores, time limit of 20 minutes, memory limit of 15 GB
- Best configurations of both approaches compared: number of verified properties, with mean CPU time

| Approach                                         | Verified properties with time limit of 20 minutes |                        |
|--------------------------------------------------|---------------------------------------------------|------------------------|
|                                                  | Reachability                                      | Timed reachability     |
| Time $\rightarrow$ data transformation           | 30/30 (100%)<br>7.48 s                            | 12/30 (40%)<br>2.26 s  |
| Combined abstraction with control flow splitting | 30/30 (100%)<br>11.09 s                           | 18/30 (60%)<br>40.99 s |

- **Reachability**: same success rate, **time→data transf.** is faster
- Timed reachability: control flow splitting is more successful

![](_page_58_Figure_0.jpeg)

![](_page_58_Picture_1.jpeg)