UPPAAL/DMC – Abstraction-Based Heuristics for
Directed Model Checking
Sebastian Kupferschmid1, Klaus Dr¨ ager2, J¨ org Hoffmann3, Bernd Finkbeiner2,
Henning Dierks4, Andreas Podelski1, and Gerd Behrmann5
1University of Freiburg, Germany
2Universit¨ at des Saarlandes, Saarbr¨ ucken, Germany
3Digital Enterprise Research Institute, Innsbruck, Austria
4OFFIS, Oldenburg, Germany
5Aalborg University, Denmark
Abstract. UPPAAL/DMC is an extension of UPPAAL which provides generic
heuristics for directed model checking. In this approach, the traversal of the state
space is guided by a heuristic function which estimates the distance of a search
state to the nearest error state. Our tool combines two recent approaches to design
such estimation functions. Both are based on computing an abstraction of the
system and using the error distance in this abstraction as the heuristic value. The
abstractions, and thus the heuristic functions, are generated fully automatically
and do not need any additional user input. UPPAAL/DMC needs less time and
memory to find shorter error paths than UPPAAL’s standard search methods.
UPPAAL/DMC is a tool that accelerates the detection of error states by using the di-
rected model checkingapproach[4,5]. Directed modelcheckingtackles the state explo-
sion problem by using a heuristic function to influence the order in which the search
states are explored.A heuristic function h is a functionthat maps states to integers, esti-
mating the state’s distance to the nearest error state. The search then gives preferenceto
states with lower h value.There are manydifferentways of doingthe latter,all of which
we consider the wide-spread method called greedy search . There, search nodes are
explored in ascending order of their heuristic values. Our empirical results show that
this can drastically reduce memory consumption, runtime, and error path length.
Our tool combines two recent approaches to design heuristic functions. Both are
based on defining an abstraction of the problem at hand, and taking the heuristic value
to be the length of an abstract solution. It is important to note that both techniques are
fully automatic, i.e., no user intervention is needed to generate the heuristic function.
UPPAAL has a built-in heuristic mode, but the specification of the heuristic is entirely
up to the user. Inventing a useful heuristic is a tedious job: it requires expert knowledge
and a huge amount of time.
O. Grumberg and M. Huth (Eds.): TACAS 2007, LNCS 4424, pp. 679–682, 2007.
c ? Springer-Verlag Berlin Heidelberg 2007
680S. Kupferschmid et al.
The next two sections give a brief overviewof the abstractions used to build our heuris-
tics, and how heuristic values are assigned to search states.
Our first heuristic  adapts a technique from AI Planning,namely ignoring delete lists
. The idea of this abstraction is based on the simplifying assumption that every state
variable, once it obtained a value, keeps that value forever. I.e., the value of a variable
is no longer an element, but a subset of its domain. This subset grows monotonically
over transition applications – hence the name of the abstraction.
When applying the monotonicity abstraction to a system of timed automata, then
each automatonwill (potentially) be in several locations in a state. The system’s integer
variables will have several possible values in a state. So far clocks are not included in
the computation of heuristic values. If we included clocks in the obvious way, every
guard or invariant involving a clock would be immediately satisfied. The reason for this
is that clock value sets quickly subsume all possible time points.
Our heuristic hmaassigns to each state encountered during search a heuristic value
by solving an abstract problem. Such an abstract problem is obtained by applying the
monotonicity abstraction to the current state. The length of a solution found in this ab-
straction is then used as the heuristic estimate forthe state’s distance to the nearest error
state. In a nutshell, an abstract solution is computed by iteratively applying all enabled
transitions to the initial abstract state (the state for which we want to estimate the dis-
tance), until either the enlarged state subsumes an error state, or a fixpoint is reached.
In the former case, an abstract solution can be extracted by backtracking through the
state enlargement steps. In case of reaching a fixpoint, we can exclude this state from
furtherexploration:the monotonicityabstraction inducesan over-approximation,i.e. so
if there is no abstract error path, then there is no real one either.
The second heuristic  aims at a close representation of the process synchronization
required to reach the error. Each process is represented as a finite-state automaton. The
heuristic haaestimates the error distance d(s) of a system state s as the error distance
of the corresponding abstract state α(s) in an abstraction that approximates the full
product of all process automata. The approximation of the product of a set of automata
is computed incrementally by repeatedly selecting two automata from the current set
and replacing them with an abstraction of their product. To avoid state space explosion,
the size of these intermediate abstractions is limited by a preset bound N: to reach a
reduction to N states, the abstraction first merges bisimilar states and then states whose
error distance is already high in the partial product. In this way, the precision of the
heuristic is guaranteed to be high in close proximity to the error, and can, by setting
N, be fine-tuned for states further away from the error. In our experiments, fairly low
values of N, such as N = 100, already significantly speed up the search for the error,
and therefore represent a good trade-off between cost and precision.
UPPAAL/DMC – Abstraction-Based Heuristics681
We compare the performance of UPPAAL/DMC’s1greedy search and UPPAAL’s ran-
domized depth first search (rDF), which is UPPAAL’s most efficient standard search
method across many examples. The results for rDF in Table 1 are averaged over 10
runs. The Ciexamples stem from an industrial case study called “Single-tracked Line
Segment”  and the Miexamples come from another case study, namely “Mutual Ex-
clusion” . An error state was made reachable by increasing an upper time bound in
The results in Table 1 clearly demonstrate the potential of our heuristics. The heuris-
tic searches consistently find the error paths much faster. Due to the reduced search
space size and memory requirements, they can solve all problems. At the same time,
they find, by orders of magnitude, much shorter error paths in all cases.
Table1.Experimental resultsof UPPAAL’srDFand UPPAAL/DMC’sgreedysearchwithhmaand
haa. The results are computed on an Intel Xeon with 3Ghz and 4GB of RAM. Dashes indicate
out of memory.
runtime in sexplored states
0.9 118341 30742 46337
0.8 102883 18431 42414
1.9 543238 76785 126306
1.8 892327 40147 25206
4.0 8.0e+6 237600 155669 295
memory in MB
– 595 676
– 2.5G 1.6G
11 1072 169
11 3875 431 190
11 3727 231
14 15K 731 105
19 760 109 198
23 1644 125 297
28 2425 393 350
– 1506 672
Exp rDF hma
0.25656 127801 74
Other heuristics, proposed by Edelkamp et al. [4,5] in the context of SPIN are based
on graph distances. The underlying abstraction of these heuristics preserves only edges
and locations of an automata system. For an automaton a let d(a) be the distance of a’s
start location to its target location. Then, the hgd
Note that hgd
For example, they completely ignore variables and synchronization. In contrast, the
maxheuristic is defined as maxad(a).
sumheuristic is defined as?
sumare rather crude approximations of the systems semantics.
1Two different versions of UPPAAL/DMC (both Linux executables) are available under
http://www.informatik.uni-freiburg.de/˜kupfersc/uppaal dmc/. One
is optimized for Intel Pentium 4 processors, the other one was compiled with default optimiza-
tion. The page also provides a short description of the used benchmarks, and all used model
and query files.
682 S. Kupferschmid et al. Download full-text
hmaand haaheuristics do not do this. Our approximationsare more costly, i.e. one call
of hmaor haatakes more runtime than one call of hgd
typically pays off: for example, in the case studies shown in Table 1, greedysearch with
sum. The additional effort
ad(a) performs only slightly better than rDF, and much worse than
our heuristics; e.g. it cannot solve any of C6, C7, C8, and C9.
tion refinement life cycle. The basic idea is to use heuristics to address the intermediate
iterations where (spurious) errors still exist. As our results show, this has the potential
to speed up the process and yield shorter,and thus more informativeerrorpaths. Hence,
our technique for error detection will be able to help with actual verification.
This work was partly supported by the German Research Council (DFG) as part of the
Transregional Collaborative Research Center “Automatic Verification and Analysis of
ComplexSystems” (SFB/TR 14AVACS). See http://www.avacs.org/formore
1. Blai Bonet and H´ ector Geffner. Planning as heuristic search. Artificial Intelligence, 129
2. Henning Dierks. Comparing model-checking and logical reasoning for real-time systems.
Formal Aspects of Computing, 16(2):104–120, 2004.
3. Klaus Dr¨ ager, Bernd Finkbeiner, and Andreas Podelski.
distance-preserving abstractions. In Proceedings of the 13th International SPIN Workshop
on Model Checking of Software, 2006.
4. Stefan Edelkamp, Alberto Lluch-Lafuente, and Stefan Leue. Directed explicit model checking
with HSF-Spin. In Proceedings of the 8th International SPIN Workshop on Model Checking
of Software, pages 57–79, 2001.
5. Stefan Edelkamp, Alberto Lluch-Lafuente, and Stefan Leue. Directed explicit-state model
checking in the validation of communication protocols. International Journal on Software
Tools for Technology Transfer, 2004.
6. Bernd Krieg-Br¨ uckner, Jan Peleska, Ernst-R¨ udiger Olderog, and Alexander Baer. The Uni-
ForM Workbench, a universal development environment for formal methods. In FM’99 –
Formal Methods, volume 1709 of LNCS, pages 1186–1205. Springer, 1999.
7. Sebastian Kupferschmid, J¨ org Hoffmann, Henning Dierks, and Gerd Behrmann. Adapting an
AI planning heuristic for directed model checking. In Proceedings of the 13th International
SPIN Workshop on Model Checking of Software, 2006.
8. Judea Pearl. Heuristics: Intelligent search strategies for computer problem solving. Addison-
Directed model checking with