Uppaal/DMC- Abstraction-Based Heuristics for Directed Model Checking.
ABSTRACT UPPAAL/DMC is an extension of UPPAAL that provides generic heuris- tics for directed model checking. In this approach, the traversal of the state space is guided by a heuristic function which estimates the distance of a search state to the nearest error state. Our tool combines two recent approaches to design such estimation functions. Both are based on computing an abstraction of the system and using the error distance in this abstraction as the heuristic value. The abstrac- tions, and thus the heuristic functions, are generated fully automatically and do not need any additional user input. UPPAAL/DMC needs less time and memory to find shorter error paths than UPPAAL's standard search methods.
- [show abstract] [hide abstract]
ABSTRACT: The tool Moby/RT supports the design of real-time systems at the levels of requirements, design specications and programs. Requirements are ex- pressed by constraint diagrams (Kleuker, 2000), design specications by PLC-Autom- ata (Dierks, 2000), and programs by Structured Text, a programming language dedi- cated for programmable logic controllers (PLCs), or by programs for LEGO Mindstorm robots. In this paper we outline the theoretical background of Moby/RT by discussing its semantic basis and its use for automatic verication by utilising the model-checkerElectr. Notes Theor. Comput. Sci. 01/2003; 82:346.
- [show abstract] [hide abstract]
ABSTRACT: There is a growing body of work on directed model checking, which improves the falsification of safety properties by providing heuristic functions that can guide the search quickly towards short error paths. Techniques of this kind have also been made very successful in the area of AI Planning. Our main technical contribution is the adaptation of the most successful heuristic function from AI Planning to the model checking context, yielding a new heuristic for directed model checking. The heuristic is based on solving an abstracted problem in every search state. We adapt the abstraction and its solution to networks of communicating automata annotated with (constraints and effects on) integer variables. Since our ultimate goal in this research is to also take into account clock variables, as used in timed automata, our techniques are implemented inside UPPAAL. We run experiments in some toy benchmarks for timed automata, and in two timed automata case studies originating from an industrial project. Compared to both blind search and some previously proposed heuristic functions, we consistently obtain significant, sometimes dramatic, search space reductions, resulting in likewise strong reductions of runtime and memory requirements. This work was partly supported by the German Research Council (DFG) as part of the Transregional Collaborative Research Center “Automatic Verification and Analysis of Complex Systems” (SFB/TR 14 AVACS). See http://www.avacs.org/ for more information.Model checking software : 13th International SPIN Workshop, Springer, 35-52 (2006). 01/2006;
- [show abstract] [hide abstract]
ABSTRACT: We present the explicit state model checker HSF-SPIN which is based on the model checker SPIN and its Promela modeling language. HSF-SPIN incorporates directed search algorithms for checking safety and a large class of LTL-specified liveness properties. We start off from the A* algorithm and define heuristics to accelerate the searchinto the direction of a specified failure situation. Next we propose an improved nested depth-first search algorithm that exploits the structure of Promela Never-Claims. As a result of both improvements, counterexamples will be shorter and the explored part of the state space will be smaller than with classical approaches, allowing to analyze larger state spaces. We evaluate the impact of the new heuristics and algorithms on a set of protocol models, some of which are real-world industrial protocols.Lecture Notes in Computer Science 06/2001; 2057:57-79.
UPPAAL/DMC – Abstraction-Based Heuristics for
Directed Model Checking
Sebastian Kupferschmid1, Klaus Dr¨ ager2, J¨ org Hoffmann3, Bernd Finkbeiner2,
Henning Dierks4, Andreas Podelski1, and Gerd Behrmann5
1University of Freiburg, Germany
2Universit¨ at des Saarlandes, Saarbr¨ ucken, Germany
3Digital Enterprise Research Institute, Innsbruck, Austria
4OFFIS, Oldenburg, Germany
5Aalborg University, Denmark
Abstract. UPPAAL/DMC is an extension of UPPAAL which provides generic
heuristics for directed model checking. In this approach, the traversal of the state
space is guided by a heuristic function which estimates the distance of a search
state to the nearest error state. Our tool combines two recent approaches to design
such estimation functions. Both are based on computing an abstraction of the
system and using the error distance in this abstraction as the heuristic value. The
abstractions, and thus the heuristic functions, are generated fully automatically
and do not need any additional user input. UPPAAL/DMC needs less time and
memory to find shorter error paths than UPPAAL’s standard search methods.
UPPAAL/DMC is a tool that accelerates the detection of error states by using the di-
rected model checkingapproach[4,5]. Directed modelcheckingtackles the state explo-
sion problem by using a heuristic function to influence the order in which the search
states are explored.A heuristic function h is a functionthat maps states to integers, esti-
mating the state’s distance to the nearest error state. The search then gives preferenceto
states with lower h value.There are manydifferentways of doingthe latter,all of which
we consider the wide-spread method called greedy search . There, search nodes are
explored in ascending order of their heuristic values. Our empirical results show that
this can drastically reduce memory consumption, runtime, and error path length.
Our tool combines two recent approaches to design heuristic functions. Both are
based on defining an abstraction of the problem at hand, and taking the heuristic value
to be the length of an abstract solution. It is important to note that both techniques are
fully automatic, i.e., no user intervention is needed to generate the heuristic function.
UPPAAL has a built-in heuristic mode, but the specification of the heuristic is entirely
up to the user. Inventing a useful heuristic is a tedious job: it requires expert knowledge
and a huge amount of time.
O. Grumberg and M. Huth (Eds.): TACAS 2007, LNCS 4424, pp. 679–682, 2007.
c ? Springer-Verlag Berlin Heidelberg 2007
680S. Kupferschmid et al.
The next two sections give a brief overviewof the abstractions used to build our heuris-
tics, and how heuristic values are assigned to search states.
Our first heuristic  adapts a technique from AI Planning,namely ignoring delete lists
. The idea of this abstraction is based on the simplifying assumption that every state
variable, once it obtained a value, keeps that value forever. I.e., the value of a variable
is no longer an element, but a subset of its domain. This subset grows monotonically
over transition applications – hence the name of the abstraction.
When applying the monotonicity abstraction to a system of timed automata, then
each automatonwill (potentially) be in several locations in a state. The system’s integer
variables will have several possible values in a state. So far clocks are not included in
the computation of heuristic values. If we included clocks in the obvious way, every
guard or invariant involving a clock would be immediately satisfied. The reason for this
is that clock value sets quickly subsume all possible time points.
Our heuristic hmaassigns to each state encountered during search a heuristic value
by solving an abstract problem. Such an abstract problem is obtained by applying the
monotonicity abstraction to the current state. The length of a solution found in this ab-
straction is then used as the heuristic estimate forthe state’s distance to the nearest error
state. In a nutshell, an abstract solution is computed by iteratively applying all enabled
transitions to the initial abstract state (the state for which we want to estimate the dis-
tance), until either the enlarged state subsumes an error state, or a fixpoint is reached.
In the former case, an abstract solution can be extracted by backtracking through the
state enlargement steps. In case of reaching a fixpoint, we can exclude this state from
furtherexploration:the monotonicityabstraction inducesan over-approximation,i.e. so
if there is no abstract error path, then there is no real one either.
The second heuristic  aims at a close representation of the process synchronization
required to reach the error. Each process is represented as a finite-state automaton. The
heuristic haaestimates the error distance d(s) of a system state s as the error distance
of the corresponding abstract state α(s) in an abstraction that approximates the full
product of all process automata. The approximation of the product of a set of automata
is computed incrementally by repeatedly selecting two automata from the current set
and replacing them with an abstraction of their product. To avoid state space explosion,
the size of these intermediate abstractions is limited by a preset bound N: to reach a
reduction to N states, the abstraction first merges bisimilar states and then states whose
error distance is already high in the partial product. In this way, the precision of the
heuristic is guaranteed to be high in close proximity to the error, and can, by setting
N, be fine-tuned for states further away from the error. In our experiments, fairly low
values of N, such as N = 100, already significantly speed up the search for the error,
and therefore represent a good trade-off between cost and precision.
UPPAAL/DMC – Abstraction-Based Heuristics 681
We compare the performance of UPPAAL/DMC’s1greedy search and UPPAAL’s ran-
domized depth first search (rDF), which is UPPAAL’s most efficient standard search
method across many examples. The results for rDF in Table 1 are averaged over 10
runs. The Ciexamples stem from an industrial case study called “Single-tracked Line
Segment”  and the Miexamples come from another case study, namely “Mutual Ex-
clusion” . An error state was made reachable by increasing an upper time bound in
The results in Table 1 clearly demonstrate the potential of our heuristics. The heuris-
tic searches consistently find the error paths much faster. Due to the reduced search
space size and memory requirements, they can solve all problems. At the same time,
they find, by orders of magnitude, much shorter error paths in all cases.
Table1.Experimental resultsof UPPAAL’srDFand UPPAAL/DMC’sgreedysearchwithhmaand
haa. The results are computed on an Intel Xeon with 3Ghz and 4GB of RAM. Dashes indicate
out of memory.
runtime in sexplored states
0.9 118341 30742 46337
0.8 102883 18431 42414
1.9 543238 76785 126306
1.8 892327 40147 25206
4.0 8.0e+6 237600 155669 295
14.9– 207845 1.2e+6
14.5 155.3 –
memory in MB
– 2.5G 1.6G
11 1072 169
11 3875 431 190
11 3727 231
14 15K 731 105
19760 109 198
23 1644 125 297
28 2425 393 350
Exp rDF hma
0.25656 127801 74
9 95 191
Other heuristics, proposed by Edelkamp et al. [4,5] in the context of SPIN are based
on graph distances. The underlying abstraction of these heuristics preserves only edges
and locations of an automata system. For an automaton a let d(a) be the distance of a’s
start location to its target location. Then, the hgd
Note that hgd
For example, they completely ignore variables and synchronization. In contrast, the
maxheuristic is defined as maxad(a).
sumheuristic is defined as?
sumare rather crude approximations of the systems semantics.
1Two different versions of UPPAAL/DMC (both Linux executables) are available under
http://www.informatik.uni-freiburg.de/˜kupfersc/uppaal dmc/. One
is optimized for Intel Pentium 4 processors, the other one was compiled with default optimiza-
tion. The page also provides a short description of the used benchmarks, and all used model
and query files.
682S. Kupferschmid et al.
hmaand haaheuristics do not do this. Our approximationsare more costly, i.e. one call
of hmaor haatakes more runtime than one call of hgd
typically pays off: for example, in the case studies shown in Table 1, greedysearch with
sum. The additional effort
ad(a) performs only slightly better than rDF, and much worse than
our heuristics; e.g. it cannot solve any of C6, C7, C8, and C9.
tion refinement life cycle. The basic idea is to use heuristics to address the intermediate
iterations where (spurious) errors still exist. As our results show, this has the potential
to speed up the process and yield shorter,and thus more informativeerrorpaths. Hence,
our technique for error detection will be able to help with actual verification.
This work was partly supported by the German Research Council (DFG) as part of the
Transregional Collaborative Research Center “Automatic Verification and Analysis of
ComplexSystems” (SFB/TR 14AVACS). See http://www.avacs.org/formore
1. Blai Bonet and H´ ector Geffner. Planning as heuristic search. Artificial Intelligence, 129
2. Henning Dierks. Comparing model-checking and logical reasoning for real-time systems.
Formal Aspects of Computing, 16(2):104–120, 2004.
3. Klaus Dr¨ ager, Bernd Finkbeiner, and Andreas Podelski.
distance-preserving abstractions. In Proceedings of the 13th International SPIN Workshop
on Model Checking of Software, 2006.
4. Stefan Edelkamp, Alberto Lluch-Lafuente, and Stefan Leue. Directed explicit model checking
with HSF-Spin. In Proceedings of the 8th International SPIN Workshop on Model Checking
of Software, pages 57–79, 2001.
5. Stefan Edelkamp, Alberto Lluch-Lafuente, and Stefan Leue. Directed explicit-state model
checking in the validation of communication protocols. International Journal on Software
Tools for Technology Transfer, 2004.
6. Bernd Krieg-Br¨ uckner, Jan Peleska, Ernst-R¨ udiger Olderog, and Alexander Baer. The Uni-
ForM Workbench, a universal development environment for formal methods. In FM’99 –
Formal Methods, volume 1709 of LNCS, pages 1186–1205. Springer, 1999.
7. Sebastian Kupferschmid, J¨ org Hoffmann, Henning Dierks, and Gerd Behrmann. Adapting an
AI planning heuristic for directed model checking. In Proceedings of the 13th International
SPIN Workshop on Model Checking of Software, 2006.
8. Judea Pearl. Heuristics: Intelligent search strategies for computer problem solving. Addison-
Directed model checking with