Re-Using the State-Space

In chapter 5 a technique that re-uses the generated state-space to speed up verication. This approach would obviously suer bad performance due to swapping as well. There are other reasons as well for traversing PAST or WAIT without e deallocating them. In chapter 5 we discussed the possibility to dynamically adjust the size of the hash table used. This would Involve a traversal of the structures and rehashing them. The same reasoning that was used to nd a better deallocation order of states may be used here as well since it is not the deallocation that is time consuming but rather the badly distributed accesses to the pages containing the symbolic states. The same thing will occur for any traversal of the state-space with bad locality if swapping is involved. Measurements on the speed-up in verication time of multiple properties are presented in [LPY00].

Conclusions and Future Work

7.1 Conclusions

During the work of implementing ^Uppaal many discussions and decisions arises that are worth paying extra attention to. We summarise a few of the most important here.

One of the most important conclusions is that today's techniques and technology allow us to build tools that are capable of handling industrial-sized case-studies. In order to fully utilise the new possibilities that now arises a more important problem for the future seems to be of educational and pedagogical nature. How can we incorporate formal methods in the development cycle of real-time systems?

Another very important conclusion is that there is a quite huge gap between the formal notation used when reasoning in logic and the available constructs in the implementation language. A relatively simple mathematic expression may require very complex code in the implementation language. An example is the reduction ofDBMs discussed in chapter 4 that would require us to replace the memory manager used in the operating system to get results that corresponds to the theoretically computed measures. To summarise it is important to choose appropriate algorithms and data structures but at least as important to implement them in a correct way in the programming language.

Complex Modelling Language vs Primitive

When developing a modelling language one often gets into discussions about what to incorpo-rate in the modelling language and what to provide as external translators. Data variables and the operations performed on them may be modelled as automata with states and transitions but the users would nd it inconvenient. Data variables are very useful to incorporate in the language but we could still provide them and translate them to automata before verifying the model. However, it is more ecient to support data variables even in the verier and get rid

of states, transitions and synchronisations which are more dicult to deal with eciently.

On the other hand, we choose to support other constructs such as complex data types and hierarchical design of components externally and translate them to plain timed automata.

The reason is that these constructs are too complex to handle in the verier at least as long as compositional techniques that utilise the hierarchical design in the verication process are developed.

The issue of a complex user-friendly expressive modelling language versus a more primitive language easy to verify eciently must be carefully considered. What shall be supported in the language? What shall be supported in the verier? What shall be supported using external translators? We may make an analogy with compilers for high-level languages and byte code.

While high-level languages are more user-friendly and allow the programmer/designer to express more easily what shall be performed they would not be ecient to interpret and execute directly. Instead the program is compiled to some primitive language which is ecient to execute but not useful to write programs and develop models in.

We believe that the approach of translation to a more primitive language works well. It is then also possible to support many dierent modelling languages as long as their semantics is expressible with timed automata.

Time and Space - Not Only a Trade-o

It is often claimed that there is a trade-o between time and space utilisation. One may save computation time by use of more space to save intermediate results or save space by recomputing partial results instead of storing them. While this is true for applications with a small or medium memory consumption things are dierent when the memory consumption is huge, and swapping is involved. It is almost always the case that an optimisation that saves space also leads to a gain in verication time.

Static or Dynamic Analysis of the Model

It is well worth the eort of spending time and space on static analysis to be able to speed up verication. Even though static analysis of a dynamic behaviour does not give the most accurate information its time and space consumption is negligible compared to the verication time. Examples of this is the pre-processing of the network, described in chapter 3, to sort the transitions and build the data structures used by the

sync

predicate and the test for transitions with urgent channels. Another example worth mentioning is the depth-rst search to nd loop entry states described in chapter 5.

Even Small Optimisations Pay O

The major part of the execution time of^Uppaal is spent during verication on operations on symbolic states, either during state-space traversals or computation of successor states.

These operations are called at least one time for every symbolic state generated. Even if these operations consumes very little time one by one they are called so many times that a small speed-up of such an operation will increase the performance quite noticeably. Therefore even small optimisations pay o. Five or six optimisations that reduce the verication time about 10% each will together cut down the verication time by a factor of two.

Imposing Restrictions

Improvements in performance may be achieved if dynamic memory allocation is kept to a minimum. It is better to impose restrictions on how many components that can be veried, how many clocks may a DBM contain, how large may domains of data variables be, etc.

In chapter 4 we studied the result of compressing the discrete part of a symbolic state. By restricting the number of reachable states the tool can handle we were able to use the built-in data types and operators in the implementation language more eciently. We might loose the possibility of verifying all possible timed automata, which we cannot do anyway, but we obtain good performance for many examples. One way of achieving the goal of ecient mapping to static data types and still keep generality would be to use partial evaluation and given a model and set of properties produce a verier optimised for exactly that model and set of properties.

In document Efficient Implementation of Model-Checkers for Networks of TimedAutomata (Page 85-89)