verificationformal-verificationmodel-checkingstate-spaceuppaal

What is the difference between Symbolic and Concrete model checking when the search is bounded in time?


Could someone please spend a few words to explain to someone who does not come from a formal methods background what is the difference between verifying a specification using Symbolic Model Checking and doing the same using Concrete Model Checking, when the search is bounded in time? I am referring to the definition of SMC and Concrete MC made in UPPAAL.

In particular, I wrote a program that uses UPPAAL Java API to verify a query against a network of timed automata. If the query is verified, UPPAAL returns a symbolic trace to parse or something else if it is not. If the verification takes too long I decided to halt the verification process, return a message and move on with the next query to verify. Everything is good so far.

Recently, I have been playing around with UPPAAL Stratego which natively offers the possibility of choosing a maximum time or depth of exploration to bound the search. However, this options can be applied only when the verification is carried out using Concrete Model Checking.

My question is : is there any difference in halting the symbolic verification process, as I am doing in my Java program and what UPPAAL Stratego does natively? In both case I don't get an answer (or a trace) but what about the "reliability" of the exploration?

Which would be better (i.e. more complete) between the two options? Halting the symbolic verification or halting the concrete verification?

My understanding so far is that in Symbolic Model Checking, the possible states are defined by using intervals of variables whilst in Concrete Model Checking variables assume an actual value. My view is that, in terms of "completeness", halting the SMC after some time is more "complete" since the exploration of the state space happens systematically using BFS or DFS algorithm and, if I use BFS, I can be "sure" that within N steps nothing bad happens. But again, my background in model checking is not rich, so I might have get it completely wrong.

Also, if could drop any reference to the strategies, it would be really appreciated.

Thanks!


Solution

  • Symbolic model checking is based on symbolic/mathematical techniques and thus is exhaustive and provides qualitative answers (satisfied or unsatisfied). If model includes some stop-watches, then reachability analysis is over-approximate in UPPAAL (it may say "maybe (un)satisfied"). The symbolic exploration can have various orders, like depth-first-search, breadth-first-search or random-depth-first-search, etc..

    Concrete or statistical model checking is based on simulations and numerical techniques and is used for qualitative properties like performance (probability and quantity distributions). Simulations cannot be exhaustive, they are under-approximations at best and need to be bounded (in time, cost or steps) to ensure termination. The simulations are always (random-)depth-first-search.

    Symbolic model checking does not require bounds, because it can explore the state space exhaustively. If you want to enforce some bounds in symbolic model checking, then you can add some global invariant to your model which will effectively cut the state space at the point where the invatiant is no longer valid. Alternatively, if you concerned with reachability property, then you can add your condition as an extra conjunction term.