Abstractions for timed automata B. Srivathsan Chennai Mathematical - - PowerPoint PPT Presentation

Abstractions for timed automata

• B. Srivathsan

Chennai Mathematical Institute Joint work with

• F. Herbreteau, I. Walukiewicz (LaBRI, Bordeaux)

1/35

Reachability for timed automata Observation 1 Observation 2

2/35

Timed Automata

(y ≤ 3) (x < 1) (y < 1) (x < 4) (x > 6) {y} {y} q0 q1 q3 q2

Run: finite sequence of transitions

q0 q1 0.4 q3 0.9 0.5

0.4 0.5

x y

◮ accepting if ends in green state

3/35

Reachability problem

Given a TA, does it have an accepting run

(y ≤ 3) (x < 1) (y < 1) (x < 4) (x > 6) {y} {y} q0 q1 q3 q2

Theorem [Alur, Dill’90] This problem is PSPACE-complete

4/35

Is accepting state reachable?

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1

5/35

Is accepting state reachable? No

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1

5/35

Is accepting state reachable? No

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1

Exhibit a proof for unreachability

5/35

Is accepting state reachable? No No acc. state

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1

Exhibit a proof for unreachability

5/35

Is accepting state reachable? No No acc. state

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1

Exhibit a proof for unreachability

5/35

Is accepting state reachable? No

x ≥ y

No acc. state

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1

Exhibit a proof for unreachability

5/35

Is accepting state reachable? No

x ≥ y

No acc. state Inconsistent!

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1

Exhibit a proof for unreachability

5/35

Goal of this talk

Computing short proofs for (un)-reachability

6/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y 7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y 7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y q0, x − y = 0 7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y q0, x − y = 0 q1, x − y = 0 7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y q0, x − y = 0 q1, x − y = 0 7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y q0, x − y = 0 q1, x − y = 0 7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y

···

q0, x − y = 0 q1, x − y = 0 q1, x − y = 1

. . .

7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y

···

q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106

. . .

7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y

···

q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106

× . . .

7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y

···

x y

···

q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q3, x − y = 1 q4, x − y = 0 ∧ y ≥ 5 q4, x − y = 1 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106 q5, x − y = 1 ∧ x ≥ 106

× × × . . . . . . . . . . . .

7/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y

···

x y

···

q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q3, x − y = 1 q4, x − y = 0 ∧ y ≥ 5 q4, x − y = 1 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106 q5, x − y = 1 ∧ x ≥ 106

× × × . . . . . . . . . . . .

Zone Graph

7/35

Zones and zone graph

◮ Zone: set of valuations defined by conjunctions of constraints:

x ∼ c x − y ∼ c e.g. (x − y ≥ 1) ∧ (y < 2)

◮ Representation: by DBM [Dill’89]

Sound and complete [Daws, Tripakis’98] Zone graph preserves state reachability

8/35

Zones and zone graph

◮ Zone: set of valuations defined by conjunctions of constraints:

x ∼ c x − y ∼ c e.g. (x − y ≥ 1) ∧ (y < 2)

◮ Representation: by DBM [Dill’89]

Sound and complete [Daws, Tripakis’98] Zone graph preserves state reachability

But zone graph could be infinite!

8/35

Coming next: Finite abstractions of the zone graph

9/35

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

10/35

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 q0 , 10/35

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 q0 ,

a(Z0)

10/35

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 q0 ,

× ×

a(Z0)

10/35

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 W1 Z1 q0 , q1 ,

× ×

a(Z0)

10/35

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 W1 Z1 q0 , q1 ,

× ×

a(Z0) a(W1)

10/35

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 W1 Z1 W2 Z2 W3 Z3 q0 , q1 , q2 , q3 ,

× × ×

a(Z0) a(W1)

10/35

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 W1 Z1 W2 Z2 W3 Z3 q0 , q1 , q2 , q3 ,

× × ×

a(Z0) a(W1) a(W2) a(W3)

10/35

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 W1 Z1 W2 Z2 W3 Z3 q0 , q1 , q2 , q3 ,

× × ×

a(Z0) a(W1) a(W2) a(W3) Question: How do we choose these abstraction functions?

10/35

Condition 1: Abstractions should have finite range Condition 2: Abstractions should be sound ⇒ a(W) can contain

• nly valuations simulated by W

a(W) W v

g1 R1 g2 R2 g3 R3 g4 R4 g

5

R

5

v′

g

1

R

1

g2 R2 g3 R3 g4 R4 g5 R5

q

,

11/35

Condition 1: Abstractions should have finite range Condition 2: Abstractions should be sound ⇒ a(W) can contain

• nly valuations simulated by W

a(W) W v

g1 R1 g2 R2 g3 R3 g4 R4 g

5

R

5

v′

g

1

R

1

g2 R2 g3 R3 g4 R4 g5 R5

q

, Coming next: Simulation relations

11/35

(q,v) (q,v′)

12/35

(q,v) (q,v′)

• is simulated by

12/35

(q,v) (q,v′)

• is simulated by

g R

(q1,v1)

12/35

(q,v) (q,v′)

• is simulated by

g R

(q1,v1)

g R

(q1,v′

1)

12/35

(q,v) (q,v′)

• is simulated by

g R

(q1,v1)

g R

(q1,v′

1)

• 12/35

(q,v) (q,v′)

• is simulated by

g R

(q1,v1)

g R

(q1,v′

1)

• q1

q2 q3 q4 x ≥ 1 y ≤ 3 y ≥ 2 x ≤ 3

12/35

(q,v) (q,v′)

• is simulated by

g R

(q1,v1)

g R

(q1,v′

1)

• q1

q2 q3 q4 x ≥ 1 y ≤ 3 y ≥ 2 x ≤ 3 (q1,〈x = 0.5,y = 2.1〉)

12/35

(q,v) (q,v′)

• is simulated by

g R

(q1,v1)

g R

(q1,v′

1)

• q1

q2 q3 q4 x ≥ 1 y ≤ 3 y ≥ 2 x ≤ 3 (q1,〈x = 0.5,y = 2.1〉) (q1,〈x = 0.5,y = 2.9〉)

12/35

(q,v) (q,v′)

• is simulated by

g R

(q1,v1)

g R

(q1,v′

1)

• q1

q2 q3 q4 x ≥ 1 y ≤ 3 y ≥ 2 x ≤ 3 (q1,〈x = 0.5,y = 2.1〉) (q1,〈x = 0.5,y = 2.9〉)

• 12/35

(q,v) (q,v′)

• is simulated by

g R

(q1,v1)

g R

(q1,v′

1)

• q1

q2 q3 q4 x ≥ 1 y ≤ 3 y ≥ 2 x ≤ 3 (q1,〈x = 0.5,y = 2.1〉) (q1,〈x = 0.5,y = 2.9〉)

• (q1,〈x = 0.5,y = 2.1〉)

(q1,〈x = 0.5,y = 1〉)

• 12/35

Abstractions from simulations

a(W) W v

g1 R1 g2 R2 g3 R3 g4 R4 g

5

R

5

v′

g

1

R

1

g2 R2 g3 R3 g4 R4 g5 R5

q

,

13/35

Abstractions from simulations

a(W) W v

g1 R1 g2 R2 g3 R3 g4 R4 g

5

R

5

v′

g

1

R

1

g2 R2 g3 R3 g4 R4 g5 R5

q

,

◮ a(W) = aq(W) :

{ v | exists v′ ∈ W s.t.

(q,v) (q,v′) }

13/35

Standard algorithm: covering tree

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ^ a(W3) ⊆ a(W1)?

14/35

Standard algorithm: covering tree

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ^ a(W3) ⊆ a(W1)?

Coarser the abstraction, smaller the abstracted graph

14/35

Condition 1: Abstractions should have finite range Condition 2: Abstractions should be sound ⇒ a(W) can contain

• nly valuations simulated by W

a(W) W v

g1 R1 g2 R2 g3 R3 g4 R4 g

5

R

5

v′

g

1

R

1

g2 R2 g3 R3 g4 R4 g5 R5

q

,

15/35

Condition 1: Abstractions should have finite range Condition 2: Abstractions should be sound ⇒ a(W) can contain

• nly valuations simulated by W

a(W) W v

g1 R1 g2 R2 g3 R3 g4 R4 g

5

R

5

v′

g

1

R

1

g2 R2 g3 R3 g4 R4 g5 R5

q

,

Why not add all valuations simulated by W?

15/35

Theorem [Laroussinie, Schnoebelen’00]

Deciding coarsest simulation relation for a given automaton is EXPTIME-hard

(y ≤ 3) (x < 1) (y < 1) (x < 4) (x > 6) {y} {y}

s0 s1 s3 s2

16/35

Theorem [Laroussinie, Schnoebelen’00]

Deciding coarsest simulation relation for a given automaton is EXPTIME-hard

(y ≤ 3) (x < 1) (y < 1) (x < 4) (x > 6)

16/35

Theorem [Laroussinie, Schnoebelen’00]

Deciding coarsest simulation relation for a given automaton is EXPTIME-hard

M-bounds [Alur, Dill’90] M(x) = 6, M(y) = 3 v M v′

(y ≤ 3) (x < 1) (y < 1) (x < 4) (x > 6)

16/35

Theorem [Laroussinie, Schnoebelen’00]

Deciding coarsest simulation relation for a given automaton is EXPTIME-hard

M-bounds [Alur, Dill’90] M(x) = 6, M(y) = 3 v M v′ LU-bounds Behrmann et al’06 L(x) = 6, L(y) = −∞ U(x) = 4, U(y) = 3 v LU v′

(y ≤ 3) (x < 1) (y < 1) (x < 4) (x > 6)

16/35

Abstractions in literature [Behrmann, Bouyer, Larsen, Pelanek’06]

aLU ClosureM (M) (LU)

17/35

Abstractions in literature [Behrmann, Bouyer, Larsen, Pelanek’06]

Non-convex

aLU ClosureM (M) (LU)

17/35

Abstractions in literature [Behrmann, Bouyer, Larsen, Pelanek’06]

Non-convex Convex

aLU ClosureM Extra+

M

Extra+

LU

ExtraLU ExtraM (M) (LU) Only convex abstractions used in implementations!

17/35

Getting LU-bounds

Smaller the LU bounds, bigger is the abstraction

18/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 19/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1

bounds by Static analysis

[Behrmann, Bouyer, Fleury, Larsen’03] 19/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1

bounds by Static analysis

[Behrmann, Bouyer, Fleury, Larsen’03] −∞ 19/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1

bounds by Static analysis

[Behrmann, Bouyer, Fleury, Larsen’03] −∞ 106 19/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1

bounds by Static analysis

[Behrmann, Bouyer, Fleury, Larsen’03] −∞ 106 U(x) = 1 19/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1

bounds by Static analysis

[Behrmann, Bouyer, Fleury, Larsen’03] −∞ 106 U(x) = 1 L(x) = 106,U(x) = 1 19/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1

bounds by Static analysis

[Behrmann, Bouyer, Fleury, Larsen’03] −∞ 106 U(x) = 1 L(x) = 106,U(x) = 1 L(x) = 106,U(x) = 1 L(y) = 5,U(y) = 1 19/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y 106

bounds by Static analysis

[Behrmann, Bouyer, Fleury, Larsen’03] −∞ 106 U(x) = 1 L(x) = 106,U(x) = 1 L(x) = 106,U(x) = 1 L(y) = 5,U(y) = 1 q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q1, x > 106 q2, true q3, x − y = 0 q3, x − y = 1 q3, x > 106 q4, true q5, x > 1

× × × . . . . . .

19/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 x y 106

bounds by Static analysis

[Behrmann, Bouyer, Fleury, Larsen’03]

Zone graph + ExtraLU+ +

−∞ 106 U(x) = 1 L(x) = 106,U(x) = 1 L(x) = 106,U(x) = 1 L(y) = 5,U(y) = 1 q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q1, x > 106 q2, true q3, x − y = 0 q3, x − y = 1 q3, x > 106 q4, true q5, x > 1

× × × . . . . . .

19/35

Reachability for timed automata

Standard algorithm: covering tree Convex abstractions Bounds by static analysis

Observation 1 Observation 2

20/35

Reachability for timed automata

Standard algorithm: covering tree Convex abstractions Bounds by static analysis

Observation 1

Non-convex abstractions

Observation 2

20/35

Step 1: We can use abstractions without storing them

21/35

Using non-convex abstractions

Standard algorithm: covering tree

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ∧ a(W3) ⊆ a(W1)?

22/35

Using non-convex abstractions

Pick simulation based a

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ∧ a(W3) ⊆ a(W1)?

22/35

Using non-convex abstractions

Pick simulation based a

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ∧ a(W3) ⊆ a(W1)?

22/35

Using non-convex abstractions

Pick simulation based a

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ∧ a(W3) ⊆ a(W1)?

22/35

Using non-convex abstractions

Pick simulation based a

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ∧ a(W3) ⊆ a(W1)?

• 22/35

Using non-convex abstractions

Pick simulation based a

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ∧ a(W3) ⊆ a(W1)?

• 22/35

Using non-convex abstractions

Pick simulation based a

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 Z1 Z2 Z3 Z4 Z5 a(Z0) a(Z1) a(Z2) a(Z3) a(Z4) a(Z5)

q3 = q1 ∧ a(Z3) ⊆ a(Z1)?

22/35

Using non-convex abstractions

Need to store only concrete semantics

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 Z1 Z2 Z3 Z4 Z5

q3 = q1 ∧ a(Z3) ⊆ a(Z1)?

22/35

Using non-convex abstractions

Use Z ⊆ a(Z′) for termination

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 Z1 Z2 Z3 Z4 Z5

q3 = q1 ∧ Z3 ⊆ a(Z1)?

22/35

Step 1: We can use abstractions without storing them Step 2: We can do the inclusion test efficiently

23/35

Efficient inclusion testing

Main result Z ⊆ aLU(Z′) if and only if there exist 2 clocks x,y s.t. Projxy(Z) ⊆ aLU(Projxy(Z′))

24/35

Efficient inclusion testing

Main result Z ⊆ aLU(Z′) if and only if there exist 2 clocks x,y s.t. Projxy(Z) ⊆ aLU(Projxy(Z′)) Complexity: (|X|2), where X is the set of clocks

24/35

Efficient inclusion testing

Main result Z ⊆ aLU(Z′) if and only if there exist 2 clocks x,y s.t. Projxy(Z) ⊆ aLU(Projxy(Z′)) Complexity: (|X|2), where X is the set of clocks Same complexity as Z ⊆ Z′!

24/35

Efficient inclusion testing

Main result Z ⊆ aLU(Z′) if and only if there exist 2 clocks x,y s.t. Projxy(Z) ⊆ aLU(Projxy(Z′)) Complexity: (|X|2), where X is the set of clocks Same complexity as Z ⊆ Z′! Slightly modified comparison works!

24/35

Step 1: We can use abstractions without storing them Step 2: We can do the inclusion test efficiently ⇒ new algorithm for reachability

25/35

Non-convex Convex

aLU ClosureM Extra+

M

Extra+

LU

ExtraLU ExtraM (M) (LU)

26/35

Non-convex Convex

aLU ClosureM Extra+

M

Extra+

LU

ExtraLU ExtraM (M) (LU) Question: Can we do better than aLU?

26/35

Optimality

LU-automata: automata with guards determined by L and U Theorem The aLU abstraction is the coarsest abstraction that is sound and complete for all LU-automata.

27/35

Reachability for timed automata

Standard algorithm: covering tree Convex abstractions Bounds by static analysis

Observation 1

Non-convex abstractions Optimality

Observation 2

28/35

Reachability for timed automata

Standard algorithm: covering tree Convex abstractions Bounds by static analysis

Observation 1

Non-convex abstractions Optimality

Observation 2

Better LU-bounds

28/35

Reachability for timed automata

Standard algorithm: covering tree Convex abstractions Bounds by static analysis

Observation 1

Non-convex abstractions Optimality

Observation 2

Better LU-bounds Smaller the LU-bounds, bigger is the aLU abstraction

28/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 29/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ q0, x − y = 0 29/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ q0, x − y = 0 q1, x − y = 0 29/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ q0, x − y = 0 q1, x − y = 0 q2, x − y = 0 ∧ x ≥ 106 29/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 29/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 29/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106

No disabled edge ⇒ all states seen ⇒ no need for bounds!

29/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ −∞ q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0

No disabled edge ⇒ all states seen ⇒ no need for bounds!

29/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ −∞ −∞ q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q4, x − y = 0 ∧ y ≥ 5

No disabled edge ⇒ all states seen ⇒ no need for bounds!

29/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ −∞ −∞ −∞ q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q4, x − y = 0 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106

No disabled edge ⇒ all states seen ⇒ no need for bounds!

29/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ −∞ −∞ −∞ q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q4, x − y = 0 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106 ×

No disabled edge ⇒ all states seen ⇒ no need for bounds!

29/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ −∞ −∞ −∞ q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q4, x − y = 0 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106 ×

No disabled edge ⇒ all states seen ⇒ no need for bounds! What to do when a disabled edge is seen?

29/35

q0 q1 q2 q3 q4

x ≥ 5 y ≥ 5 y > 100 w ≤ 2

(q0,x = y = w ≥ 0) (q1,x = y = w ≥ 5) (q2,x = y = w ≥ 5) (q3,x = y = w > 100)

w ≤ 2

L(x) = 5, U(w) = 2

30/35

q0 q1 q2 q3 q4

x ≥ 5 y ≥ 5 y > 100 w ≤ 2

(q0,x = y = w ≥ 0) (q1,x = y = w ≥ 5) (q2,x = y = w ≥ 5) (q3,x = y = w > 100)

w ≤ 2 x ≥ 5 is responsible

L(x) = 5, U(w) = 2

30/35

(q0,Z0 (q1,Z1) (qn−2,Zn−2) (qn−1,Zn−1) (qn,Zn)

g1 gn−1 gn gn+1

. . .

31/35

(q0,Z0 (q1,Z1) (qn−2,Zn−2) (qn−1,Zn−1) (qn,Zn)

g1 gn−1 gn gn+1

. . .

LnUn φn := aLnUn(Zn) gn+1 is disabled from φn

31/35

(q0,Z0 (q1,Z1) (qn−2,Zn−2) (qn−1,Zn−1) (qn,Zn)

g1 gn−1 gn gn+1

. . .

LnUn φn := aLnUn(Zn) gn+1 is disabled from φn Ln−1Un−1 φn−1 := aLn−1Un−1(Zn−1) if Zn−1 ⊆ φn, don’t take gn

31/35

(q0,Z0 (q1,Z1) (qn−2,Zn−2) (qn−1,Zn−1) (qn,Zn)

g1 gn−1 gn gn+1

. . .

LnUn φn := aLnUn(Zn) gn+1 is disabled from φn Ln−1Un−1 φn−1 := aLn−1Un−1(Zn−1) if Zn−1 ⊆ φn, don’t take gn Ln−2Un−2 φn−1 := aLn−2Un−2(Zn−2) if Zn−2 ⊆ φn−1, don’t take gn−1 L1U1 φ1 := aL1U1(Z1) if Z1 ⊆ φ2, don’t take g2 L0U0 φ1 := aL0U0(Z0) if Z0 ⊆ φ1, don’t take g1

31/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ −∞ −∞ −∞ q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q4, x − y = 0 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106 × 32/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ −∞ −∞ U(x) = 1 q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q4, x − y = 0 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106 × 32/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ −∞ U(x) = 1 U(x) = 1 q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q4, x − y = 0 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106 × 32/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ U(x) = 1,L(y) = 5 U(x) = 1 U(x) = 1 q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q4, x − y = 0 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106 × 32/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ U(x) = 1,L(y) = 5 U(x) = 1 U(x) = 1 q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q4, x − y = 0 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106 q3, x − y = 1

×

32/35

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ U(x) = 1,L(y) = 5 U(x) = 1 U(x) = 1 q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q4, x − y = 0 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106 q3, x − y = 1

×

32/35

Lazy bounds propagation

[Herbreteau, S., Walukiewicz’13] q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ U(x) = 1,L(y) = 5 U(x) = 1 U(x) = 1 q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q4, x − y = 0 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106 q3, x − y = 1

×

32/35

Lazy bounds propagation

[Herbreteau, S., Walukiewicz’13]

Zone graph + aLU

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ U(x) = 1,L(y) = 5 U(x) = 1 U(x) = 1 q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q4, x − y = 0 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106 q3, x − y = 1

×

32/35

Lazy bounds propagation

[Herbreteau, S., Walukiewicz’13]

Zone graph + aLU

q0 q1 q2 q3 q4 q5 q6 y = 1,{y} x = 106 ∧ y = 106 y = 1,{y} y ≥ 5 x ≥ 106 x ≤ 1 −∞ −∞ −∞ U(x) = 1,L(y) = 5 U(x) = 1 U(x) = 1 q0, x − y = 0 q1, x − y = 0 q1, x − y = 1 q2, x − y = 0 ∧ x ≥ 106 q3, x − y = 0 q4, x − y = 0 ∧ y ≥ 5 q5, x − y = 0 ∧ x ≥ 106 q3, x − y = 1

×

32/35

Reachability for timed automata

Standard algorithm: covering tree Convex abstractions Bounds by static analysis

Observation 1

Non-convex abstractions Optimality

Observation 2

Dynamic LU-bounds

33/35

Experiments

Model

• nb. of

UPPAAL (-C) static lazy clocks nodes sec. nodes sec. nodes sec. CSMA/CD 10 11 120845 1.12 CSMA/CD 11 12 311310 3.23 CSMA/CD 12 13 786447 14.8 C-CSMA/CD 6 6 8153 0.19 C-CSMA/CD 7 C-CSMA/CD 8 FDDI 50 151 FDDI 70 211 FDDI 140 421 Fischer 9 9 135485 1.17 Fischer 10 10 447598 5.04 Fischer 11 11 1464971 20.5

◮ UPPAAL (-C) shows results from UPPAAL tool which uses static bounds ◮ static is our implementation of UPPAAL’s algo ◮ Time out (180s)

34/35

Experiments

Model

• nb. of

UPPAAL (-C) static lazy clocks nodes sec. nodes sec. nodes sec. CSMA/CD 10 11 120845 1.12 78604 1.89 CSMA/CD 11 12 311310 3.23 198669 5.07 CSMA/CD 12 13 786447 14.8 493582 13.58 C-CSMA/CD 6 6 8153 0.19 C-CSMA/CD 7 C-CSMA/CD 8 FDDI 50 151 10299 13.61 FDDI 70 211 FDDI 140 421 Fischer 9 9 135485 1.17 135485 3.23 Fischer 10 10 447598 5.04 447598 12.73 Fischer 11 11 1464971 20.5 1464971 46.97

◮ UPPAAL (-C) shows results from UPPAAL tool which uses static bounds ◮ static is our implementation of UPPAAL’s algo ◮ Time out (180s)

34/35

Experiments

Model

• nb. of

UPPAAL (-C) static lazy clocks nodes sec. nodes sec. nodes sec. CSMA/CD 10 11 120845 1.12 78604 1.89 78604 2.10 CSMA/CD 11 12 311310 3.23 198669 5.07 198669 5.64 CSMA/CD 12 13 786447 14.8 493582 13.58 493582 14.71 C-CSMA/CD 6 6 8153 0.19 1876 0.09 C-CSMA/CD 7 18414 0.97 C-CSMA/CD 8 172040 10.36 FDDI 50 151 10299 13.61 401 0.4 FDDI 70 211 561 1.36 FDDI 140 421 1121 18.25 Fischer 9 9 135485 1.17 135485 3.23 135485 4.38 Fischer 10 10 447598 5.04 447598 12.73 447598 17.27 Fischer 11 11 1464971 20.5 1464971 46.97 1464971 67.61

◮ UPPAAL (-C) shows results from UPPAAL tool which uses static bounds ◮ static is our implementation of UPPAAL’s algo ◮ Time out (180s)

34/35

Conclusion

◮ Computing shorter proofs for un-reachability dynamically ◮ Main technical ingredient: efficient inclusion test ◮ Extended to Priced Timed Automata [Bouyer, Colange, Markey’16]

35/35

Conclusion

◮ Computing shorter proofs for un-reachability dynamically ◮ Main technical ingredient: efficient inclusion test ◮ Extended to Priced Timed Automata [Bouyer, Colange, Markey’16] ◮ Future work:

◮ Improve lazy propagation ◮ partial-order reduction ◮ timed games 35/35