Lazy abstractions for timed automata F. Herbreteau 1 , B. Srivathsan - PowerPoint PPT Presentation

Lazy abstractions for timed automata F. Herbreteau 1 , B. Srivathsan 2 , I. Walukiewicz 1 LaBRI, Universit´ e Bordeaux 1 Software modeling and verification group, RWTH-Aachen MOVES Seminar, March 2013 Lazy abstractions for timed automata - 1/26

Timed Automata [AD94] s 2 ( y = 1) ( x < 1) ( x < 1) { y } s 0 s 1 s 3 ( x > 1) ( y < 1) , { y } Run: finite sequence of transitions s 0 s 1 s 3 0 . 4 0 . 5 x 0 0 . 4 0 . 9 y 0 0 0 . 5 ◮ accepting if ends in green state Lazy abstractions for timed automata - 2/26

The problem we are interested in ... Given a TA, does there exist an accepting run ? Lazy abstractions for timed automata - 3/26

The problem we are interested in ... Given a TA, does there exist an accepting run ? Theorem [AD94] This problem is PSPACE-complete first solution based on Regions Lazy abstractions for timed automata - 3/26

Regions Maximal bounds: M : X �→ N ∪ {−∞} Lazy abstractions for timed automata - 4/26

Regions Maximal bounds: M : X �→ N ∪ {−∞} M ( x ) = 3 , M ( y ) = 2 x ⋖ 0 , x ⋗ 0 , x ⋖ 1 , x ⋗ 1 , . . . , x ⋖ 3 , x ⋗ 3 y ⋖ 0 , y ⋗ 0 , . . . , y ⋖ 2 , y ⋗ 2 Lazy abstractions for timed automata - 4/26

Regions Maximal bounds: M : X �→ N ∪ {−∞} M ( x ) = 3 , M ( y ) = 2 x ⋖ 0 , x ⋗ 0 , x ⋖ 1 , x ⋗ 1 , . . . , x ⋖ 3 , x ⋗ 3 y ⋖ 0 , y ⋗ 0 , . . . , y ⋖ 2 , y ⋗ 2 4 3 2 1 0 1 2 3 4 5 Lazy abstractions for timed automata - 4/26

◮ Region: set of valuations satisfying the same guards w.r.t. time ◮ Finiteness: Parametrized by maximal constant Sound and complete [AD94] Region graph preserves state reachability Lazy abstractions for timed automata - 5/26

◮ Region: set of valuations satisfying the same guards w.r.t. time ◮ Finiteness: Parametrized by maximal constant O ( | X | ! . M | X | ) many regions! Sound and complete [AD94] Region graph preserves state reachability Lazy abstractions for timed automata - 5/26

A more efficient solution... Key idea: Maintain all valuations reachable along a path ( x ≤ 5) ( y ≥ 7) q 0 q 1 q 2 q 3 x := 0 Lazy abstractions for timed automata - 6/26

A more efficient solution... Key idea: Maintain all valuations reachable along a path ( x ≤ 5) ( y ≥ 7) q 0 q 1 q 2 q 3 x := 0 Lazy abstractions for timed automata - 6/26

A more efficient solution... Key idea: Maintain all valuations reachable along a path ( x ≤ 5) ( y ≥ 7) q 0 q 1 q 2 q 3 x := 0 Lazy abstractions for timed automata - 6/26

A more efficient solution... Key idea: Maintain all valuations reachable along a path ( x ≤ 5) ( y ≥ 7) q 0 q 1 q 2 q 3 x := 0 Lazy abstractions for timed automata - 6/26

A more efficient solution... Key idea: Maintain all valuations reachable along a path ( x ≤ 5) ( y ≥ 7) q 0 q 1 q 2 q 3 x := 0 Lazy abstractions for timed automata - 6/26

A more efficient solution... Key idea: Maintain all valuations reachable along a path ( x ≤ 5) ( y ≥ 7) q 0 q 1 q 2 q 3 x := 0 Lazy abstractions for timed automata - 6/26

A more efficient solution... Key idea: Maintain all valuations reachable along a path ( x ≤ 5) ( y ≥ 7) q 0 q 1 q 2 q 3 x := 0 Lazy abstractions for timed automata - 6/26

A more efficient solution... Key idea: Maintain all valuations reachable along a path x = y ≥ 0 x = y ≥ 0 y − x ≥ 7 y − x ≥ 7 ( x ≤ 5) ( y ≥ 7) q 0 q 1 q 2 q 3 x := 0 Lazy abstractions for timed automata - 6/26

Zones and zone graph ◮ Zone: set of valuations defined by conjunctions of constraints: ◮ x ∼ c ◮ x − y ∼ c ◮ e.g. ( x − y ≥ 1) ∧ y < 2 ◮ Representation: by DBM Sound and complete [DT98] Zone graph preserves state reachability Lazy abstractions for timed automata - 7/26

But the zone graph could be infinite ... ( y = 1) , { y } { x , y } q 0 q 1 Lazy abstractions for timed automata - 8/26

But the zone graph could be infinite ... ( q 0 , x − y = 0) ( y = 1) , { y } { x , y } q 0 q 1 Lazy abstractions for timed automata - 8/26

But the zone graph could be infinite ... ( q 0 , x − y = 0) ( y = 1) , { y } ( q 1 , x − y = 0) { x , y } q 0 q 1 Lazy abstractions for timed automata - 8/26

But the zone graph could be infinite ... ( q 0 , x − y = 0) ( y = 1) , { y } ( q 1 , x − y = 0) { x , y } q 0 q 1 ( q 1 , x − y = 1) Lazy abstractions for timed automata - 8/26

But the zone graph could be infinite ... ( q 0 , x − y = 0) ( y = 1) , { y } ( q 1 , x − y = 0) { x , y } q 0 q 1 ( q 1 , x − y = 1) ( q 1 , x − y = 2) . . . Lazy abstractions for timed automata - 8/26

But the zone graph could be infinite ... ( q 0 , x − y = 0) ( y = 1) , { y } ( q 1 , x − y = 0) { x , y } q 0 q 1 ( q 1 , x − y = 1) ( q 1 , x − y = 2) . . . Abstract zone to its region closure Lazy abstractions for timed automata - 8/26

M ( x ) = −∞ M ( y ) = 1 ( y = 1) , { y } { x , y } q 0 q 1 Lazy abstractions for timed automata - 9/26

M ( x ) = −∞ M ( y ) = 1 ( y = 1) , { y } { x , y } q 0 q 1 Lazy abstractions for timed automata - 9/26

M ( x ) = −∞ M ( y ) = 1 ( q 0 , x − y = 0) ( y = 1) , { y } ( q 1 , x − y = 0) { x , y } q 0 q 1 ( q 1 , x − y = 1) x − y = 1 ⊆ Closure M ( x − y = 0) Lazy abstractions for timed automata - 9/26

M ( x ) = −∞ M ( y ) = 1 ( q 0 , x − y = 0) ( y = 1) , { y } ( q 1 , x − y = 0) { x , y } q 0 q 1 ( q 1 , x − y = 1) x − y = 1 ⊆ Closure M ( x − y = 0) Using Closure 1. Z ⊆ Closure M ( Z ′ ) can be done efficiently [HKSW11] 2. Given M , Closure M is optimal [HSW12] Lazy abstractions for timed automata - 9/26

Reachability algorithm: ◮ Compute zones ◮ Use Closure M for termination ◮ Given M , Closure M is optimal Lazy abstractions for timed automata - 10/26

Reachability algorithm: ◮ Compute zones ◮ Use Closure M for termination ◮ Given M , Closure M is optimal Coming next: get better M bounds! Lazy abstractions for timed automata - 10/26

( y = 1) , { y } { x } x ≥ 10 6 q 0 q 1 q 2 y . . . M ( y ) = 1 x M ( x ) = 10 6 Lazy abstractions for timed automata - 11/26

( y = 1) , { y } ( q 0 , x − y = 0) { x } x ≥ 10 6 q 0 q 1 q 2 ( q 0 , x − y = 1) ( q 1 , 0 ≤ x ≤ y ) ( q 2 , 10 6 ≤ x ≤ y ) ( q 0 , x − y = 2) . y . . . . . ( q 0 , x − y = 10 6 + 1) M ( y ) = 1 x M ( x ) = 10 6 ( q 0 , x − y = 10 6 + 2) More than 10 6 nodes unnecessary Lazy abstractions for timed automata - 11/26

Static analysis [BBFL03] Key idea: Bounds for every q of the automaton ( y = 1) , { y } x ≥ 10 6 { x } q 0 q 1 q 2 M 1 ( x ) = 10 6 M 0 ( x ) = −∞ M 0 ( y ) = 1 M 1 ( y ) = −∞ Lazy abstractions for timed automata - 12/26

Static analysis [BBFL03] Key idea: Bounds for every q of the automaton ( y = 1) , { y } ( q 0 , x − y = 0) x ≥ 10 6 { x } q 0 q 1 q 2 ( q 0 , x − y = 1) ( q 1 , 0 ≤ x ≤ y ) M 1 ( x ) = 10 6 M 0 ( x ) = −∞ ( q 2 , 10 6 ≤ x ≤ y ) M 0 ( y ) = 1 M 1 ( y ) = −∞ Lazy abstractions for timed automata - 12/26

However... ( y = 1) , { y } x ≥ 10 6 x = 1 ∧ y = 2 q 0 q 1 q 2 M 0 ( x ) = 10 6 M 1 ( x ) = 10 6 M 0 ( y ) = 2 M 1 ( y ) = −∞ Static analysis gives more than 10 6 nodes in the zone graph Lazy abstractions for timed automata - 13/26

However... ( y = 1) , { y } x ≥ 10 6 x = 1 ∧ y = 2 q 0 q 1 q 2 M 0 ( x ) = 10 6 M 1 ( x ) = 10 6 M 0 ( y ) = 2 M 1 ( y ) = −∞ Static analysis gives more than 10 6 nodes in the zone graph Need to look at semantics Lazy abstractions for timed automata - 13/26

On-the-fly bounds [HKSW11] Key idea: Bounds for every ( q , Z ) of the zone graph constants at depend on subtree . . . . . . . . . Lazy abstractions for timed automata - 14/26

( y = 1) , { y } x ≥ 10 6 x = 1 ∧ y = 2 q 0 q 1 q 2 ( x : 1 , y : 2) ( q 0 , x − y = 0) ( x : 1 , y : 2) ( q 0 , x − y = 1) ( x : 1 , y : 2) ( q 0 , x − y = 2) ( q 0 , x − y = 3) Lazy abstractions for timed automata - 15/26

Two ways of getting bounds: ◮ Static analysis (bounds for every q ) ◮ On-the-fly propagation (bounds for every ( q , Z )) Lazy abstractions for timed automata - 16/26

Two ways of getting bounds: ◮ Static analysis (bounds for every q ) ◮ On-the-fly propagation (bounds for every ( q , Z )) Coming next: Better bounds by exploiting more semantics Lazy abstractions for timed automata - 16/26

Observation 1: If all edges are enabled in the zone graph, then we don’t need bounds at all Lazy abstractions for timed automata - 17/26

( y = 1) , { y } x ≥ 10 6 q 0 q 1 q 2 ( q 0 , x − y = 0) ( q 0 , x − y = 1) ( q 1 , x − y = 0) ( q 2 , x − y = 0 ∧ x ≥ 10 6 ) Lazy abstractions for timed automata - 18/26

( y = 1) , { y } x ≥ 10 6 q 0 q 1 q 2 ( q 0 , x − y = 0) ( q 0 , x − y = 1) ( q 1 , x − y = 0) ( q 2 , x − y = 0 ∧ x ≥ 10 6 ) Otf-propagation would have given ∼ 10 6 nodes Lazy abstractions for timed automata - 18/26

( y = 1) , { y } x ≥ 10 6 q 0 q 1 q 2 ( q 0 , x − y = 0) ( q 0 , x − y = 1) ( q 1 , x − y = 0) ( q 2 , x − y = 0 ∧ x ≥ 10 6 ) Otf-propagation would have given ∼ 10 6 nodes Trigger bounds propagation only when a disabled edge is seen Lazy abstractions for timed automata - 18/26

Observation 2: If some edge is disabled in the zone graph, it is enough to consider only the guards that were responsible for the edge to be disabled Lazy abstractions for timed automata - 19/26