dependability engineering & Petri nets SS 2018 Z:\Documents\teaching\pn-vo\pn_skript_fm\pn09_stubbornSetReduction.sld.fm 9 - 1 / 24

LAZY STATE SPACE CONSTRUCTION

  • STUBBORN SET REDUCED REACHABILITY GRAPH

dependability engineering & Petri nets SS 2018 monika.heiner@b-tu.de 9 - 2 / 24

QUALITATIVE ANALYSIS METHODS, OVERVIEW

❑ static analysis
    > NET REDUCTION
    > STRUCTURAL PROPERTIES
    > LINEAR PROGRAMMING: place / transition invariants, state equation, trap equation
❑ dynamic analysis
    > REACHABILITY ANALYSIS
        - (complete) reachability graph
        - reduced state spaces: coverability graph, symmetry, stubborn sets
        - compressed state spaces: BDDs, NDDs, ..., XDDs; Kronecker products; branching process
    > (model checking)


STUBBORN SETS & REDUCED RG

❑ basic principle - lazy state space construction
    > only a subset of the complete rg is constructed
    > this subset still allows the decision of certain properties
    > RGred equiv RG: equivalent with respect to some properties
    > suitable equivalence relation ?
❑ basic idea - partial order reduction techniques
    > not all interleaving sequences of concurrent behavior (= partially ordered behavior) are considered
❑ preserved properties
    > all dead states
    > cyclic behavior


EXAMPLE SYSTEM DEADLOCK, PETRI NET

[figure: Petri net of two cyclic processes P1 and P2 competing for the shared semaphore places A and B; places A, B, a1..a5, b1..b5; transitions P1_downA, P1_downB, P1_upB, P1_upA, P1_repeat, P2_downB, P2_downA, P2_upA, P2_upB, P2_repeat]

INA property vector of the net:

  ORD HOM NBM PUR CSV SCF CON SC  Ft0 tF0 Fp0 pF0 MG  SM  FC  EFC ES
  Y   Y   Y   Y   N   N   Y   Y   N   N   N   N   N   N   N   N   Y

  DTP SMC SMD SMA CPI CTI B   SB  REV DSt BSt DTr DCF L   LV  L&S
  N   Y   Y   N   Y   Y   Y   Y   N   Y   ?   N   N   N   N   N


EXAMPLE SYSTEM DEADLOCK, (COMPLETE) RG

[figure: complete reachability graph, nodes numbered 1..19, arcs labelled with the transitions of the net; one node is marked DEAD STATE; the figure distinguishes CONCURRENCY BRANCHING from CONFLICT BRANCHING]

19 nodes, 32 arcs


EXAMPLE SYSTEM DEADLOCK, REDUCED RG

[figure: stubborn set reduced reachability graph of the same net, drawn on top of the complete graph; the DEAD STATE is still reached]

10 nodes, 12 arcs (saving: 9 nodes, 20 arcs)


STUBBORN SET, CHARACTERISTICS

❑ a marking-dependent selection of a set of independent transitions
❑ a set of independent transitions
    > their behavior cannot be influenced by the excluded transitions
    > "they are stubborn"
    > no sequence of excluded transitions can enable or disable an included transition
    > hence the firing of the excluded transitions can be postponed
    > contains at least one enabled transition
❑ stubborn set reduced rg
    > slight variation of the standard algorithm
    > at each marking (node): instead of firing all enabled transitions, only the enabled transitions of a stubborn set are fired


REACHABILITY GRAPH, CONSTRUCTION ALGORITHM

PROCEDURE rg (IN Net pn, IN Marking m0, OUT MSet nodes, OUT ArcSet arcs);
    MSet       U = {m0},        // unprocessed markings
               N = ∅;           // rg nodes
    ArcSet     E = ∅;           // rg arcs (pre, post, t)
    Marking    m, m';           // current and successor marking
    Transition t;
    WHILE U ≠ ∅ DO
        choose one m ∈ U;  U = U - {m};  N = N ∪ {m};
        FOR ALL t ∈ T enabled at m DO        // T: transitions of pn
            m' = m + Δt;
            IF m' ∉ N ∪ U THEN               // new marking
                U = U ∪ {m'}
            ENDIF;
            E = E ∪ {(m, m', t)};
        ENDFOR
    ENDWHILE;
    nodes = N;  arcs = E;
ENDPROC rg.


STUBBORN REDUCED RG, CONSTRUCTION ALGORITHM

PROCEDURE rg (IN Net pn, IN Marking m0, OUT MSet nodes, OUT ArcSet arcs);
    MSet       U = {m0},        // unprocessed markings
               N = ∅;           // rg nodes
    ArcSet     E = ∅;           // rg arcs (pre, post, t)
    Marking    m, m';           // current and successor marking
    Transition t;
    WHILE U ≠ ∅ DO
        choose one m ∈ U;  U = U - {m};  N = N ∪ {m};
        FOR ALL t of a stubborn set at m, t enabled at m DO   // the only change
            m' = m + Δt;
            IF m' ∉ N ∪ U THEN               // new marking
                U = U ∪ {m'}
            ENDIF;
            E = E ∪ {(m, m', t)};
        ENDFOR
    ENDWHILE;
    nodes = N;  arcs = E;
ENDPROC rg.


HOW TO CONSTRUCT STUBBORN SETS

❑ three basic steps
    (1) choose an enabled transition t and put it into U
    (2) FOR ALL enabled transitions t in U DO
            all transitions in conflict with t go into U
        ENDFOR
        > conflict transitions: (Ft)F, i.e. the post-transitions of the pre-places of t
        > ensures: no sequence of excluded transitions can disable an included transition
    (3) FOR ALL disabled transitions t in U DO
            choose a scapegoat (a place p which prevents t from being enabled), and all pre-transitions of p go into U
        ENDFOR
        > ensures: no sequence of excluded transitions can enable an included transition
❑ repeat (2) and (3) as long as necessary, i.e. until U does not change any more
    > each set U constructed in this way is a stubborn set at m
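The two construction loops above and the three-step stubborn set construction, run on the slides' system-deadlock example, as an added example (this is not code from the lecture, nor from INA or Charlie). Assumptions: the net is reconstructed from the transition names in the figures (P1 acquires A then B, P2 acquires B then A; local places a1..a5 and b1..b5; all arc weights 1, so a marking is the set of marked places); the names NET, M0, stubborn_set, build_rg, complete_rg, stubborn_rg, dead_states and is_stubborn are mine; ties in the heuristics are broken by declaration order. With these choices the run reproduces the sizes quoted above (complete RG 19 nodes / 32 arcs, reduced RG 10 nodes / 12 arcs) and finds the same single dead state in both graphs.

```python
"""Complete vs. stubborn set reduced reachability graph of a safe P/T net.

Added example; the net below is an assumed reconstruction of the slides'
system-deadlock example, not the lecture's own model file.
"""

# transition -> (pre-places, post-places); every arc has weight 1 (assumption)
NET = {
    "P1_downA":  ({"a1", "A"}, {"a2"}),
    "P1_downB":  ({"a2", "B"}, {"a3"}),
    "P1_upB":    ({"a3"}, {"a4", "B"}),
    "P1_upA":    ({"a4"}, {"a5", "A"}),
    "P1_repeat": ({"a5"}, {"a1"}),
    "P2_downB":  ({"b1", "B"}, {"b2"}),
    "P2_downA":  ({"b2", "A"}, {"b3"}),
    "P2_upA":    ({"b3"}, {"b4", "A"}),
    "P2_upB":    ({"b4"}, {"b5", "B"}),
    "P2_repeat": ({"b5"}, {"b1"}),
}
M0 = frozenset({"a1", "b1", "A", "B"})   # initial marking: both processes idle, both semaphores free


def enabled(m, t):
    return NET[t][0] <= m


def fire(m, t):
    pre, post = NET[t]
    return (m - pre) | post


def pre_transitions(p):
    """Fp in INA notation: transitions having p in their post-set."""
    return {t for t, (_, post) in NET.items() if p in post}


def conflicts(t):
    """(Ft)F: every transition sharing a pre-place with t, t itself included."""
    return {u for u, (pre, _) in NET.items() if pre & NET[t][0]}


def stubborn_set(m):
    """Three-step construction of the slides with Charlie's heuristics."""
    en = [t for t in NET if enabled(m, t)]
    if not en:
        return set()                                   # dead state: no stubborn set exists
    # (1) start with an enabled transition having few transitions in conflict
    U = {min(en, key=lambda t: len(conflicts(t)))}
    while True:
        new = set(U)
        for t in U:
            if enabled(m, t):                          # (2) close under conflicts
                new |= conflicts(t)
            else:                                      # (3) scapegoat with few pre-transitions
                p = min(NET[t][0] - m, key=lambda q: (len(pre_transitions(q)), q))
                new |= pre_transitions(p)
        if new == U:                                   # repeat (2) and (3) until stable
            return U
        U = new


def build_rg(m0, choose):
    """The slides' construction loop; choose(m) yields the transitions fired at m."""
    U, N, E = {m0}, set(), set()                       # unprocessed markings, nodes, arcs
    while U:
        m = U.pop()                                    # choose one m in U
        N.add(m)
        for t in choose(m):
            m2 = fire(m, t)
            if m2 not in N and m2 not in U:            # new marking
                U.add(m2)
            E.add((m, m2, t))
    return N, E


def complete_rg(m0=M0):
    return build_rg(m0, lambda m: [t for t in NET if enabled(m, t)])


def stubborn_rg(m0=M0):
    return build_rg(m0, lambda m: [t for t in stubborn_set(m) if enabled(m, t)])


def dead_states(nodes):
    return {m for m in nodes if not any(enabled(m, t) for t in NET)}


def is_stubborn(m, U):
    """Re-check the defining conditions of a stubborn set at m: an enabled member,
    conflict closure for enabled members, and for each disabled member a scapegoat
    whose pre-transitions all lie inside U."""
    if not any(enabled(m, t) for t in U):
        return False
    for t in U:
        if enabled(m, t) and not conflicts(t) <= U:
            return False
        if not enabled(m, t) and not any(pre_transitions(p) <= U for p in NET[t][0] - m):
            return False
    return True


if __name__ == "__main__":
    for name, (N, E) in (("complete", complete_rg()), ("reduced", stubborn_rg())):
        dead = [sorted(m) for m in dead_states(N)]
        print(f"{name} RG: {len(N)} nodes, {len(E)} arcs, dead states: {dead}")
```

is_stubborn checks a set against the defining conditions independently of how it was built; it is the check to keep when trying other heuristics for step (3), since a smaller U that fails it no longer preserves the dead states.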


STUBBORN SETS, EXAMPLES (1)

[figure: stubborn set construction on the deadlock example in five steps (step 1 to step 5), applying basic steps (2) and (3) alternately until nothing is added ("stop"); shown on the net fragment with places A, B, a1, a2, a3, b1, b2, b3 and transitions P1_downA, P1_downB, P2_downA, P2_downB]


STUBBORN SETS, EXAMPLES (2)

❑ for any dead state
    > there is no stubborn set
❑ for non-dead states
    > the set of all transitions is a stubborn set
❑ any conflict-free enabled transition
    > is a stubborn set by itself


STUBBORN SETS, OBSERVATIONS

❑ the result U depends on the current marking m
❑ non-deterministic stubborn set construction
    > the result depends on non-deterministic choices
    > choose an enabled transition t
    > choose a scapegoat p
❑ Charlie's heuristics
    > start with an enabled transition having few transitions in conflict
    > choose a scapegoat with few pre-transitions
❑ smaller stubborn sets generally result in a smaller reduced rg
    > BUT, there are counter examples
❑ there are various heuristics to determine smaller stubborn sets -> basic step (3)
❑ BUT, increasing computational effort
    > may exceed the benefit gained
    > what is worth more: space or run time ?


EXAMPLE TRAVEL PLANNING, RG

[figure: complete reachability graph of the travel planning example, nodes 1..26; transition labels in German: vorbereitungen_beginn (begin preparations), anrufen (call), camping, hotel, verbindung (connection), zug (train), auto (car), fuss (on foot), packen (pack), check, vorbereitungen_ende (end preparations), repeat]


EXAMPLE TRAVEL PLANNING, REDUCED RG

[figure: stubborn set reduced reachability graph, nodes 1..9; transitions begin_preparations, ask_for_rooms, camping / hotel, ask_for_schedule, train / car / feet, pack, check, end_preparations, repeat; the figure labels concurrent activity 1, concurrent activity 2 and concurrent activity 3]

    > only one interleaving sequence of the three concurrent activities is represented


DINING PHILOSOPHERS, RG AND REDUCED RG, SIZES

  # phils    P / T     Rstub            R
     1       6 / 4         4            4
     2      10 / 8         8           10
     3      15 / 12       20           35
     4      20 / 16       38          118
     5      25 / 20       62          392
     6      30 / 24       92        1,297
     7      35 / 28      128        4,286
     8      40 / 32      170       14,158
     9      45 / 36      218       46,763
    10      50 / 40      272      154,450
    11      55 / 44      332      510,116
    12      60 / 48      398
    13      65 / 52      470   (5.56 e+6)
    14      70 / 56      548
    15      75 / 60      632   (60.7 e+6)

  (R values in parentheses are the slide's estimates; R grows by a factor of about 3.3 per philosopher, Rstub only linearly)


PRODUCTION CELL, COOPERATION MODEL

  system part                         places / transitions    DTP          Rstub        R
  table / press, with init part            13 / 9             (N)            12         28
  table / press, without init part         12 / 8              28             8         24
  crane                                    12 / 8              31            11         48
  arms, version 1                          13 / 8              38            11         48
  arms, version 2                          17 / 12            109            15        112
  arms, version 3                          17 / 12             88            15         96
  belts                                    12 / 8              26             8         36
  subsystem with arm version 1             25 / 16            175            47        640
  subsystem with arm version 2             33 / 24          3,851 (N)        75      1,984
  subsystem with arm version 3             33 / 24            725           140      1,800
  open system                              51 / 36          1,145           299     77,760
  closed system                            51 / 36          1,140
      with 1 plate                                                           36        864
      with 2 plates                                                          72      4,776
      with 3 plates                                                          94     12,102
      with 4 plates                                                          98     16,362
      with 5 plates                                                         121     12,144


PRODUCTION CELL, CONTROL MODEL

                                    PROD                    a) deletion algorithm    b) incremental algorithm
  system part        P / T          R           time        Rstub       time         Rstub       time
  controllers
    crane           45 / 34           256       0.78"          51       0.16"           38       0.08"
    feed belt       22 / 16            69       0.20"          31       0.10"           16       0.07"
    table           32 / 24            88       0.38"          36       0.15"           24       0.09"
    arm, v3         66 / 60           365       1.19"          62       0.23"           51       0.09"
    press           28 / 20           140       0.42"          48       0.10"           20       0.09"
    deposit belt    22 / 16            69       0.20"          31       0.11"           16       0.07"
  composed systems
    robot          124 / 120       63,232      11.26'         992       5.99"          205       0.21"
    robot / press  140 / 132       18,344       3.10"         557       3.46"          305       0.35"
    open system    198 / 176    2,776,936           ?         798       5.90"          507       0.62"
    closed system  231 / 202
      1 plate                      30,952       7.54'         162       0.68"          163       0.32"
      2 plates                    543,480       3.3 h         406       2.53"          456       0.72"
      3 plates                  > 1.7 Mio      > 20 h         523       4.51"          635       0.95"
      4 plates                  > 3.1 Mio      > 42 h         471       4.02"          678       1.06"
      5 plates                  1,657,242        14 h         585       5.05"          608       0.98"

  (" = seconds, ' = minutes, Mio = million; a) stubborn sets by the deletion algorithm, b) by the incremental algorithm)


EXAMPLE CONCURRENT PUSHERS

❑ version 1 - many dynamic conflicts
❑ version 2 - persistent
❑ stubborn set reduction yields the same results for both versions

  # pushers          R      version 1 P / T   version 1 Rstub   version 2 P / T   version 2 Rstub
      1             88          24 / 25              22              24 / 21              22
      2            464          42 / 46              42              42 / 38              42
      3          3,088          60 / 67              79              60 / 55              79
      4         18,848          78 / 88             133              78 / 72             133
      5        118,624          96 / 109            204              96 / 89             204
      6        0.7 e+6         114 / 130            292             114 / 106            292
      7        4.6 e+6         132 / 151            397             132 / 123            397
      8       28.9 e+6         150 / 172            519             150 / 140            519
      9      179.8 e+6         168 / 193            658             168 / 157            658
     10        1.1 e+9         186 / 214            814             186 / 174            814


ON-THE-FLY LTL MODEL CHECKING

❑ LTL - Linear Time Temporal Logic
    > a formula must be true for all (linear) execution sequences
    > temporal operators: X, F, G, U
❑ rule of thumb
    > a linear operator ~ the branching operator quantified "on all branches" (A), BUT: CTL and LTL are not equivalent, neither contains the other (CTL ≠ LTL)
❑ LTL\X model checking can be combined with stubborn set reduction
    > on-the-fly model checking
❑ two sets
    > visible transitions of a formula: all pre- and post-transitions of the places appearing in the formula
    > invisible transitions of a formula: all other transitions
❑ a formula-conform stubborn set contains only invisible transitions, or else all enabled transitions
❑ very successful for "local" formulas


PRODUCTION CELL ON-THE-FLY LTL MODEL CHECKING

control model, 5 plates, full state space: 1,657,242 states

    > [BTU Report I-08/1995]

  requirement    # states generated    time effort
      8 a              2,259              4.16'
      8 b              1,775              3.76'
      9                2,305              4.34'
     10                1,879              3.10'
     15                1,184              2.55'
     29                  704              2.16'
     30                  703              2.46'
     31 a             27,104             23.80'
     31 b              6,433              4.02'
     31 c             28,285             24.30'
     32 a              3,940             10.26'
     32 b              3,113              9.21'


LTL PROPERTIES, EXAMPLES

❑ requirement 10 -> 1,879 states
  The travelling crane is not allowed to knock against a belt laterally, i.e. the crane never moves without performing a vertical translation.
  G ( (crane_to_belt1 + crane_to_belt2) -> crane_at_transport_height )
❑ requirement 15 -> 1,184 states
  The feed belt may only convey a blank through its light barrier if the table is in its loading position.
  G ( belt1_light_barrier_true -> (table_load_angle * table_bottom_pos) )
❑ requirement 29 -> 704 states
  The swivel is always either stopped or moves in exactly one direction.
  G ( robot_stop xor robot_left xor robot_right )
❑ requirement 30 -> 703 states
  The swivel is always positioned at exactly one angle.
  G ( arm1_pick_up_angle xor arm1_release_angle xor arm2_pick_up_angle xor arm2_release_angle )

  (+ = or, * = and. Note that a chain of three or four xor operands is satisfied by any odd number of true operands, so the "exactly one" reading of requirements 29 and 30 also relies on the model never marking three of these places at once.)


SUMMARY, OUTLOOK

❑ the reduction effect needs concurrently enabled transitions
    > more than one
    > no conflict in between
❑ for a system without concurrency
    > RG = RGstub
❑ on-the-fly model checking of LTL\X


REFERENCES

[Gerth 95] GERTH, R.; PELED, D.; VARDI, M. Y.; WOLPER, P.: Simple On-the-fly Automatic Verification of Linear Temporal Logic; Proc. of the 15th International Symposium on Protocol Specification, Testing and Verification (PSTV'95), Warsaw 1995, 3-18.

[Godefroid 96] GODEFROID, P.: Partial-Order Methods for the Verification of Concurrent Systems; LNCS 1032, 1996.

[Pogrell 95] POGRELL: Master Thesis, Humboldt Univ. at Berlin, 1995.

[Starke 92] STARKE, P. H.; ROCH, S.: INA - Integrated Net Analyser version 1.7; Technical report, Humboldt University at Berlin, 1997, http://www.informatik.hu-berlin.de/lehrstuehle/automaten/ina.

[Valmari 92] VALMARI, A.: A Stubborn Attack on State Explosion; Formal Methods in System Design 1(1992)4, 297-322.

[Valmari 92] VALMARI, A.: Alleviating State Explosion during Verification of Behavioral Equivalence; Univ. of Helsinki, Department of Computer Science, Report A-1992-4, Helsinki 1992.

[Varpaaniemi 95] VARPAANIEMI, K.; HALME, J.; HIEKKANEN, K.; PYSSYSALO, T.: PROD Reference Manual; Helsinki Univ. of Technology, Digital Systems Laboratory, Series B: Techn. Report No. 13, August 1995, ftp://saturn.hut.fi/pub/reports