On interleaving in {P {P,A}-Tim ime P e Pet etri i net ets s - - PowerPoint PPT Presentation
On interleaving in {P {P,A}-Tim ime P e Pet etri i net ets s with stron rong semantics Hanifa Boucheneb (1) , Kamel Barkaoui (2) (1) Laboratoire VeriForm , cole Polytechnique de Montral (Canada) (2) Laboratoire CEDRIC,. CNAM (France)
Hanifa Boucheneb(1), Kamel Barkaoui(2)
(1) Laboratoire VeriForm , École Polytechnique de Montréal (Canada) (2) Laboratoire CEDRIC,. CNAM (France)
1 21-24 September, Infinity’10, Singapore
2 21-24 September, Infinity’10, Singapore
Reachabilty properties
Counter-example
Property not satisfied
Model
checki king
Property satisfied
A finite/ infinite set of states = an abstract state I nfinite transition system
Abstraction a finite representation which preserves properties of interest. Challenge:
Abstraction
3 21-24 September, Infinity’10, Singapore
Linear properties
State space abstractions in the literature preserving linear properties:
may differ in:
Three levels of abstraction
Three levels of abstraction:
1 . Tim e abstraction OR 2 . States reachable by the sam e firing sequence independently of their firing tim es are grouped in the sam e node. 3 . The grouped states are then considered m odulo som e relation
θ t s1 s2 t s1 s2 s’1 θ t s1 s2 s’1 s1 s2 s’1 t t1 t1 t2 t2 t2 t2 t3 t1 t1 t1 t1 t1 t2 t2 t3 t1 t1 t2 t2 t3
5 21-24 September, Infinity’10, Singapore
Finite reachability graphs for bounded {P,A,T}-TPN and timed automata Reachability problem is decidable. State explosion problem: Abstract states reached by different interleavings of the same set of transitions are in general not equal. Abstraction by inclusion 6
t1
1 4
t1 t2 t2
2 3 5
t3
5 ⊆ 6
6
t1
1 4
t1 t2 t2 t3
2 3
6 21-24 September, Infinity’10, Singapore
Abstraction by convex-union Convex-union abstractions are much more compact than inclusion abstractions Test of convexity very expensive operation: Smallest-enclosing-DBM (5,6) – 5 ⊆ 6 6
t1
1 4
t1 t2 t2
2 3 5
t3
6
t1
1 4
t1 t2 t2 t3
2 3 5
5 ∪ 6 is convex?
7 21-24 September, Infinity’10, Singapore
Approach of Maler et al. (2006): CCS-like composition of timed automata
transitions. The union of abstract states reached by different interleavings of the same set of transitions is convex Test of convexity is not needed 16 abstract states 12 abstract states
1 2 3 4 6 7 8 9 10 12 11 5 13 14 15 16 t1 t2 t3 t3 t2 t1 t3 t2 t1 t3 t3 t1 t1 t2 t2 1 2 3 4 6 7 8 9 12 13 11 16 14 15 t1 t2 t3 t3 t2 t1 t3 t2 t1 t3 t1 t2 5 10
8 21-24 September, Infinity’10, Singapore
9 21-24 September, Infinity’10, Singapore
P-TPN A-TPN T-TPN
Availability intervals of tokens Implicit / explicit firing intervals Firing intervals of transitions Strong or weak time semantics A transition
What about expressiveness?
10 21-24 September, Infinity’10, Singapore
Some models are incomparable More expressive model
P-TPN model
p [a,b] A token created in p, at date θ, is (unless it is consumed):
unavailable in [θ, θ+a [
available in [ a+θ, b+θ ]
dead token in ] b+θ, ∞ [
A transition t is firable if all its required tokens are available.
Its firing takes no time. State = (M, Deadp, Ip)
11 21-24 September, Infinity’10, Singapore
s0 s2 s1 s5 s3
(p1+ p2, ∅, I(p1) = [0,2], I(p2)=[1,3]) (p2+ p3, ∅, I(p2) = [1,3], I(p3)=[1,1]) (p1+ p2, ∅, I(p1)=[0,1], I(p2) = [0,2]) (p2+ p3, ∅, I(p2) = [0,2], I(p3)=[1,1])
1 2 t1 t2
s4
t1
State s = (M, Deadp, Ip)
(M,Deadp,Ip) --- d (M,Deadp,Ip`) iff ∀p∈ M-Deadp, d ≤ ↑Ip(p) and Ip’(p)=[Max(0, ↓Ip(p)-d), ↑Ip(p) – d]
(M,Deadp,Ip) --- t (M’,Deadp,Ip’) iff Pre(t) ⊆ M - Deadp, ∀p∈ Pre(t), ↓Ip(p) =0 M’= (M – Pre(t)) ∪ Post(t), ∀p’∈ M’-Deadp, Ip’(p’)= Ip(p’) if p’ ∉ Post(t), and Ip’(p’) = Isp(p’) otherwise.
(M,Deadp,Ip) --- Err (M, Deadp’,Ip`) iff No friable transition and no time progression from (M,Deadp,Ip) Deadp’ = Deadp ∪ {p’∈M-Deadp | ↑Ip(p’)=0 }, ∀p’∈ M-Deadp’, Ip’(p’)= Ip(p’).
cannot over-pass intervals of non dead tokens
All tokens of t have reached their intervals timelock state
…
(p1+ p4, ∅, I(p1) = [0,1], I(p4)=[2,2])
21-24 September, Infinity’10, Singapore
(p1+ p2, ∅, I(p1) = [1,3], I(p2)=[2,4])
Semantics
…
s0 s2 s1 s5 s3
(p1+ p2, ∅, I(p1) = [0,2], I(p2)=[1,3]) (p2+ p3, ∅, I(p2) = [1,3], I(p3)=[1,1]) (p1+ p2, ∅, I(p1)=[0,1], I(p2) = [0,2]) (p2+ p3, ∅, I(p2) = [0,2], I(p3)=[1,1])
1 2 t1 t2
1 ≤ 3 ∧ 1 ≤ 4 2 ≤ 3 ∧ 2 ≤ 4
s4
t1
(p1+ p4, ∅, I(p1) = [0,1], I(p4)=[2,2])
State class { states reached by the same firing sequence } = (M, Deadp, φ)
13 21-24 September, Infinity’10, Singapore
(p1+ p2, ∅, I(p1) = [1,3], I(p2)=[2,4])
SCG
State class = (M, Deadp, φ) = { states reached by the same firing sequence }
(M, Deadp, φ) –t-> (M’,Deadp’, φ’) iff
pf – pi ≤ 0 is consistent
pf – pi ≤ 0
SCG is finite for all bounded P-TPNs and preserves linear properties
14 21-24 September, Infinity’10, Singapore
SCG
In the P-TPN SCG, the union of state classes reached by different interleavings of the same set of transitions is not necessarily convex.
15 21-24 September, Infinity’10, Singapore
c0
(p1+ p2, ∅, 1 ≤ p1 ≤ 3 ∧ 2 ≤ p2 ≤ 4)
c2 c1 c4 c3
(p1+ p4, ∅, 0 ≤ p1 ≤ 1 ∧ p4 = 2) (p3+ p4, ∅, p3 = 1 ∧ 1 ≤ p4 ≤ 2) (p2+ p3, ∅, 0 ≤ p2 ≤ 3 ∧ p3 = 1) (p3+ p4, ∅, 0≤ p3 ≤ 1 ∧ p4 = 2)
t2 t1 t1 t2
1 ≤ p1 ≤ 3 ∧ 2 ≤ p2 ≤ 4 ∧ p2 ≤ p1 1 ≤ p1 ≤ 3 ∧ 2 ≤ p2 ≤ 4 ∧ p2 ≤ p1
c3 ≠ c4 c3 ⊄ c4 c4 ⊄ c3 c3 ∪ c4 is not convex
SCG
c0
(p1+ p2, ∅,
c2 c1 C4 c3
(p1+ p4, ∅,
(p3+ p4, ∅,
(p2+ p3, ∅,
(p3+ p4, ∅,
t2 t1 t1 t2
∧ p2 - p1 ≤ 0
∧ p2 - p1 ≤ 0
16 21-24 September, Infinity’10, Singapore
CSCG
CSCG is the quotient graph of the SCG w.r.t. ≈: (M, Deadp, φ) ≈ (M’, Deadp’, φ’) M= M’, Deadp = Deadp’ and φ’ and φ’ have the same triangular constraints ≈ is a bisimulation over the SCG
c0
(p1+ p2, ∅,
c2 c1 C4 c3
(p1+ p4, ∅,
(p3+ p4, ∅,
(p2+ p3, ∅,
(p3+ p4, ∅,
t2 t1 t1 t2
∧ p2 - p1 ≤ 0
∧ p2 - p1 ≤ 0
c3 ≠ c4 c3 ⊄ c4 c4 ⊄ c3 c3 ∪ c4 is convex Theorem In the P-TPN CSCG, the union of state classes reached by different interleavings of the same set of transitions is convex.
17 21-24 September, Infinity’10, Singapore
CSCG
(p,t) [a,b] A token created in p, at date θ, is (unless it is consumed):
unavailable in [θ, θ+a [ for t
available in [ a+θ, b+θ ] for t
dead token in ] b+θ, ∞ [ for t
A transition t is firable if all its input arcs are available.
Its firing takes no time. State = (M, Deada, Ia)
18 21-24 September, Infinity’10, Singapore
A-TPN model
State s = (M, Deada, Ia)
(M,Deada,Ia) --- d (M,Deada,Ia`) iff ∀(p,t)∈ EE(M)-Deada, d ≤ ↑Ia(p,t) and Ia’(p,t)=[Max(0, ↓Ia(p,t)-d), ↑Ia(p,t) – d]
(M,Deada,Ia) --- t (M’,Deada,Ia’) iff Pre(t)x{ t)⊆ EE(M) - Deada, ∀p∈ Pre(t), ↓Ia(p,t) =0 M’= (M – Pre(t)) ∪ Post(t), ∀(p’,t`)∈ EE(M’)-Deada, Ia’(p’,t’)= Ia(p’,t’) if p’ ∉ Post(t), and Ia’(p’,t’) = Isa(p’,t’) otherwise.
(M,Deada,Ia) --- Err (M, Deada’,Ia`) iff No friable transition and no time progression from (M,Deada,Ia) Deada’ = Deada ∪ {(p’,t’)∈EE(M)-Deada | ↑Ia(p’,t’)=0 }, ∀p’∈ EE(M)-Deada’, Ia’(p’,t’)= Ia(p’,t’).
cannot over-pass intervals of non dead arcs All input arcs of t have reached their intervals timelock state
19 21-24 September, Infinity’10, Singapore
Semantics
c3 ≠ c4 c3 ⊄ c4 c4 ⊄ c3 c3 ∪ c4 is not convex In the A-TPN SCG, the union of state classes reached by different interleavings of the same set of transitions is not necessarily convex.
20 21-24 September, Infinity’10, Singapore
c0
(p1+ p2, ∅, 1 ≤ pt1 ≤ 3 ∧ 2 ≤ pt2 ≤ 4)
c2 c1 c4 c3
(p1+ p4, ∅, 0 ≤ pt1 ≤ 1 ∧ pt4 = 2) (p3+ p4, ∅, pt3 = 1 ∧ 1 ≤ pt4 ≤ 2) (p2+ p3, ∅, 0 ≤ pt2 ≤ 3 ∧ pt3 = 1) (p3+ p4, ∅, 0≤ pt3 ≤ 1 ∧ pt4 = 2)
t2 t1 t1 t2
1 ≤ pt1 ≤ 3 ∧ 2 ≤ pt2 ≤ 4 ∧ pt2 ≤ pt1 1 ≤ pt1 ≤ 3 ∧ 2 ≤ pt2 ≤ 4 ∧ pt2 ≤ pt1
SCG
c0
(p1+ p2, ∅,
c2 c1 C4 c3
(p1+ p4, ∅,
(p3+ p4, ∅,
(p2+ p3, ∅,
(p3+ p4, ∅,
t2 t1 t1 t2
∧ pt2 - pt1 ≤ 0
∧ pt2 - pt1 ≤ 0
c3 ≠ c4 c3 ⊄ c4 c4 ⊄ c3 c3 ∪ c4 is convex
21 21-24 September, Infinity’10, Singapore
Theorem : In the A-TPN CSCG, the union of state classes reached by different interleavings of the same set of transitions is convex.
CSCG
The union of state classes reached by different interleavings of the same set of transitions is not necessarily convex in the SCG and in the CSCG [Boucheneb et al. 2008].
22 21-24 September, Infinity’10, Singapore
The union of state classes reached by different interleavings
not necessarily convex in the SCG of the { P,A} -TPN
convex in the CSCG of the { P,A} -TPN
is not necessarily convex in the SCG and CSCG of the T-TPN [ Boucheneb & al. 2008]
A-TPN is the more powerful model [ Boyer & Roux 2008] and
then more suitable, than the T-TPN, for abstractions by convex-union.
The translation of T-TPN into A-TPN needs to add several
places and transitions [ Boyer 2001] , which may offset the benefits of abstractions by convex-union.
23 21-24 September, Infinity’10, Singapore
A-TPN
(11 places, 21 transitions, 42 arcs)
T-TPN
(3 places, 2 transitions, 4 arcs) [2,5] [1,3] β α
21-24 September, Infinity’10, Singapore 24
Too large model Bad impact on analysis (complexity)
[ Boyer 2001]
25 21-24 September, Infinity’10, Singapore