Reachability problem in timed automata: abstractions, bounds, and - PowerPoint PPT Presentation

Reachability problem in timed automata: abstractions, bounds, and search order joint work with Frédéric Herbreteau, B. Srivathsan, Than-Tung Tran

s 2 ( y ≤ 3 ) ( x < 4 ) ( x < 1 ) { y } ( x > 6 ) s 0 s 1 s 3 ( y < 1 ) { y } The reachability problem for timed automata: Given a timed automaton, decide if there is an execution reaching a green state. Thm [Alur & Dill’94] : The reachability problem is PSPACE-complete.

Motivation Reachability problem is the basic problem for timed automata. Dually: one can think of it as of asking for a proof that a green state is not reachable. Such a proof is an interesting object: it is an invariant on a timed system. The goal is to provide relatively small invariants, and represent them in a succinct way. We hope that some of these methods can apply also to more complicated settings. In this talk : abstractions + search order

Zones y y y y x x x x ( x ≤ 5 ) ( y ≥ 7 ) q 0 q 1 q 2 q 3 { x } The key idea: Maintain sets of valuations reachable along the path. Zone: a set of valuations defined by conjunctions of constraints. x<c, x-y>c, x>d, x-y>d Fact: the « post » of a zone is a zone.

Zone graph Thm [Soundness and completeness]: The zone graph preserves state reachability.

Trying to solve reachability with zones f u n c t i o n reachability check( A ) 1 // Invariant: W ✓ P := { ( s 0 , Z 0 ) } ; P := W W 2 3 while ( W 6 = ; ) do 4 take and remove a node ( s , Z ) from W 5 i f ( s i n A ) 6 return Yes 7 e l s e 8 f o r each ( s , Z ) ) ( s 0 , Z 0 ) 9 ( s 0 , Z 0 ) 62 P i f 10 add ( s 0 , Z 0 ) to W and to P 11 return No 12 Fact: The algorithm is correct, but it may not terminate.

f u n c t i o n reachability check( A ) 1 := { ( s 0 , Z 0 ) } ; P := W // Invariant: W ✓ P W 2 3 while ( W 6 = ; ) do 4 take and remove a node ( s , Z ) from W 5 i f ( s i n A ) 6 return Yes 7 e l s e 8 f o r each ( s , Z ) ) ( s 0 , Z 0 ) 9 i f ( s 0 , Z 0 ) 62 P 10 add ( s 0 , Z 0 ) to W and to P 11 return No 12 Fact: y The algorithm is correct, but it may not terminate. x ( y = 1 ) { y } { x , y } q 0 q 1

Abstraction: a way to get termination ( q 0 , x − y = 0 ) ( y = 1 ) , { y } ( q 1 , x − y = 0 ) { x , y } q 0 q 1 ( q 1 , x − y = 1 ) ( q 1 , x − y = 2 ) . . .

Abstraction: a way to get termination M ( x ) = −∞ M ( y ) = 1 ( q 0 , x ≠ y = 0 ) ( y = 1 ) , { y } ( q 1 , x ≠ y = 0 ) { x , y } q 0 q 1 ( q 1 , x ≠ y = 1 ) x − y = 1 ⊆ Closure M ( x − y = 0 ) Closure M (Z) : Valuations that can be simulated by a valuation in Z w.r.t. automata with guards using c ≤ M.

What abstractions we can use: Three conditions 1. Abstraction should have finite range : finitely many sets a(W). 2. Abstraction should be complete : W ⊆ a(W). 3. Abstraction should be sound : a(W) should contain only valuations simulated by W. a ( W ) g 5 g 4 g g g 1 3 2 R 5 v R 4 R R R 1 3 2 q , W v Õ g 1 g 2 g g g R 1 4 3 5 R 2 R R R 4 3 5

Reachability algorithm with an abstraction f u n c t i o n reachability check( A ) 1 := { ( s 0 , a ( Z 0 )) } ; P := W // Invariant: W ✓ P W 2 3 while ( W 6 = ; ) do 4 take and remove a node ( s , Z ) from W 5 i f ( s i s a c c e p t i n g i n A ) 6 return Yes 7 e l s e 8 each ( s , Z ) ) a ( s 0 , Z 0 ) // Z 0 = a ( post ( Z )) f o r 9 ( s 0 , Z 0 ) 62 P i f 10 add ( s 0 , Z 0 ) to W and to P 11 return No 12 Fact: If a(W) is a sound and complete abstraction that has finite range then the algorithm is correct, and it terminates.

Subsumption: an important optimisation If a green state is reachable from (q,Z), and Z ⊆ Z’ then it is also reachable from (q,Z’). We say that (q,Z) is subsumed by (q,Z’). Cor: Keep only nodes that are maximal with respect to subsumption.

Reachability algorithm with subsumption f u n c t i o n reachability check( A ) 1 := { ( s 0 , a ( Z 0 )) } ; P := W W 2 3 while ( W 6 = ; ) do 4 take and remove a node ( s , Z ) from W 5 i f ( s i s a c c e p t i n g i n A ) 6 return Yes 7 e l s e 8 each ( s , Z ) ) a ( s 0 , Z 0 ) // Z 0 = a ( post ( Z )) f o r 9 i f ( s 0 , Z 0 ) i s not subsumed by any node i n P 10 add ( s 0 , Z 0 ) to W and to P 11 remove a l l nodes subsumed by ( s 0 , Z 0 ) from P and W 12 return No 13 Node subsumption is frequent due to abstractions.

Abstractions based on simulation Coarsest The coarsest LU-abstraction abstractions Efficient use of the abstraction Abstractions Static bounds, one per state Better On-the-fly-bounds, LU-bounds one per (state,zone) TA Lazy bounds, from disabled edges Reachability Subsumption makes the algorithm sensitive to exploration order Goal: reduce mistakes nodes that later will be deleted Better search Subsumtion order Idea1: Give priority to big nodes to minimise the effect of a mistake Idea2: use topological order to avoid mistakes

Abstractions based on simulation Coarsest The coarsest LU-abstraction abstractions Efficient use of the abstraction Abstractions Static bounds, one per state Better On-the-fly-bounds, LU-bounds one per (state,zone) TA Lazy bounds, from disabled edges Reachability Subsumption makes the algorithm sensitive to exploration order Goal: reduce mistakes nodes that later will be deleted Better search Subsumtion order Idea1: Give priority to big nodes to minimise the effect of a mistake Idea2: use topological order to avoid mistakes

Time abstract simulation A time-abstract simulation is a relation between configurations ( s, v ) � ( s 0 , v 0 ), such that: • s = s 0 , δ ! ( s 1 , v 1 ), then for some δ 0 2 R � 0 we have t • if ( s, v ) ! ( s, v + δ ) � � δ 0 ! ( s, v 0 + δ 0 ) t ( s, v 0 ) ! ( s 1 , v 0 1 ) and ( s 1 , v 1 ) � ( s 1 , v 0 1 ). � � Abstraction based on simulation � ( W ) = { v | 9 v 0 2 W. ( s, v ) � ( s, v 0 ) } a s Fact: An abstraction based on simulation is sound and complete.

Abstraction based on simulation � ( W ) = { v | 9 v 0 2 W. ( s, v ) � ( s, v 0 ) } a s Thm [Laroussinie, Schnoebelen 2000] Computing the coarsest time-abstract simulation for a given automaton is EXPTIME-hard. LU bounds for a given automaton For every clock x, let L(x) be the sup over constants occurring in lower bound guards of the automaton (x>c, x ≥ c). Similarly U(x) but for upper bounds (x<c, x ≤ c) Idea: compute the coarsest time-abstract simulation for all automata with a given LU bounds.

Abstractions based on simulation Coarsest The coarsest LU-abstraction abstractions Efficient use of the abstraction Abstractions Static bounds, one per state Better On-the-fly-bounds, LU-bounds one per (state,zone) TA Lazy bounds, from disabled edges Reachability Subsumption makes the algorithm sensitive to exploration order Goal: reduce mistakes nodes that later will be deleted Better search Subsumtion order Idea1: Give priority to big nodes to minimise the effect of a mistake Idea2: use topological order to avoid mistakes

The coarsest abstraction for all automata with a given LU. Defintion [Behrmann, Bouyer, Larsen, Pelanek] : Thm:

A comparison of different abstractions y Z : U y Extra + LU ( Z ) : ∪ Closure + LU ( Z ) : ∪ ∪ L y a 4 LU ( Z ) : ∪ ∪ ∪ x L x U x

Abstractions based on simulation Coarsest The coarsest LU-abstraction abstractions Efficient use of the abstraction Abstractions Static bounds, one per state Better On-the-fly-bounds, LU-bounds one per (state,zone) TA Lazy bounds, from disabled edges Reachability Subsumption makes the algorithm sensitive to exploration order Goal: reduce mistakes nodes that later will be deleted Better search Subsumtion order Idea1: Give priority to big nodes to minimise the effect of a mistake Idea2: use topological order to avoid mistakes

The same algorithm but with a_LU. We store only Z f u n c t i o n reachability check( A ) 1 := { ( s 0 , Z 0 ) } ; P := W W 2 3 while ( W 6 = ; ) do 4 take and remove a node ( s , Z ) from W 5 i f ( s i s a c c e p t i n g i n A ) 6 return Yes 7 e l s e 8 each ( s , Z ) ) ( s 0 , Z 0 ) // Z 0 = post ( Z ) f o r 9 Z 0 ✓ a LU ( Z 00 ) some ( s 0 , Z 00 ) i n P // subsumption i f f o r 10 then nop 11 e l s e 12 add ( s 0 , Z 0 ) to W and to P 13 remove a l l nodes subsumed by ( s 0 , Z 0 ) from P and W 14 return No 15 Remarks: We store only zones not the abstractions of zones. This is possible since we do Observe that LU can change during the execution.

The test In general is not a zone. Thm: Thus the inclusion test is as efficient as testing Z ⊆ Z’

Abstractions based on simulation Coarsest The coarsest LU-abstraction abstractions Efficient use of the abstraction Abstractions Static bounds, one per state Better On-the-fly-bounds, LU-bounds one per (state,zone) TA Lazy bounds, from disabled edges Reachability Subsumption makes the algorithm sensitive to exploration order Goal: reduce mistakes nodes that later will be deleted Better search Subsumtion order Idea1: Give priority to big nodes to minimise the effect of a mistake Idea2: use topological order to avoid mistakes

( y = 1) , { y } x ≥ 10 6 { x } q 0 q 1 q 2 y . . . M ( y ) = 1 x M ( x ) = 10 6