Topics in Timed Automata B. Srivathsan RWTH-Aachen Software - - PowerPoint PPT Presentation

Topics in Timed Automata

• B. Srivathsan

RWTH-Aachen

Software modeling and Verification group

1/25

Reachability: Does something bad happen?

“The gate is still open when the train is 2 minutes away from the crossing” A theory of timed automata

• R. Alur and D.L. Dill, TCS’94

This problem is PSPACE-complete

2/25

Tools

◮ UPPAAL:

Uppsaala university (Sweden), Aalborg university (Denmark)

◮ KRONOS:

Verimag (France)

◮ RED

National Taiwan University (Taiwan)

◮ Rabbit

Brandenburg TU Cottbus (Germany)

3/25

Tools

◮ UPPAAL:

Uppsaala university (Sweden), Aalborg university (Denmark)

◮ KRONOS:

Verimag (France)

◮ RED

National Taiwan University (Taiwan)

◮ Rabbit

Brandenburg TU Cottbus (Germany) and still research on for efficient algorithms . . .

3/25

Lecture 6: Reachability

4/25

Timed Automata

(y ≤ 3) (x < 1) (y < 1) (x < 4) (x > 6) {y} {y}

s0 s1 s3 s2

Run: finite sequence of transitions

s0 s1 0.4 s3 0.9 0.5

0.4 0.5

x y

◮ accepting if ends in green state

5/25

Reachability problem

Given a TA, does it have an accepting run

(y ≤ 3) (x < 1) (y < 1) (x < 4) (x > 6) {y} {y}

s0 s1 s3 s2

Theorem [AD94] This problem is PSPACE-complete

first solution based on Regions

6/25

Key idea: Maintain sets of valuations reachable along a path

q0 q1 q2 q3

(x ≤ 5) (y ≥ 7) {x}

x y x y x y x y 7/25

Key idea: Maintain sets of valuations reachable along a path

q0 q1 q2 q3

(x ≤ 5) (y ≥ 7) {x} x = y ≥ 0 x = y ≥ 0 y − x ≥ 7 y − x ≥ 7

x y x y x y x y

Easy to describe convex sets

7/25

Zones and zone graph

◮ Zone: set of valuations defined by

conjunctions of constraints: x ∼ c x − y ∼ c e.g. (x − y ≥ 1) ∧ (y < 2)

◮ Representation: by DBM [Dil89]

Sound and complete [DT98] Zone graph preserves state reachability

8/25

Problem of non-termination

q0 q1

(y = 1) {x, y} {y}

x y 9/25

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

10/25

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 q0 , 10/25

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 q0 ,

a(Z0)

10/25

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 q0 ,

× ×

a(Z0)

10/25

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 W1 Z1 q0 , q1 ,

× ×

a(Z0)

10/25

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 W1 Z1 q0 , q1 ,

× ×

a(Z0) a(W1)

10/25

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 W1 Z1 W2 Z2 W3 Z3 q0 , q1 , q2 , q3 ,

× × ×

a(Z0) a(W1)

10/25

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 W1 Z1 W2 Z2 W3 Z3 q0 , q1 , q2 , q3 ,

× × ×

a(Z0) a(W1) a(W2) a(W3)

10/25

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 W1 Z1 W2 Z2 W3 Z3 q0 , q1 , q2 , q3 ,

× × ×

a(Z0) a(W1) a(W2) a(W3) Find a such that number of abstracted sets is finite

10/25

Abstractions

Zone graph potentially infinite...

Z0 Z1 Z2 Z3 q0 , q1 , q2 , q3 ,

× × ×

. . . . . .

Z0 W1 Z1 W2 Z2 W3 Z3 q0 , q1 , q2 , q3 ,

× × ×

a(Z0) a(W1) a(W2) a(W3) Coarser the abstraction, smaller the abstracted graph

10/25

Condition 1: Abstractions should have finite range Condition 2: Abstractions should be sound ⇒ a(W) can contain

• nly valuations simulated by W

a(W) W v

g1 R1 g2 R2 g3 R3 g4 R4 g

5

R

5

v′

g

1

R

1

g2 R2 g3 R3 g4 R4 g5 R5

q

,

11/25

Condition 1: Abstractions should have finite range Condition 2: Abstractions should be sound ⇒ a(W) can contain

• nly valuations simulated by W

a(W) W v

g1 R1 g2 R2 g3 R3 g4 R4 g

5

R

5

v′

g

1

R

1

g2 R2 g3 R3 g4 R4 g5 R5

q

, Question: Why not add all the valuations simulated by W?

11/25

Bounds and abstractions

Theorem [LS00] Coarsest simulation relation is EXPTIME-hard

(y ≤ 3) (x < 1) (y < 1) (x < 4) (x > 6) {y} {y}

s0 s1 s3 s2

12/25

Bounds and abstractions

Theorem [LS00] Coarsest simulation relation is EXPTIME-hard

(y ≤ 3) (x < 1) (y < 1) (x < 4) (x > 6)

12/25

Bounds and abstractions

Theorem [LS00] Coarsest simulation relation is EXPTIME-hard

M-bounds [AD94] M(x) = 6, M(y) = 3 v M v′

(y ≤ 3) (x < 1) (y < 1) (x < 4) (x > 6)

12/25

Bounds and abstractions

Theorem [LS00] Coarsest simulation relation is EXPTIME-hard

M-bounds [AD94] M(x) = 6, M(y) = 3 v M v′ LU-bounds [BBLP04] L(x) = 6, L(y) = −∞ U(x) = 4, U(y) = 3 v LU v′

(y ≤ 3) (x < 1) (y < 1) (x < 4) (x > 6)

12/25

Abstractions in literature [BBLP04, Bou04]

aLU ClosureM (M) (LU)

13/25

Abstractions in literature [BBLP04, Bou04]

Non-convex

aLU ClosureM (M) (LU)

13/25

Abstractions in literature [BBLP04, Bou04]

Non-convex Convex

aLU ClosureM Extra+

M

Extra+

LU

ExtraLU ExtraM (M) (LU) Only convex abstractions used in implementations!

13/25

Timed automata Zone graph Problem of non-termination Use finite abstractions Bounds as parameters Restriction to convex abstractions Zones are efficient Non-convex abstr. are coarser

14/25

Timed automata Zone graph Problem of non-termination Use finite abstractions Bounds as parameters Restriction to convex abstractions Zones are efficient Non-convex abstr. are coarser Question: Can we benefit from both together?

14/25

In this lecture...

Efficient use of the non-convex Closure approximation

Using non-convex approximations for efficient analysis of timed automata

• F. Herbreteau, D. Kini, B. Srivathsan, I. Walukiewicz. FSTTCS’11

15/25

Observation 1: We can use abstractions without storing them

16/25

Using non-convex abstractions

Standard algorithm: covering tree

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ∧ a(W3) ⊆ a(W1)?

17/25

Using non-convex abstractions

Pick simulation based a

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ∧ a(W3) ⊆ a(W1)?

17/25

Using non-convex abstractions

Pick simulation based a

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ∧ a(W3) ⊆ a(W1)?

17/25

Using non-convex abstractions

Pick simulation based a

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ∧ a(W3) ⊆ a(W1)?

17/25

Using non-convex abstractions

Pick simulation based a

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ∧ a(W3) ⊆ a(W1)?

• 17/25

Using non-convex abstractions

Pick simulation based a

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 W1 Z1 W2 Z2 W3 Z3 W4 Z4 W5 Z5 a(Z0) a(W1) a(W2) a(W3) a(W4) a(W5)

q3 = q1 ∧ a(W3) ⊆ a(W1)?

• 17/25

Using non-convex abstractions

Pick simulation based a

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 Z1 Z2 Z3 Z4 Z5 a(Z0) a(Z1) a(Z2) a(Z3) a(Z4) a(Z5)

q3 = q1 ∧ a(Z3) ⊆ a(Z1)?

17/25

Using non-convex abstractions

Need to store only concrete semantics

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 Z1 Z2 Z3 Z4 Z5

q3 = q1 ∧ a(Z3) ⊆ a(Z1)?

17/25

Using non-convex abstractions

Use Z ⊆ a(Z′) for termination

q0 q1 q2 q3 q4 q5

, , , , , ,

Z0 Z1 Z2 Z3 Z4 Z5

q3 = q1 ∧ Z3 ⊆ a(Z1)?

17/25

Observation 1: We can use abstractions without storing them Observation 2: We can do the inclusion test efficiently

18/25

Coming next...

The inclusion test Z ⊆ ClosureM(Z′)

19/25

What is ClosureM?

M(x) M(y)

x y

20/25

What is ClosureM?

Z M(x) M(y)

x y

20/25

What is ClosureM?

Z M(x) M(y)

x y ClosureM(Z): set of regions that Z intersects

20/25

Z ⊆ ClosureM(Z′)?

x y M(x) M(y) Z Z′

21/25

Z ⊆ ClosureM(Z′)?

x y M(x) M(y) Z Z′ ClosureM(Z′)

21/25

Z ⊆ ClosureM(Z′)?

x y M(x) M(y) Z Z′ ClosureM(Z′)

21/25

Z ⊆ ClosureM(Z′)?

x y M(x) M(y) Z Z′

Z ⊆ ClosureM(Z′) ⇔ ∃R. R intersects Z, R does not intersect Z′

21/25

Z ⊆ ClosureM(Z′)?

x y M(x) M(y) Z Z′

Z ⊆ ClosureM(Z′) ⇔ ∃R. R intersects Z, R does not intersect Z′ Coming next: Steps to the efficient algorithm for Z ⊆ ClosureM(Z′)

21/25

Step 1: Representing regions and zones

x y

22/25

Step 1: Representing regions and zones

x y

x < 3 x > 2 y < ∞ y > 2

22/25

Step 1: Representing regions and zones

x y

x < 3 x > 2 y < ∞ y > 2

x y

22/25

Step 1: Representing regions and zones

x y

x < 3 x > 2 y < ∞ y > 2

x y

22/25

Step 1: Representing regions and zones

x y

x − 0 < 3 x > 2 y < ∞ y > 2

x y

< 3 22/25

Step 1: Representing regions and zones

x y

x − 0 < 3 x > 2 y < ∞ y > 2

x y

< 3 22/25

Step 1: Representing regions and zones

x y

x − 0 < 3 0 − x < −2 y < ∞ y > 2

x y

< 3 22/25

Step 1: Representing regions and zones

x y

x − 0 < 3 0 − x < −2 y < ∞ y > 2

x y

< −2 < 3 22/25

Step 1: Representing regions and zones

x y

x − 0 < 3 0 − x < −2 y < ∞ y > 2

x y

< −2 < 3 22/25

Step 1: Representing regions and zones

x y

x − 0 < 3 0 − x < −2 y − 0 < ∞ 0 − y < −2

x y

< −2 < 3 22/25

Step 1: Representing regions and zones

x y

x − 0 < 3 0 − x < −2 y − 0 < ∞ 0 − y < −2

x y

< −2 < 3 < ∞ < −2 22/25

Step 1: Representing regions and zones

x y

x − 0 < 3 0 − x < −2 y − 0 < ∞ 0 − y < −2

x y

< −2 < 3 < ∞ < −2 22/25

Step 1: Representing regions and zones

x y

x − 0 < 3 0 − x < −2 y − 0 < ∞ 0 − y < −2

x y

< −2 < 3 < ∞ < −2 < ∞ < ∞ 22/25

Step 1: Representing regions and zones

x y

x − 0 < 3 0 − x < −2 y − 0 < ∞ 0 − y < −2

x y

< −2 < 3 < ∞ < −2 < ∞ < ∞

Need a canonical representation

22/25

Step 1: Representing regions and zones

x y

x − 0 < 3 0 − x < −2 y − 0 < ∞ 0 − y < −2

x y

< −2 < 3 < ∞ < −2 < ∞ < ∞

Shortest path should be given by the direct edge

22/25

Step 1: Representing regions and zones

x y

x − 0 < 3 0 − x < −2 y − 0 < ∞ 0 − y < −2

x y

< −2 < 3 < ∞ < −2 < ∞ < 1

Shortest path should be given by the direct edge

22/25

Step 1: Representing regions and zones

x y

x − 0 < 3 0 − x < −2 y − 0 < ∞ 0 − y < −2

x y

< −2 < 3 < ∞ < −2 < ∞ < 1

For every zone Z, canonical distance graph GZ

22/25

Step 2: When is R ∩ Z′ empty?

Inspired by an observation made in [Bou04]

23/25

Step 2: When is R ∩ Z′ empty?

Inspired by an observation made in [Bou04]

x1 x2 x3

GR

x1 x2 x3

GZ′

23/25

Step 2: When is R ∩ Z′ empty?

Inspired by an observation made in [Bou04]

x1 x2 x3

GR

x1 x2 x3

GZ′

x2 x1 x3

min(GR, GZ′)

23/25

Step 2: When is R ∩ Z′ empty?

Inspired by an observation made in [Bou04]

x1 x2 x3

GR

x1 x2 x3

GZ′

x2 x1 x3

min(GR, GZ′)

Lemma

R ∩ Z′ is empty ⇔ min(GR, GZ′) has a negative cycle

23/25

Step 2: When is R ∩ Z′ empty?

Inspired by an observation made in [Bou04]

x1 x2 x3

GR

x1 x2 x3

GZ′

x2 x1 x3

min(GR, GZ′)

Lemma

R ∩ Z′ is empty ⇔ min(GR, GZ′) has a negative cycle involving at most 2 clocks!

23/25

Step 2: When is R ∩ Z′ empty?

Inspired by an observation made in [Bou04]

x1 x2 x3

GR

x1 x2 x3

GZ′

x2 x1 x3

min(GR, GZ′)

Lemma

R ∩ Z′ is empty ⇔ min(GR, GZ′) has a negative cycle involving at most 2 clocks!

23/25

Step 2: When is R ∩ Z′ empty?

Inspired by an observation made in [Bou04]

x1 x2 x3

GProjx2x3(R)

x1 x2 x3

GProjx2x3(Z′)

x2 x1 x3

Lemma

R ∩ Z′ is empty ⇔ min(GR, GZ′) has a negative cycle involving at most 2 clocks!

23/25

Step 2: When is R ∩ Z′ empty?

Inspired by an observation made in [Bou04]

x1 x2 x3

GProjx2x3(R)

x1 x2 x3

GProjx2x3(Z′)

x2 x1 x3

min(GProjx2x3(R), GProjx2x3(Z′))

Lemma

R ∩ Z′ is empty ⇔ min(GR, GZ′) has a negative cycle involving at most 2 clocks!

23/25

Step 2: When is R ∩ Z′ empty?

Inspired by an observation made in [Bou04]

x1 x2 x3

GProjx2x3(R)

x1 x2 x3

GProjx2x3(Z′)

x2 x1 x3

min(GProjx2x3(R), GProjx2x3(Z′))

Lemma

R ∩ Z′ is empty ⇔ ∃ x, y. Projxy(R) ∩ Projxy(Z′) is empty

23/25

Step 3: Reduction to two clocks

Recall: Z ⊆ ClosureM(Z′) ⇔ ∃R. R intersects Z, R does not intersect Z′

24/25

Step 3: Reduction to two clocks

Recall: Z ⊆ ClosureM(Z′) ⇔ ∃R. R intersects Z, R does not intersect Z′

x1 x2 x3

Z

x1 x2 x3

Z′

24/25

Step 3: Reduction to two clocks

Recall: Z ⊆ ClosureM(Z′) ⇔ ∃R. R intersects Z, R does not intersect Z′

x1 x2 x3

Z

x1 x2 x3

Z′

x1 x2 x3

R

24/25

Step 3: Reduction to two clocks

Recall: Z ⊆ ClosureM(Z′) ⇔ ∃R. R intersects Z, R does not intersect Z′

x1 x2 x3

Z

x1 x2 x3

Z′

x1 x2 x3

R

∩ ∩

24/25

Step 3: Reduction to two clocks

Recall: Z ⊆ ClosureM(Z′) ⇔ ∃R. R intersects Z, R does not intersect Z′

x1 x2 x3

Z

x1 x2 x3

Z′

x1 x2 x3

R

∩ ∩

24/25

Step 3: Reduction to two clocks

Recall: Z ⊆ ClosureM(Z′) ⇔ ∃R. R intersects Z, R does not intersect Z′

x1 x2 x3

Z

x1 x2 x3

Z′

x1 x2 x3

R

∩ ∩ ∩

Projx2x3(R) ∩ Projx2x3(Z′)

24/25

Step 3: Reduction to two clocks

Recall: Z ⊆ ClosureM(Z′) ⇔ ∃R. R intersects Z, R does not intersect Z′

x1 x2 x3

Z

x1 x2 x3

Z′

x1 x2 x3

R

∩ ∩

Projx2x3(R) ∩ Projx2x3(Z′)

24/25

Step 3: Reduction to two clocks

Recall: Z ⊆ ClosureM(Z′) ⇔ ∃R. R intersects Z, R does not intersect Z′

x1 x2 x3

Z

x1 x2 x3

Z′

x1 x2 x3

R

∩ ∩

Projx2x3(R) ∩ Projx2x3(Z′)

24/25

Step 3: Reduction to two clocks

Recall: Z ⊆ ClosureM(Z′) ⇔ ∃R. R intersects Z, R does not intersect Z′

x1 x2 x3

Z

x1 x2 x3

Z′

x1 x2 x3

R

∩ ∩

Projx2x3(R) ∩ Projx2x3(Z′) Projx2x3(R) ∩ Projx2x3(Z)

24/25

Step 3: Reduction to two clocks

Recall: Z ⊆ ClosureM(Z′) ⇔ ∃R. R intersects Z, R does not intersect Z′

x1 x2 x3

Z

x1 x2 x3

Z′

x1 x2 x3

R

∩ ∩

Projx2x3(R) ∩ Projx2x3(Z′) Projx2x3(R) ∩ Projx2x3(Z)

Theorem

Z ⊆ Closureα(Z′) if and only if there exist 2 clocks x, y s.t. Projxy(Z) ⊆ ClosureM(Projxy(Z′))

24/25

Step 3: Reduction to two clocks

x1 x2 x3

Z

x1 x2 x3

Z′

x1 x2 x3

R

∩ ∩

Projx2x3(R) ∩ Projx2x3(Z′) Projx2x3(R) ∩ Projx2x3(Z)

Theorem

Z ⊆ Closureα(Z′) if and only if there exist 2 clocks x, y s.t. Projxy(Z) ⊆ ClosureM(Projxy(Z′)) Slightly modified edge-edge comparison is enough

24/25

Step 3: Reduction to two clocks

x1 x2 x3

Z

x1 x2 x3

Z′

x1 x2 x3

R

∩ ∩

Projx2x3(R) ∩ Projx2x3(Z′) Projx2x3(R) ∩ Projx2x3(Z)

Theorem

Z ⊆ Closureα(Z′) if and only if there exist 2 clocks x, y s.t. Projxy(Z) ⊆ ClosureM(Projxy(Z′)) Complexity: O(|X|2), where X is the set of clocks

24/25

Step 3: Reduction to two clocks

x1 x2 x3

Z

x1 x2 x3

Z′

x1 x2 x3

R

∩ ∩

Projx2x3(R) ∩ Projx2x3(Z′) Projx2x3(R) ∩ Projx2x3(Z)

Theorem

Z ⊆ Closureα(Z′) if and only if there exist 2 clocks x, y s.t. Projxy(Z) ⊆ ClosureM(Projxy(Z′)) Same complexity as Z ⊆ Z′!

24/25

So what do we have now...

(q0, Z0) (q1, Z1) (q5, Z5) (q2, Z2) (q3, Z3) (q4, Z4) q3 = q1 ∧ Z3 ⊆ Closureα(Z1)?

Efficient algorithm for Z ⊆ Closureα(Z′)

25/25

Overall algorithm

◮ Store concrete semantics : zones ◮ Compute ZG(A): Z ⊆ Closureα′(Z′) for termination

26/25

Non-convex Convex

aLU ClosureM Extra+

M

Extra+

LU

ExtraLU ExtraM (M) (LU) Next lecture: aLU, optimality and benchmarks

27/25

References I

• R. Alur and D.L. Dill.

A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994.

• G. Behrmann, P. Bouyer, E. Fleury, and K. G. Larsen.

Static guard analysis in timed automata verification. In TACAS’03, volume 2619 of LNCS, pages 254–270. Springer, 2003.

• G. Behrmann, P. Bouyer, K. Larsen, and R. Pelánek.

Lower and upper bounds in zone based abstractions of timed automata. Tools and Algorithms for the Construction and Analysis of Systems, pages 312–326, 2004.

• P. Bouyer.

Forward analysis of updatable timed automata.

• Form. Methods in Syst. Des., 24(3):281–320, 2004.
• D. Dill.

Timing assumptions and verification of finite-state concurrent systems. In AVMFSS, volume 407 of LNCS, pages 197–212. Springer, 1989.

• C. Daws and S. Tripakis.

Model checking of real-time reachability properties using abstractions. In TACAS’98, volume 1384 of LNCS, pages 313–329. Springer, 1998. François Laroussinie and Ph. Schnoebelen. The state explosion problem from trace to bisimulation equivalence. In Proceedings of the Third International Conference on Foundations of Software Science and Computation Structures, FOSSACS ’00, pages 192–207. Springer-Verlag, 2000. 27/25