Zone based verification of timed automata revisited B. Srivathsan - PowerPoint PPT Presentation

Using Closure α for reachability ( q 0 , a ( Z 0 )) ( q 1 , a ( Z 1 )) ( q 5 , a ( Z 5 )) q 3 = q 1 ∧ a ( Z 3 ) ⊆ a ( Z 1 )? ( q 2 , a ( Z 2 )) ( q 4 , a ( Z 4 )) ( q 3 , a ( Z 3 )) Standard algorithm: covering tree Zone based verification of timed automata revisited - 14/45

Using Closure α for reachability ( q 0 , a ( Z 0 )) ( q 1 , a ( Z 1 )) ( q 5 , a ( Z 5 )) ( q 2 , a ( Z 2 )) ( q 4 , a ( Z 4 )) ( q 3 , a ( Z 3 )) Closure α ( Z ) cannot be efficiently stored Zone based verification of timed automata revisited - 14/45

Using Closure α for reachability ( q 0 , Z 0 ) ( q 1 , Z 1 ) ( q 5 , Z 5 ) ( q 2 , Z 2 ) ( q 4 , Z 4 ) ( q 3 , Z 3 ) Do not store abstracted zones! Zone based verification of timed automata revisited - 14/45

Using Closure α for reachability ( q 0 , Z 0 ) ( q 1 , Z 1 ) ( q 5 , Z 5 ) q 3 = q 1 ∧ Z 3 ⊆ Closure α ( Z 1 )? ( q 2 , Z 2 ) ( q 4 , Z 4 ) ( q 3 , Z 3 ) Use Closure for termination! Zone based verification of timed automata revisited - 14/45

Using Closure α for reachability ( q 0 , Z 0 ) ( q 1 , Z 1 ) ( q 5 , Z 5 ) q 3 = q 1 ∧ Z 3 ⊆ Closure α ( Z 1 )? ( q 2 , Z 2 ) ( q 4 , Z 4 ) ( q 3 , Z 3 ) Need an efficient algorithm for Z ⊆ Closure α ( Z ′ ) Zone based verification of timed automata revisited - 14/45

Reduction to two clocks Inspired by a crucial observation made in [Bou04] Theorem Z �⊆ Closure α ( Z ′ ) if and only if there exist 2 clocks x , y s.t. Proj xy ( Z ) �⊆ Closure α ( Proj xy ( Z ′ )) Zone based verification of timed automata revisited - 15/45

Reduction to two clocks Inspired by a crucial observation made in [Bou04] Theorem Z �⊆ Closure α ( Z ′ ) if and only if there exist 2 clocks x , y s.t. Proj xy ( Z ) �⊆ Closure α ( Proj xy ( Z ′ )) Complexity: O ( | X | 2 ), where X is the set of clocks Zone based verification of timed automata revisited - 15/45

Reduction to two clocks Inspired by a crucial observation made in [Bou04] Theorem Z �⊆ Closure α ( Z ′ ) if and only if there exist 2 clocks x , y s.t. Proj xy ( Z ) �⊆ Closure α ( Proj xy ( Z ′ )) Same complexity as Z ⊆ Z ′ ! Zone based verification of timed automata revisited - 15/45

So what do we have now... ( q 0 , Z 0 ) ( q 1 , Z 1 ) ( q 5 , Z 5 ) q 3 = q 1 ∧ Z 3 ⊆ Closure α ( Z 1 )? ( q 2 , Z 2 ) ( q 4 , Z 4 ) ( q 3 , Z 3 ) Efficient algorithm for Z ⊆ Closure α ( Z ′ ) Zone based verification of timed automata revisited - 16/45

So what do we have now... ( q 0 , Z 0 ) ( q 1 , Z 1 ) ( q 5 , Z 5 ) q 3 = q 1 ∧ Z 3 ⊆ Closure α ( Z 1 )? ( q 2 , Z 2 ) ( q 4 , Z 4 ) ( q 3 , Z 3 ) Coming next: prune the bound function α ! Zone based verification of timed automata revisited - 16/45

Bound function α q 0 q 1 x ≤ 5 y ≥ 5 y ≥ 10 6 x := 0 x ≤ 14 y := 0 q 3 q 2 Naive: α ( x ) = 14, α ( y ) = 10 6 Size of graph ∼ 10 5 Zone based verification of timed automata revisited - 17/45

Static analysis: bound function for every q [BBFL03] 5 5 q 0 q 1 x ≤ 5 y ≥ 5 y ≥ 10 6 x := 0 x ≤ 14 y := 0 q 3 q 2 10 6 5 Naive: α ( x ) = 14, α ( y ) = 10 6 Zone based verification of timed automata revisited - 17/45

Static analysis: bound function for every q [BBFL03] 5 5 q 0 q 1 x ≤ 5 y ≥ 5 y ≥ 10 6 x := 0 x ≤ 14 y := 0 q 3 q 2 10 6 5 Naive: α ( x ) = 14, α ( y ) = 10 6 But this is not enough! Zone based verification of timed automata revisited - 17/45

Need to look at semantics... x = 1 x := 0 Static analysis: α ( y ) = 10 6 q 0 q 1 x ≥ 2 x < 1 y = 10 6 q 3 q 2 More than 10 6 zones at q 0 not necessary ! Zone based verification of timed automata revisited - 18/45

Bound function for every ( q , Z ) in ZG( A ) constants at depend on subtree . . . . . . . . . Zone based verification of timed automata revisited - 19/45

Constant propagation α ( x ) = −∞ ( q , Z , α ) Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = −∞ ( q , Z , α ) x ≤ 3 Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = 3 ( q , Z , α ) x ≤ 3 Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = 3 ( q , Z , α ) x ≤ 3 Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = 5 ( q , Z , α ) x ≤ 3 Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = 5 ( q , Z , α ) x ≤ 3 Z ′ ⊆ Closure α ( Z ) ( q ′ , Z ′ , α ′ ) Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = 5 ( q , Z , α ) x ≤ 3 x > 6 Z ′ ⊆ Closure α ( Z ) ( q ′ , Z ′ , α ′ ) Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = 6 ( q , Z , α ) x ≤ 3 x > 6 Z ′ ⊆ Closure α ( Z ) ( q ′ , Z ′ , α ′ ) Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = 6 ( q , Z , α ) x ≤ 3 x > 6 Z ′ ⊆ Closure α ( Z ) ( q ′ , Z ′ , α ′ ) Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = 6 ( q , Z , α ) x ≤ 3 x > 6 Z ′ ⊆ Closure α ( Z ) ( q ′ , Z ′ , α ′ ) Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = 6 ( q , Z , α ) X x ≤ 3 x ≥ 11 x > 6 Z ′ ⊆ Closure α ( Z ) ( q ′ , Z ′ , α ′ ) Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = 11 ( q , Z , α ) X x ≤ 3 x ≥ 11 x > 6 Z ′ ⊆ Closure α ( Z ) ( q ′ , Z ′ , α ′ ) Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = 11 ( q , Z , α ) X x ≤ 3 x ≥ 11 x > 6 Z ′ ⊆ Closure α ( Z ) ( q ′ , Z ′ , α ′ ) Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = 11 ( q , Z , α ) X x ≤ 3 x ≥ 11 x > 6 Z ′ ⊆ Closure α ( Z ) ( q ′ , Z ′ , α ′ ) Zone based verification of timed automata revisited - 20/45

Constant propagation α ( x ) = 11 ( q , Z , α ) x := 0 X x ≤ 3 x ≥ 11 x > 6 Z ′ ⊆ Closure α ( Z ) ( q ′ , Z ′ , α ′ ) Zone based verification of timed automata revisited - 20/45

Constant propagation All tentative nodes consistent α ( x ) = 11 + No more exploration ( q , Z , α ) → Terminate! x := 0 X x ≤ 3 x ≥ 11 x > 6 Z ′ ⊆ Closure α ( Z ) ( q ′ , Z ′ , α ′ ) Zone based verification of timed automata revisited - 20/45

Invariants on the bounds ◮ Non tentative nodes: α = max { α succ } (modulo resets) ◮ Tentative nodes: α = α covering Theorem (Correctness) An accepting state is reachable in ZG( A ) iff the algorithm reaches a node with an accepting state and a non-empty zone. Zone based verification of timed automata revisited - 21/45

Overall algorithm ◮ Compute ZG ( A ): Z ⊆ Closure α ′ ( Z ′ ) for termination ◮ Bounds α calculated on-the-fly ◮ Abstraction Extra + LU can also be handled : a � LU Closure α ◦ Extra + LU Extra + Closure α LU Extra + α Extra α An efficient O ( | X | 2 ) procedure for Z ⊆ Closure α ( Extra + LU ( Z ′ ))! Zone based verification of timed automata revisited - 22/45

Benchmarks Model Our algorithm UPPAAL’s algorithm UPPAAL 4.1.3 (-n4 -C -o1) nodes s. nodes s. nodes s. CSMA/CD7 5031 0 . 32 5923 0 . 27 − T.O. CSMA/CD8 16588 1 . 36 19017 1 . 08 − T.O. CSMA/CD9 54439 6 . 01 60783 4 . 19 − T.O. FDDI10 459 0 . 02 525 0 . 06 12049 2 . 43 FDDI20 1719 0 . 29 2045 0 . 78 − T.O. FDDI30 3779 1 . 29 4565 4 . 50 − T.O. Fischer7 7737 0 . 42 20021 0 . 53 18374 0 . 35 Fischer8 25080 1 . 55 91506 2 . 48 85438 1 . 53 Fischer9 81035 5 . 90 420627 12 . 54 398685 8 . 95 Fischer10 − T.O. − T.O. 1827009 53 . 44 ◮ Extra + LU and static analysis bounds in UPPAAL ◮ Closure α (Extra + LU ) and otf bounds in our algorithm Zone based verification of timed automata revisited - 23/45

Part 2: The liveness problem Zone based verification of timed automata revisited - 24/45

Timed B¨ uchi Automata [AD94] Run: infinite sequence of transitions y x ���� ���� 0 . 4 , a 0 . 5 , c 0 . 3 , d 15 , d ( s 0 , 0 , 0 ) − − − → ( s 1 , 0 . 4 , 0) − − − → ( s 3 , 0 . 9 , 0 . 5) − − − → ( s 3 , 1 . 2 , 0 . 8) − − → · · · ◮ accepting if infinitely often green ◮ non-Zeno if time diverges ( � i ≥ 0 δ i → ∞ ) Zone based verification of timed automata revisited - 25/45

Model-Checking Real-Time Systems Correctness: Safety + Liveness + Fairness ¬ open open , x := 0 ( x < 5) , close ”Infinitely often, the gate is open for at least 5 s.” Realistic counter-examples: infinite non-Zeno runs Zone based verification of timed automata revisited - 26/45

The problem that we consider Given a TBA A , does it have a non-Zeno accepting run Theorem [AD94] Deciding if a TBA has a non-Zeno accepting run is PSPACE- complete Zone based verification of timed automata revisited - 27/45

Once again abstract zone graph ZG a ( A ) a � LU Extra + Closure α LU � Extra + α � Extra α � Sound and complete [Bou04, BBLP06, Tri09, Li09] α , Extra + Extra α , Extra + LU preserve repeated state reachability Zone based verification of timed automata revisited - 28/45

Once again abstract zone graph ZG a ( A ) a � LU Extra + Closure α LU � Extra + α � Extra α � Sound and complete [Bou04, BBLP06, Tri09, Li09] α , Extra + Extra α , Extra + LU preserve repeated state reachability What about non-Zenoness ? Zone based verification of timed automata revisited - 28/45

Finding non-Zeno Runs from Abstract Paths y := 0 x := 0 s 1 s 0 s 2 ( y ≤ 0) ( x ≤ 0) Region graph: ( s 1 , 0 = x < y ) ( s 2 , 0 = y < x ) ( s 0 , 0 = x = y ) ( s 1 , 0 = x = y ) ( s 0 , 0 = x = y ) ( s 2 , 0 = y = x ) Zone graph with Extra α : ( s 0 , 0 = x = y ) ( s 1 , 0 = x ≤ y ) ( s 0 , 0 = x = y ) ( s 2 , 0 = y ≤ x ) Zone graph with Extra + LU : ( s 0 , ⊤ ) ( s 1 , ⊤ ) ( s 0 , ⊤ ) ( s 2 , ⊤ ) Zone based verification of timed automata revisited - 29/45

Finding non-Zeno Runs from Abstract Paths y := 0 x := 0 s 1 s 0 s 2 ( y ≤ 0) ( x ≤ 0) Region graph: ( s 1 , 0 = x < y ) ( s 2 , 0 = y < x ) ( s 0 , 0 = x = y ) ( s 1 , 0 = x = y ) ( s 0 , 0 = x = y ) ( s 2 , 0 = y = x ) Zone graph with Extra α : ( s 0 , 0 = x = y ) ( s 1 , 0 = x ≤ y ) ( s 0 , 0 = x = y ) ( s 2 , 0 = y ≤ x ) Zone graph with Extra + LU : ( s 0 , ⊤ ) ( s 1 , ⊤ ) ( s 0 , ⊤ ) ( s 2 , ⊤ ) How to detect non-Zeno runs from abstract zones ? Zone based verification of timed automata revisited - 29/45

From TBA to Strongly non-Zeno TBA [TYB05] Key Idea : reduce non-Zenoness to B¨ uchi acceptation ≥ 1 ≥ 1 . . . . . . . . . . . . . . . g 1 ; R 1 . . . R 2 ; 2 g A Zone based verification of timed automata revisited - 30/45

From TBA to Strongly non-Zeno TBA [TYB05] Key Idea : reduce non-Zenoness to B¨ uchi acceptation ≥ 1 ≥ 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . g 1 ; R 1 . . . R 2 ; 2 g A Zone based verification of timed automata revisited - 30/45

From TBA to Strongly non-Zeno TBA [TYB05] Key Idea : reduce non-Zenoness to B¨ uchi acceptation ≥ 1 ≥ 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . g 1 ; R 1 g 1 & ( t ≥ 1) g 1 ; R 1 R 1 ; t := 0 . . . . . g 2 & ( t ≥ 1) . R 2 ; t := 0 R 2 ; 2 g g 2 ; R 2 A A ′ Zone based verification of timed automata revisited - 30/45

Strongly non-Zeno TBA [Tri99, TYB05] Definition Strongly non-Zeno TBA: all accepting runs are non-Zeno Theorem [TYB05] For every TBA A , there exists a Strongly non-Zeno TBA A ′ that has an accepting run iff A has a non-Zeno accepting run (size of A ′ : | X | + 1 clocks and at most 2 | Q | states) Theorem [Tri09] A has a non-Zeno accepting run iff ZG( A ′ ) has an accepting run Zone based verification of timed automata revisited - 31/45

What we observe Extra + LU Strongly non-Zeno Extra + Construction [TYB05] α Extra α Zone based verification of timed automata revisited - 32/45

What we observe Extra + LU Strongly non-Zeno Extra + Construction [TYB05] α Combinatorial blowup Extra α | ZG a ( A ) | . O (2 | X | ) Zone based verification of timed automata revisited - 32/45

and we propose... Extra + LU Strongly non-Zeno Extra + Construction [TYB05] α Combinatorial blowup Extra α | ZG a ( A ) | . O (2 | X | ) Polynomial algorithm | ZG a ( A ) | . O ( | X | 2 ) Zone based verification of timed automata revisited - 32/45

and we propose... NP-complete Extra + LU Given A , ZG Extra + LU does A have a non-Zeno run? Strongly non-Zeno Extra + Construction [TYB05] α Combinatorial blowup Extra α | ZG a ( A ) | . O (2 | X | ) Polynomial algorithm | ZG a ( A ) | . O ( | X | 2 ) Zone based verification of timed automata revisited - 32/45

and we propose... NP-complete Extra + LU Given A , ZG Extra + LU does A have a non-Zeno run? Strongly non-Zeno Extra + Construction [TYB05] α Combinatorial blowup Extra α | ZG a ( A ) | . O (2 | X | ) Polynomial algorithm | ZG a ( A ) | . O ( | X | 2 ) Coming next: the polynomial construction Zone based verification of timed automata revisited - 32/45

Our approach to non-Zenoness A path in ZG a ( A ) yields only Zeno runs iff: 1. some clock x is blocking : ( x ≤ 1) ( x ≤ 2) ( x ≤ 1) ( x ≤ 2) • · · · • · · · • · · · • · · · • · · · x := 0 x := 0 x never reset Zone based verification of timed automata revisited - 33/45

Our approach to non-Zenoness A path in ZG a ( A ) yields only Zeno runs iff: 1. some clock x is blocking : ( x ≤ 1) ( x ≤ 2) ( x ≤ 1) ( x ≤ 2) • · · · • · · · • · · · • · · · • · · · x := 0 x := 0 x never reset 2. or time cannot elapse due to zero-checks : ( y = 0) ( x = 0) ( y = 0) ( x = 0) • • • • • • • • • · · · x := 0 y := 0 x := 0 y := 0 x := 0 time cannot elapse Zone based verification of timed automata revisited - 33/45

Our approach to non-Zenoness A path in ZG a ( A ) yields only Zeno runs iff: 1. some clock x is blocking : ( x ≤ 1) ( x ≤ 2) ( x ≤ 1) ( x ≤ 2) • · · · • · · · • · · · • · · · • · · · x := 0 x := 0 x never reset 2. or time cannot elapse due to zero-checks : ( y = 0) ( x = 0) ( y = 0) ( x = 0) • • • • • • • • • · · · x := 0 y := 0 x := 0 y := 0 x := 0 time cannot elapse ◮ Idea : define conditions on SCC in ZG a ( A ) to detect those two situations Zone based verification of timed automata revisited - 33/45