1 Efficient Verification of Timed Automata Kim Guldstrand Larsen Paul PetterssonMogens Nielsen BRICS@Aalborg BRICS@Aarhus.

1

Efficient Verification of Timed Automata

Kim Guldstrand Larsen Paul Pettersson Mogens Nielsen BRICS@Aalborg BRICS@Aarhus

2

REGIONSreview

3Petri Net, June 2000 Kim G. Larsen, Mogens Nielsen, Paul Pettersson UCb

RegionsFinite partitioning of state space

x

y Definition

max

'

n

nxxnx

w'www

jii

where

and

form the

of conditions same exact the

satisfy and iff

An equivalence class (i.e. a region)in fact there is only a finite number of regions!!

1 2 3

1

2



x

y Definition

max

'

n

nxxnx

w'www

jii

where

and

form the


satisfy and iff

An equivalence class (i.e. a region)

Successor regions, Succ(r)

r

1 2 3

1

2



x

y

Definition

max

'

n

nxxnx

w'www

jii

where

and

form the


satisfy and iff

An equivalence class (i.e. a region) r

{x}r

{y}r

r

Resetregions

sat

sat

then Whenever

','

,

''

vl,u

vl,u

vuuv

THEOREM

1 2 3

1

2


Fischers again A1 B1 CS1V:=1 V=1

A2 B2 CS2V:=2 V=2Y<1

X:=0

Y:=0

X>1

Y>1

X<1

A1,A2,v=1

A1,B2,v=2

A1,CS2,v=2

B1,CS2,v=1

CS1,CS2,v=1

Untimed case

A1,A2,v=1x=y=0

A1,A2,v=10 <x=y <1

A1,A2,v=1x=y=1

A1,A2,v=11 <x,y

A1,B2,v=20 <x<1

y=0

A1,B2,v=20 <y < x<1

A1,B2,v=20 <y < x=1

y=0

A1,B2,v=20 <y<1

1 <x

A1,B2,v=21 <x,y

A1,B2,v=2y=11 <x

A1,CS2,v=21 <x,y

No further behaviour possible!!

Timed case

PartialRegion Graph


Regions – Alternativ Definition

x

y

1 2 3

1

2


Problem with regions

Number of regions over n clocks:

Cx

Explosion in number of clocks

Explosion in maximal constant

Reachability is PSPACE complete for asingle TA

9

THE UPPAAL ENGINE

Reachability & ZonesProperty and system dependent

partitioning


ZonesFrom infinite to finite

State(n, x=3.2, y=2.5 )

x

y

x

y

Symbolic state (set)(n, )

Zone:conjunction ofx-y<=n, x<=>n

3y4,1x1


Symbolic Transitions

n

m

x>3

y:=0

x

ydelays to

conjuncts to

projects to

x

y

1<=x<=41<=y<=3

x

y1<=x, 1<=y-2<=x-y<=3

x

y 3<x, 1<=y-2<=x-y<=3

3<x, y=0

Thus (n,1<=x<=4,1<=y<=3) =a => (m,3<x, y=0)Thus (n,1<=x<=4,1<=y<=3) =a => (m,3<x, y=0)

a


A1 B1 CS1V:=1 V=1

A2 B2 CS2V:=2 V=2

Init V=1

2´

VCriticial Section

Fischer’s Protocolanalysis using zones

Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Fischers cont. B1 CS1

V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10

A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1

Untimed case

A1



V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case

Taking time into account

X

Y

A1



V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


X

Y

A1

10X

Y1010



V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


A1

10X

Y10

X

Y10



V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


A1

10X

Y10

X

Y10

10X

Y10



V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


A1

10X

Y10

X

Y10

10X

Y10


Forward Rechability

Passed

WaitingFinal

Init

INITIAL Passed := Ø; Waiting := {(n0,Z0)}

REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add

{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed

UNTIL Waiting = Ø or Final is in Waiting

Init -> Final ?


Forward Rechability

Passed

Waiting Final

Init

n,Z


REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add



n,Z’

Init -> Final ?


Forward Rechability

Passed

Waiting Final

Init

n,Z


REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add



n,Z’

m,U

Init -> Final ?


Forward Rechability

Passed

Waiting Final

Init


REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add



n,Z’

m,U

n,Z

Init -> Final ?


Canonical Dastructures for ZonesDifference Bounded Matrices Bellman 1958, Dill 1989

x<=1y-x<=2z-y<=2z<=9

x<=1y-x<=2z-y<=2z<=9

x<=2y-x<=3y<=3z-y<=3z<=7

x<=2y-x<=3y<=3z-y<=3z<=7

D1

D2

Inclusion

0

x

y

z

1 2

29

0

x

y

z

2 3

37

3

? ?

Graph

Graph


Bellman 1958, Dill 1989

x<=1y-x<=2z-y<=2z<=9

x<=1y-x<=2z-y<=2z<=9

x<=2y-x<=3y<=3z-y<=3z<=7

x<=2y-x<=3y<=3z-y<=3z<=7

D1

D2

Inclusion

0

x

y

z

1 2

29

ShortestPath

Closure

ShortestPath

Closure

0

x

y

z

1 2

25

0

x

y

z

2 3

37

0

x

y

z

2 3

36

3

3 3

Graph

Graph

? ?

Canonical Dastructures for ZonesDifference Bounded Matrices


Bellman 1958, Dill 1989

x<=1y>=5y-x<=3

x<=1y>=5y-x<=3

D

Emptiness

0y

x1

3

-5

Negative Cycleiffempty solution set

Graph


Compact


1<= x <=41<= y <=3

1<= x <=41<= y <=3

D

Future

x

y

x

y

Future D

0

y

x4

-1

3

-1

ShortestPath

Closure

Removeupper

boundson clocks

1<=x, 1<=y-2<=x-y<=3

1<=x, 1<=y-2<=x-y<=3

y

x

-1

-1

3

2

0

y

x

-1

-1

3

2

0

4

3




x

y

D

1<=x, 1<=y-2<=x-y<=3

1<=x, 1<=y-2<=x-y<=3

y

x

-1

-1

3

2

0

Remove allbounds

involving yand set y to 0

x

y

{y}D

y=0, 1<=xy=0, 1<=x

Reset

y

x

-1

0

0 0


Improved DatastructuresCompact Datastructure for Zones

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1 x2

x3x0

-4

10

22

5

3

x1 x2

x3x0

-4

4

22

5

3 3 -2 -2

1

ShortestPath

ClosureO(n^3)

RTSS 1997


Improved DatastructuresCompact Datastructure for Zones

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1 x2

x3x0

-4

10

22

5

3

x1 x2

x3x0

-4

4

22

5

3

x1 x2

x3x0

-4

22

3

3 -2 -2

1

ShortestPath

ClosureO(n^3)

ShortestPath

ReductionO(n^3) 3

Canonical wrt =Space worst O(n^2) practice O(n)

RTSS 1997


v and w are both redundantRemoval of one depends on presence of other.

v and w are both redundantRemoval of one depends on presence of other.

Shortest Path Reduction1st attempt

Idea

Problem

w

<=wAn edge is REDUNDANT if there existsan alternative path of no greater weight THUS Remove all redundant edges!

An edge is REDUNDANT if there existsan alternative path of no greater weight THUS Remove all redundant edges!

w

v

Observation: If no zero- or negative cycles then SAFE to remove all redundancies.

Observation: If no zero- or negative cycles then SAFE to remove all redundancies.


Shortest Path ReductionSolution

G: weighted graph



G: weighted graph

1. Equivalence classes based on 0-cycles.

2. Graph based on representatives. Safe to remove redundant edges



G: weighted graph

1. Equivalence classes based on 0-cycles.

2. Graph based on representatives. Safe to remove redundant edges

3. Shortest Path Reduction = One cycle pr. class + Removal of redundant edges between classes


Other Symbolic Datastructures

Regions Alur, Dill

NDD’s Maler et. al.

CDD’s UPPAAL/CAV99

DDD’s Møller, Lichtenberg

Polyhedra HyTech

......

CDD-representationsCDD-representations


Verification Options• Diagnostic Trace

• Breadth-First• Depth-First

• Local Reduction• Active-Clock Reduction• Global Reduction

• Re-Use State-Space

• Over-Approximation• Under-Approximation

• Diagnostic Trace

• Breadth-First• Depth-First

• Local Reduction• Active-Clock Reduction• Global Reduction

• Re-Use State-Space

• Over-Approximation• Under-Approximation

Case Studies


Representation of symbolic states (In)Active Clock Reduction

x is only active in location S1

x>3x<5

x:=0

x:=0

S x is inactive at S if on all path fromS, x is always reset before beingtested.

Definitionx<7

Case Studies


Representation of symbolic states Active Clock Reduction

x>3x<5

S

x is inactive at S if on all path fromS, x is always reset before beingtested.

Definitiong1

gkg2r1

r2 rk

iii

ii

rClocks/SAct

gClocks

)S(Act

S1

S2 Sk

Only save constraints on active clocks


When to store symbolic stateGlobal Reduction

No Cycles: Passed list not needed for termination

However,Passed list useful forefficiency

Case Studies


When to store symbolic stateGlobal Reduction

Cycles: Only symbolic states involving loop-entry points need to be saved on Passed list

Case Studies


Reuse State Space

Passed

Waiting

prop1

A[] prop1

A[] prop2A[] prop3A[] prop4A[] prop5...A[] propn

Searchin existingPassedlist beforecontinuingsearch

Which orderto search?

prop2

Case Studies


Reuse State Space

Passed

Waiting

prop1

A[] prop1

A[] prop2A[] prop3A[] prop4A[] prop5...A[] propn

Searchin existingPassedlist beforecontinuingsearch

Which orderto search?Hashtable

prop2

Case Studies


Over-approximationConvex Hull

x

y

Convex Hull

1 3 5

1

3

5

Case Studies


Under-approximationBitstate Hashing

Passed

Waiting Final

Init

n,Z’

m,U

n,Z


Under-approximationBitstate Hashing

Passed

Waiting Final

Init

n,Z’

m,U

n,Z

Passed= Bitarray

1

0

1

0

0

1

UPPAAL 8 Mbits

HashfunctionF


Bitstate Hashing


REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed thenthen STOPSTOP - else /explore/ add




REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed thenthen STOPSTOP - else /explore/ add



Passed(F(n,Z)) = 1

Passed(F(n,Z)) := 1

46

END

1 Efficient Verification of Timed Automata Kim Guldstrand Larsen Paul PetterssonMogens Nielsen BRICS@Aalborg BRICS@Aarhus.

Documents

paul petterssonucb fischers

automatic verification

tool visualstate

tool uppaal

automatic verification

succrr12312petri net

aalborg brics

tool suite