symbolic reachability and beyound or how uppaal really works kim guldstrand larsen brics@aalborg
DESCRIPTION
Symbolic Reachability and Beyound or how UPPAAL really works Kim Guldstrand Larsen BRICS@Aalborg. Timed Automata. Alur & Dill 1990. Clocks : x, y. Guard Boolean combination of integer bounds on clocks and clock-differences. n. Reset Action perfomed on clocks. Action used - PowerPoint PPT PresentationTRANSCRIPT
2DTU March 7, 2002. Kim G. Larsen
UCb
Timed Automata
n
m
a
Alur & Dill 1990
Clocks: x, y
x<=5 & y>3
x := 0
Guard Boolean combination of integer boundson clocks and clock-differences.
ResetAction perfomed on clocks
Transitions
( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )
e(1.1)
( n , x=2.4 , y=3.1415 ) ( m , x=0 , y=3.1415 )
a
State ( location , x=v , y=u ) where v,u are in R
Actionused
for synchronization
3DTU March 7, 2002. Kim G. Larsen
UCb
n
m
a
Clocks: x, y
x<=5 & y>3
x := 0
Transitions
( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )
e(1.1)
( n , x=2.4 , y=3.1415 )
e(3.2)
x<=5
y<=10
LocationInvariants
g1g2 g3
g4
Timed Automata Invariants
Invariants ensure
progress!!
Invariants ensure
progress!!
4DTU March 7, 2002. Kim G. Larsen
UCb
A1 B1 CS1V:=1 V=1
A2 B2 CS2V:=2 V=2
Init V=1
2´
VCriticial Section
Fischer’s Protocolanalysis using zones
Y<10
X:=0
Y:=0
X>10
Y>10
X<10
6DTU March 7, 2002. Kim G. Larsen
UCb ZonesFrom infinite to finite
State(n, x=3.2, y=2.5 )
x
y
x
y
Symbolic state (set)(n, )
Zone:conjunction ofx-y<=n, x<=>n
3y4,1x1
7DTU March 7, 2002. Kim G. Larsen
UCb
Symbolic Transitions
n
m
x>3
y:=0
delays to
conjuncts to
projects to
x
y
1<=x<=41<=y<=3
x
y1<=x, 1<=y-2<=x-y<=3
x
y 3<x, 1<=y-2<=x-y<=3
3<x, y=0
x
y
Thus (n,1<=x<=4,1<=y<=3) =a => (m,3<x, y=0)Thus (n,1<=x<=4,1<=y<=3) =a => (m,3<x, y=0)
a
8DTU March 7, 2002. Kim G. Larsen
UCb
A1 B1 CS1V:=1 V=1
A2 B2 CS2V:=2 V=2
Init V=1
2´
VCriticial Section
Fischer’s Protocolanalysis using zones
Y<10
X:=0
Y:=0
X>10
Y>10
X<10
9DTU March 7, 2002. Kim G. Larsen
UCb
Fischers cont. B1 CS1
V:=1 V=1
A2 B2 CS2V:=2 V=2Y<10
X:=0
Y:=0
X>10
Y>10
X<10
A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1
Untimed case
A1
10DTU March 7, 2002. Kim G. Larsen
UCb
Fischers cont. B1 CS1
V:=1 V=1
A2 B2 CS2V:=2 V=2Y<10
X:=0
Y:=0
X>10
Y>10
X<10
A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1
Untimed case
Taking time into account
X
Y
A1
11DTU March 7, 2002. Kim G. Larsen
UCb
Fischers cont. B1 CS1
V:=1 V=1
A2 B2 CS2V:=2 V=2Y<10
X:=0
Y:=0
X>10
Y>10
X<10
A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1
Untimed case
Taking time into account
X
Y
A1
10X
Y1010
12DTU March 7, 2002. Kim G. Larsen
UCb
Fischers cont. B1 CS1
V:=1 V=1
A2 B2 CS2V:=2 V=2Y<10
X:=0
Y:=0
X>10
Y>10
X<10
A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1
Untimed case
Taking time into account
A1
10X
Y10
X
Y10
13DTU March 7, 2002. Kim G. Larsen
UCb
Fischers cont. B1 CS1
V:=1 V=1
A2 B2 CS2V:=2 V=2Y<10
X:=0
Y:=0
X>10
Y>10
X<10
A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1
Untimed case
Taking time into account
A1
10X
Y10
X
Y10
10X
Y10
14DTU March 7, 2002. Kim G. Larsen
UCb
Fischers cont. B1 CS1
V:=1 V=1
A2 B2 CS2V:=2 V=2Y<10
X:=0
Y:=0
X>10
Y>10
X<10
A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1
Untimed case
Taking time into account
A1
10X
Y10
X
Y10
10X
Y10
15DTU March 7, 2002. Kim G. Larsen
UCb
Forward Rechability
Passed
WaitingFinal
Init
INITIAL Passed := Ø; Waiting := {(n0,Z0)}
REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add
{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
Init -> Final ?
16DTU March 7, 2002. Kim G. Larsen
UCb
Forward Rechability
Passed
Waiting Final
Init
n,Z
INITIAL Passed := Ø; Waiting := {(n0,Z0)}
REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add
{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
n,Z’
Init -> Final ?
17DTU March 7, 2002. Kim G. Larsen
UCb
Forward Rechability
Passed
Waiting Final
Init
n,Z
INITIAL Passed := Ø; Waiting := {(n0,Z0)}
REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add
{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
n,Z’
m,U
Init -> Final ?
18DTU March 7, 2002. Kim G. Larsen
UCb
Forward Rechability
Passed
Waiting Final
Init
INITIAL Passed := Ø; Waiting := {(n0,Z0)}
REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add
{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
n,Z’
m,U
n,Z
Init -> Final ?
19DTU March 7, 2002. Kim G. Larsen
UCb Canonical Dastructures for Zones
Difference Bounded Matrices Bellman 1958, Dill 1989
x<=1y-x<=2z-y<=2z<=9
x<=1y-x<=2z-y<=2z<=9
x<=2y-x<=3y<=3z-y<=3z<=7
x<=2y-x<=3y<=3z-y<=3z<=7
D1
D2
Inclusion
0
x
y
z
1 2
29
0
x
y
z
2 3
37
3
? ?
Graph
Graph
20DTU March 7, 2002. Kim G. Larsen
UCb
Bellman 1958, Dill 1989
x<=1y-x<=2z-y<=2z<=9
x<=1y-x<=2z-y<=2z<=9
x<=2y-x<=3y<=3z-y<=3z<=7
x<=2y-x<=3y<=3z-y<=3z<=7
D1
D2
Inclusion
0
x
y
z
1 2
29
ShortestPath
Closure
ShortestPath
Closure
0
x
y
z
1 2
25
0
x
y
z
2 3
37
0
x
y
z
2 3
36
3
3 3
Graph
Graph
? ?
Canonical Dastructures for ZonesDifference Bounded Matrices
Canonical Form
21DTU March 7, 2002. Kim G. Larsen
UCb
Bellman 1958, Dill 1989
x<=1y>=5y-x<=3
x<=1y>=5y-x<=3
D
Emptyness
0y
x1
3
-5
Negative Cycleiffempty solution set
Graph
Canonical Dastructures for ZonesDifference Bounded Matrices
22DTU March 7, 2002. Kim G. Larsen
UCb
1<= x <=41<= y <=3
1<= x <=41<= y <=3
D
Future
x
y
x
y
Future D
0
y
x4
-1
3
-1
ShortestPath
Closure
Removeupper
boundson clocks
1<=x, 1<=y-2<=x-y<=3
1<=x, 1<=y-2<=x-y<=3
y
x
-1
-1
3
2
0
y
x
-1
-1
3
2
0
4
3
Canonical Dastructures for ZonesDifference Bounded Matrices
23DTU March 7, 2002. Kim G. Larsen
UCb Canonical Dastructures for Zones
Difference Bounded Matrices
x
y
D
1<=x, 1<=y-2<=x-y<=3
1<=x, 1<=y-2<=x-y<=3
y
x
-1
-1
3
2
0
Remove allbounds
involving yand set y to 0
x
y
{y}D
y=0, 1<=xy=0, 1<=x
Reset
y
x
-1
0
0 0
24DTU March 7, 2002. Kim G. Larsen
UCb Improved DatastructuresCompact Datastructure for Zones
x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5
x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5
x1 x2
x3x0
-4
10
22
5
3
x1 x2
x3x0
-4
4
22
5
3
x1 x2
x3x0
-4
22
3
3 -2 -2
1
ShortestPath
ClosureO(n^3)
ShortestPath
ReductionO(n^3) 3
Canonical wrt =Space worst O(n^2) practice O(n)
RTSS’97
25DTU March 7, 2002. Kim G. Larsen
UCb SPACE PERFORMANCE
0
0,1
0,2
0,3
0,4
0,5
0,6
0,7
0,8
0,9
1
Per
cen
t Minimal Constraint
Global Reduction
Combination
26DTU March 7, 2002. Kim G. Larsen
UCb TIME PERFORMANCE
0
0,5
1
1,5
2
2,5
Per
cen
t Minimal Constraint
Global Reduction
Combination
27DTU March 7, 2002. Kim G. Larsen
UCb
v and w are both redundantRemoval of one depends on presence of other.
v and w are both redundantRemoval of one depends on presence of other.
Shortest Path Reduction1st attempt
Idea
Problem
w
<=wAn edge is REDUNDANT if there existsan alternative path of no greater weight THUS Remove all redundant edges!
An edge is REDUNDANT if there existsan alternative path of no greater weight THUS Remove all redundant edges!
w
v
Observation: If no zero- or negative cycles then SAFE to remove all redundancies.
Observation: If no zero- or negative cycles then SAFE to remove all redundancies.
29DTU March 7, 2002. Kim G. Larsen
UCb Shortest Path ReductionSolution
G: weighted graph
1. Equivalence classes based on 0-cycles.
2. Graph based on representatives. Safe to remove redundant edges
30DTU March 7, 2002. Kim G. Larsen
UCb Shortest Path ReductionSolution
G: weighted graph
1. Equivalence classes based on 0-cycles.
2. Graph based on representatives. Safe to remove redundant edges
3. Shortest Path Reduction = One cycle pr. class + Removal of redundant edges between classes
31DTU March 7, 2002. Kim G. Larsen
UCb
Earlier Termination
Passed
Waiting Final
Init
INITIAL Passed := Ø; Waiting := {(n0,Z0)}
REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add
{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
n,Z’
m,U
n,Z
Init -> Final ?
32DTU March 7, 2002. Kim G. Larsen
UCb
Earlier Termination
Passed
Waiting Final
Init
INITIAL Passed := Ø; Waiting := {(n0,Z0)}
REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add
{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
n,Z’
m,U
n,Z
Init -> Final ?
ZZ'
33DTU March 7, 2002. Kim G. Larsen
UCb
INITIAL Passed := Ø; Waiting := {(n0,Z0)}
REPEAT - pick (n,Z) in Waiting - if for some (n,Z’) in Passed then STOP - else /explore/ add
{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
Earlier Termination
Passed
Waiting Final
Init
n,Zk
m,U
n,Z
Init -> Final ?
n,Z1
n,Z2 ZZii
ZZ'
34DTU March 7, 2002. Kim G. Larsen
UCb Clock Difference Diagrams= Binary Decision Diagrams + Difference Bounded Matrices
CDD-representationsCDD-representations
CAV99
Nodes labeled with differences
Maximal sharing of substructures (also across different CDDs)
Maximal intervals Linear-time algorithms
for set-theoretic operations.
NDD’s Maler et. al
DDD’s Møller, Lichtenberg
35DTU March 7, 2002. Kim G. Larsen
UCb
SPACE PERFORMANCE
0
0,5
1
1,5
2
2,5
3
3,5
4
4,5
Per
cen
t CDD
Reduced CDD
CDD+BDD
36DTU March 7, 2002. Kim G. Larsen
UCb
TIME PERFORMANCE
0
1
2
3
4
5
6
Per
cen
t CDD
Reduced CDD
CDD+BDD
38DTU March 7, 2002. Kim G. Larsen
UCb
Logical Formulas
Safety Properties:F ::= A[ ] P |
E<> P Always P
P ::= Proc.l | x = n | v = n | x<=n | x<n | P and P | not P | P or P | P imply P
Possibly P
where
atomic properties
Process Proc at location l
clock comparison
boolean combinations
39DTU March 7, 2002. Kim G. Larsen
UCb
Train Crossing
River
Crossing
Gate
StopableArea
[10,20]
[7,15]
Queue
[3,5]appr,stop
leave
go
emptynonemptyhd, add,rem
elel
Communication via channels andshared variable.
40DTU March 7, 2002. Kim G. Larsen
UCb Beyound SafetyDecoration
TACAS98a
l
n
Leadsto: Whenever l is reached then n is reached with t
l
n
Decorationnew clock Xboolean B
X:=0
B:=tt
B:=ff
A[] (B implies x<=t)
)( ba t AFAG
41DTU March 7, 2002. Kim G. Larsen
UCb Beyond SafetyTest automata
TACAS98b)( ba t AFAG
l
n
l
n
a!
b!
a?x:=0
x<=tx==tb?
b urgent!
A[] (not T.BAD)
BAD
TSS
42DTU March 7, 2002. Kim G. Larsen
UCb
Timed Bisimulation
Del.Acta allfor
Rt's's'ss'.t't ii)
Rt's't'tt'.s's i)
:holds following
the thensRt whenever if onbisimulati timed a is R
aa
aa
0Rd:dDel
R. onbisimulati timed
somefor sRt whenever t s write We
Wang’91
43DTU March 7, 2002. Kim G. Larsen
UCb
Timed Simulation
Del.Acta allfor
Rt's't'tt'.s's i)
:holds following
the thensRt whenever if simulation timed a is R
aa
0Rd:dDel
R. simulation
timed somefor sRt ifft s write We
45DTU March 7, 2002. Kim G. Larsen
UCb Abstraction & Compositionality dealing w stateexplosion
a
cb
a
cb
a
cb
a
cb
a
cb
a
cb
a
cb
a
cb
1 2
43
1 2
43
2121
2211
AACCACAC
Concrete Abstract
simulation
48DTU March 7, 2002. Kim G. Larsen
UCb Proving abstractions using reachability
A[] not TestAbstPoP1.BAD
Recognizesall the BADcomputationsof PoP1