Post on 28-Mar-2015
Clocked Mazurkiewicz Traces and Partial Order Reductions for Timed Automata
D. Lugiez, P. Niebert, S. Zennou
Laboratoire d ’Informatique Fondamentale de Marseille
(LIF, UMR 6166)
Clocked Mazurkiewicz Traces and Partial Order Reductions for Timed Automata
D. Lugiez, P. Niebert, S. Zennou
Laboratoire d ’Informatique Fondamentale de Marseille
(LIF, UMR 6166)
A Partial Order Semantics approach to the clock
explosion problem of timed automata
At least two previous presentationsat Ametist meetings ...
« They talk and talk ... » « Now they change the title ... »
« Where is the beef?! »
Thank you for your patience!Classical Zone Automaton Event Zone Automaton(ELSE)
Thank you for your patience!Classical Zone Automaton Event Zone Automaton(ELSE)
Thank you for your patience!
#Phil 2 3 4 5 6 7 8 9classical 11 55 337 2456 21037 207677 not on my laptopeventzone 10 35 118 392 1297 4799 14158 46763ratio 1,1 1,57 2,86 6,27 16,22 43,28
Friendly Example: Dining Philosophers with timeouts
#Proc 2 3 4 5UppAal -n1 34345UppAal -n2 2865Else "classical"25 229 2393 26961eventzone 24 209 2048 21077ratio 1,04 1,10 1,17 1,28
Hostile Example: Fischer’s Protocol (almost sequential)
A long time misunderstanding ...
Partial order reduction methods Cut redundant branches in search tree
Works well for discrete systems And for timed automata/time Petri nets?
[Bengtson-Lilius-Johnsson-Yi 98], [Minea99], ... Semantic restrictions B.J. : « sometimes not worse than without
reduction ... » Without citation :
Buggy theorems, discretisation, ...
Mazurkiewicz traces
Example parallel system
0
e
0 0
11 1
2
2
2
d
cba
f
3
g
3 4
A B C
Example parallel system
0
e
0 0
11 1
2
2
2
d
cba
f
3
g
3 4
Property:Is it possible that Aenters state 2
A B C
Witness path to property
0
e
0 0
11 1
2
2
2
d
cba
f
3
g
3 4
A B C
State graph =synchronous product
The state graph
d
ca a
a a
a a a
b
b
b
b
b
b
c
c d
d
e
e
f
1,0,0 1,1,0
0,0,0
1,0,2 1,1,2
0,0,2 0,1,2
1,1,1
0,0,1
0,2,1
1,2,1
2,3,1
0,1,0
0,1,1
1,0,1
c
d
c
d
3,4,0
3,4,2
3,4,1
g
g
g
d
d
d
0,2,2
0,2,2
2,2,3
f
a
The state graph
d
ca a
a a
a a a
b
b
b
b
b
b
c
c d
d
e
e
f
1,0,0 1,1,0
0,0,0
1,0,2 1,1,2
0,0,2 0,1,2
1,1,1
0,0,1
0,2,1
1,2,1
2,3,1
0,1,0
0,1,1
1,0,1
c
d
c
d
3,4,0
3,4,2
3,4,1
g
g
g
d
d
d
0,2,2
0,2,2
2,2,3
f
a
Property:It is possible that Aenters state 2!
The witness path
d
ca a
a a
a a a
b
b
b
b
b
b
c
c d
d
e
e
f
1,0,0 1,1,0
0,0,0
1,0,2 1,1,2
0,0,2 0,1,2
1,1,1
0,0,1
0,2,1
1,2,1
2,3,1
0,1,0
0,1,1
1,0,1
c
d
c
d
3,4,0
3,4,2
3,4,1
g
g
g
d
d
d
0,2,2
0,2,2
2,2,3
f
a
Property:It is possible that Aenters state 2!
d
ca a
a a
a a a
b
b
b
b
b
b
c
c d
d
e
e
f
1,0,0 1,1,0
0,0,0
1,0,2 1,1,2
0,0,2 0,1,2
1,1,1
0,0,1
0,2,1
1,2,1
2,3,1
0,1,0
0,1,1
1,0,1
c
d
c
d
3,4,0
3,4,2
3,4,1
g
g
g
d
d
d
0,2,2
0,2,2
2,2,3
f
a
Equivalent executions
ab
c
d
e
d f
a
b
c
d
e
d f
a
b
d
e
c
d f
a
b
d
e
f
c
d
The misunderstanding
Don’t « try to avoid redundancy in search of zone automaton».
Instead, see to have less zones!
Actually ...
1
23
4
(a,-,
X:=0)
(a,-,
X:=0)
(b,-,Y:=
0)
(b,-,Y:=
0)
(1,X=Y=0)
a
(2,X=0,Y0) (2,X0,Y=0)
b
(4,X0,Y=0) (4,X=0,Y0)
b a
An artificial example
An artificial exampleClassical Zone Automaton Event Zone Automaton(ELSE)
Our work about this
Theoretical foundation, now to treat Alur-Dill automata without any restriction
Infinite symbolic « event zone automaton » with full commutation
Finite index equivalence that preserves reachability (only)
A tool! (Well, still a prototype, of course ...)
Context (other works)
[D’Souza-Tjagarajan98] : Complementation for a sub class of timed
automata « Distributed Interval Automata »Petri nets with final states
Surprise : Construction based on Mazurkiewicz traces without time
Potential basis for a new formalisation
Timed Automata - and independence?
Formalisation
Separate state graph from constraints
« Clocked labels »
Timed Automata
={, , , ,…} of finite clocked label alphabet
Set of clocks C An automaton A=(Q,s0,,F) over
Q finite set of states s0 Q initial state Q x x Q transition relation F Q final states
Timed Automata
Clocked label =(a,c,r) of action + constraint + reset
Action over ={a, b, c, d,…} finite Constraint c maps clocks to intervals with integer or
infinite bounds Reset r C
Clocked words = sequence of clocked labelsEx:
Timed and Clocked Words
Timed word = (w,t) with w * and t maps positions in w to time stamps Ex: (a, 3.2)(c, 2.5)(b, 6.3)
Normal timed word (w,t) s.t. t(i) t(j) if i j Ex: (a, 3.2)(c, 4.5)(b, 6.3)
Symbolic states of timed automata
Combination of discrete states and regions orzones of clock values
Zones: conjunctions of clock bounds “X (- 0) 3” clock difference bounds “X-Y 3” difference bounds matrix
of dimension n+1 (clocks and “zero”) Algorithms
Linking Clocked and Timed Words
Standard realization of a clocked word with i=(ai,ci,ri), 1 i n = (w,t) s.t.
w=a1…an
(w,t) normal t(k)-t(l) ck(C) l=last reset of C in 1…k-1
Ex: (a, 3.2)(c, 4)(b, 6.2) = normal realization of
Lt(A) set of clocked words =1...n which have a standard realization and s.t.
s01 s1...
n sn F
Independence of clocked labels
One transition does not constrain clocks the other transition resets.
One transition does not reset clocks the other transition resets.
Same as independence for shared variables read a variable written by another process
implies dependency writing the same variable implies dependency
Relaxing constraints
Standard zones incomparable zonesEx: ab -------> c2 c1
ba -------> c1 c2
Normal timed words (w,t) w.r.t I realizing with i=(ai,ci,ri) s.t.
w=a1…an
t(i) t(j) if i j and not ai I aj
t(k)-t(l) ck(C) l=last reset of C in 1…k-1
Ex: (c, 4)(a, 3.2)(b, 6.2) for
Commuting clocked labels and time stamps together!
Clocked word (a,X<1,X:=0)(b,Y<1,Y:=0)(c,X<1&Y>1,-)
Normal timed word w.r.t. I
(a,0.7)(b,0.5)(c,1.6)
Equivalent Clocked word (b,Y<1,Y:=0)(a,X<1,X:=0) (c,X<1&Y>1,-)
Equivalent timed word, normal! (b,0.5)(a,0.7)(c,1.6)
What is it good for
Realisability w.r.t. I characterises classical realisability up to commutations
Any realisation w.r.t. I can be transformed into a classical realisation.
Hence, we can search for error traces modulo independence, then retrieve normal ones.
Towards Algorithmics
Relaxing constraints
Standard zones incomparable zonesEx: ab -------> c2 c1
ba -------> c1 c2
Normal timed words (w,t) w.r.t I realizing with i=(ai,ci,ri) s.t.
w=a1…an
t(i) t(j) if i j and not ai I aj
t(k)-t(l) ck(C) l=last reset of C in 1…k-1
Ex: (c, 4)(a, 3.2)(b, 6.2) for
Clocked Words and Event Zones
One variable per position in + one for the beginning (empty word)Ex: -------> V={x0, x1, x2, x3}
Only constraints between dependent clocked labels are added
Commuting independent clocked labels gives isomorphic constraint set
Differences and Graph Algorithms
X-Yc, Y-Z d implies X-Z c+d
XY
Z
cd
c+dGraph coding:Shortest path = Strongest Consequence
Solving via graph algorithms (Ford-Bellman, Floyd-Warshall):• shortest path with negative weights• negative cycles = no solution
On the level of traces ...
... these constraints characterise realisability
... can be used for « bounded model checking » [FTRTFT2002]
And for exhaustive exploration ???
Zone automata?
Technical problem : The longer the trace, the more
variables?!
Fundamental problem : Constraints X-Yc with c unbounded
Classical zone automata : abstraction (the greatest constant ...)
P.Bouyer : yes, but be careful!
Bounding dimensions
Transitions add variables and constraints linking them to an interface « Last » Last clock resets Last occurrences of independent actions
Decomposition of shortest paths
s1
s2 s3
Distances in the interface
s1
s2
s3
Distances in the interface
Projection of the event zone to the interface can be computed incrementally : add new event normalise (incremental Floyd-Warshall) garbage collection: project events
no longer in the interface Dimensions :
at worst (#clocks +1) * #processes classical timed automata #clocks + 1
Data structure event zone
e2
r X r
Y r
Z r
U
e3
e1 e4
e4
e2 e7
rX rY rZ rU p1 p2 p3
<3
t(e3)-t(e2)<3
The fundamental problem
Languages of realisable traces are not always finite state
1
2
=(Y=1,b,Y:=0)=(X=1,a,X:=0)
=(X=5,Y=5,c,-)
R = realisable tracesR{,}* ={u | u {,}*, |u|= |u|} not recognisable
The fundamental problem - what to do
Give up semantic Restrictions (BLJY98,M99)
No Zeno cycles + invariants deduce new bounds (huge) for the abstraction
Our choice : maintain the classical abstraction, sacrifice some commutations
New approach: Compute without abstraction, compare with abstraction
A formal language view
Clock zone automaton, also with abstraction, gives Nerode congruence of finite index
Optimisations of timed automata mean smaller index
No such automaton can exist for realisable traces, but ...
The trick for event zones
« Separate past and future before comparing » Separator transition « $ », commutes with
nothing. Insertion of separator in sequence u$v changes
nothing, except: all of u happens temporally before all of v
IN-preorder to replace zone inclusion
Theorem: Reachability w.r.t. classical semantics preserved
The trick and formal language view
Practically
Compute with event zones Zu WITHOUT separators
Compare not Zu and Zv , but Zu$ and Zv$
Dimension of Zu$ at most #Clocks+1
Same abstractions and data structures as for Clock zones possible!
« UppAal killer » does not kill Else
In fact, asymmetric bounds analysis included,
Difference to -n2 switch: No location based analysis
used
And the counterexample?
1
2
=(Y=1,b,Y:=0)=(X=1,a,X:=0)
=(X=5,Y=5,c,-)
And the counterexample?Classical Zone Automaton Event Zone Automaton(ELSE)
The reachability algorithm
Practical aspects of algorithm
Zones with higher dimensions in « Gray set » (Waiting List) Potentially higher cost of computing
successors Potentially more memory needed
Zones with classical dimensions in « Black set » (Past List) All fancy data structures work here
(compressed clock zones, CDDs, ...)
ELSE - a new timed automata tool
Contributors until now:Manuel Yguel, Sarah Zennou, Peter
Niebert,
Marcos Kurban (U.Twente)
Our tool approach Aim: Platform for experiments with algorithms
for timed automata and more ... No intention to invent new specification
language Currently use IF 2 (VERIMAG) as input syntax
But semantic coverage very limited(lazy implementation)
Sometime 2004: Open Source Distribution, Invitation to participate
Software structure of ELSE
Much like Murphi, Spin, IF, ... Compiler
Frontend(s), maybe add UppAal (Tool Interaction!)
Internal data structure to generalize frontends ... Backend(s) for exploration, generate C-code
Libraries memory management, output (graph drawing),
exploration ... Some parts as include files
Current state of development « Prototype »
Almost complete chain Very little language coverage Sufficient for exhaustive exploration experiments Good memory management
Urgent todo list before alpha release Sequence extraction Basic urgency Efficient data structures for « past list » A bit more of static analysis A few algorithmic improvements
Conclusion, outlook Fundamental contribution, clean theory A substantial contribution to timed
automata algorithmics
Strong potential for resource allocation problems (linear priced version would be interesting)
A new tool, still needs work for serious case studies