Compatibility between shared variable valuations in timed automaton network model-checking Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang Presented by ZHAO Jianhua


Page 1: Zhao

Compatibility between shared variable valuations in timed automaton network model-checking

Zhao Jianhua, Zhou Xiuyi,

Li Xuandong, Zheng Guoliang

Presented by ZHAO Jianhua

Page 2: Zhao

Background (Timed Automata)

A timed automaton can be viewed as a conventional finite state automaton plus some clock variables, which are used to constrain the time distances between events.

Figure: a timed automaton with two locations A and B and clocks x, y. Edge E1 has guard x < 5 and reset y := 0; edge E2 has guard y < 8 and reset x := 0. The location invariants shown are x < 5 and y < 8.

Page 3: Zhao

Background (timed automaton network)

A timed automaton network is a finite set of timed automata which interact with each other.

These timed automata may interact with each other through a finite set of shared variables.

For each timed automaton network, an equivalent timed automaton can be built.

Page 4: Zhao

Background (timed automaton network) An example:

Figure: a network of two timed automata A and B sharing the variable v.
Automaton A (clock x, locations 1 and 2): edge E11 has guard x < 5, assignment v := 1 and reset x := 0; edge E12 has guard x < 8, requires v == 0 and resets x := 0; invariants x < 5 and x < 8.
Automaton B (clock y): edge E21 has guard y < 8, requires v == 1 and resets y := 0; the second edge (labelled E12 on the slide, presumably E22) has guard y < 3, assignment v := 0 and reset y := 0; invariants y < 8 and y < 3.

Page 5: Zhao

Background (reachability analysis 1)

Many interesting properties (for example, safety) can be expressed as reachability of locations of timed automata.

Because the state spaces of timed automata are infinite, model checking techniques cannot be applied to timed automata directly.
– Symbolic representations of states are used in automatic reachability analysis.

Page 6: Zhao

Background (Symbolic States)

A symbolic state of a timed automaton network is a tuple (l, s, D)
– l is the global location of the network.
– s is the valuation of the set of shared variables.
– D is a conjunction of formulas like x - y < c.

A symbolic state (l,s, D ) represents a set of concrete states (l,s,v), where v satisfies D.

Given a symbolic state S, the set of concrete states which are reachable from a concrete state in S through a given transition t can also be represented as a symbolic state. We call it the successor of S w.r.t. t.

Page 7: Zhao

Background (Basic reachability analysis algorithm 1)

Wait = {S0}, Passed = {}, where S0 is the initial symbolic state
while (Wait != {}) do {
    S = a symbolic state in Wait;
    Wait = Wait – {S}
    for each transition t leaving S do {
        S’ = successor of S w.r.t. t;
        if (S’ != Φ and S’ is not contained by any state in Passed)
            Wait = Wait + {S’}
        if (the location of S’ is the target location)
            return true;
    }
    Passed = Passed + {S}
}
return false;   (the target location is unreachable once Wait is exhausted)

Page 8: Zhao

Background (Basic reachability analysis algorithm 2)

The algorithm explores the state space by continuously generating successors of the generated states.

The algorithm skips generating the successors of a generated symbolic state (l, s, D1) only if

– another symbolic state (l, s, D2) containing (l, s, D1) has already been generated.

– a symbolic state S1 contains another one S2 if the set of concrete states represented by S1 contains the one represented by S2.

Page 9: Zhao

Compatibility between shared variable valuations

A shared variable valuation s1 is compatible with s2 on a tuple (l, D) if for each transition e leaving l, one of the following conditions holds.
– s1 and s2 are identical.
– The conjunction of D and g is false, where g is the time guard of e.
– Neither s1 nor s2 satisfies the shared variable guards of e.
– The variable guard of e is satisfied by s1, and the transition e sets s1 and s2 to two compatible variable valuations.

Page 10: Zhao

An example of Compatibility

(v1 = 3; v2 = 3) is compatible with (v1 = 2; v2 = 3) on ((A, M), (x > 3 ^ y < 10))

Figure: a network of two timed automata with shared variables v1, v2. The first automaton has locations A, B, C and clock x; the second has locations M, N and clock y.
e11 : x > 5; v2 = 3 → x := 0, v1 := 0
e12 : x < 3; v1 = 3 → x := 0, v1 := v1 + 1
e21 : y < 10 → v1 := v2 + 1, y := 0

Page 11: Zhao

Compatibility contain

Definition 3. Let (l, s1, D1) and (l, s2, D2) be two symbolic states of a timed automaton network. We say (l, s1, D1) compatibility contains (l, s2 ,D2)

– if s1 is compatible with s2 on (l, D1) and

– D1 contains D2.

Page 12: Zhao

A lemma about the compatibility contain

Lemma
– Let S1 and S2 be two symbolic states of a timed automaton network. We have that all the locations reachable from S2 are also reachable from S1 if S1 compatibility contains S2.

Intuitively, (l, s1, D1) is more likely to reach the target location than (l, s2, D2) is.

The algorithm can avoid generating successors of a generated symbolic state (l, s, D1) if
– another symbolic state which compatibility-contains (l, s, D1) has already been generated. This condition is weaker than the basic one.
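The following is an added worked example, not code from the slides or from the authors' tool, that puts slides 7, 9, 10 and 11 together: a worklist reachability search over symbolic states, the basic containment check, and the compatibility relation of slide 9 used as the weaker compatibility-containment check of this slide. It encodes the network of slide 10 (the edge targets B, C and N are assumed from the figure). Zones are simplified to one interval per clock (no diagonal constraints, no location invariants), condition 4 of slide 9 is read as "both valuations pass the variable guard and the post-transition valuations are compatible on the successor location and zone", a pair of valuations already under examination is treated as compatible, and compatibility is computed on demand rather than with the attached valuation sets of slides 13 to 15; all of these are assumptions of this example.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

INF = math.inf
Zone = Dict[str, Tuple[float, bool, float, bool]]  # clock -> (lo, lo_strict, hi, hi_strict)
Valuation = Dict[str, int]                         # shared variable -> value

@dataclass(frozen=True)
class Edge:
    automaton: int                                  # index of the component that takes the edge
    src: str
    dst: str
    time_guard: Tuple[Tuple[str, str, float], ...]  # atoms (clock, op, const); op in < <= > >=
    var_guard: Tuple[Tuple[str, int], ...]          # atoms (variable, required value)
    resets: Tuple[str, ...]                         # clocks set to 0 on firing
    assigns: Tuple[Tuple[str, Callable[[Valuation], int]], ...]  # variable updates

def conjoin(zone: Zone, guard) -> Zone:
    """Intersect a zone with guard atoms: the tighter bound wins, strict beats non-strict on ties."""
    z = dict(zone)
    for clock, op, c in guard:
        lo, los, hi, his = z[clock]
        if op in ('>', '>='):
            if c > lo or (c == lo and op == '>'):
                lo, los = c, op == '>'
        elif c < hi or (c == hi and op == '<'):
            hi, his = c, op == '<'
        z[clock] = (lo, los, hi, his)
    return z

def is_empty(zone: Zone) -> bool:
    return any(lo > hi or (lo == hi and (los or his)) for lo, los, hi, his in zone.values())

def contains(big: Zone, small: Zone) -> bool:
    """D1 contains D2 when every clock interval of D1 encloses the matching interval of D2."""
    return all((lo1 < lo2 or (lo1 == lo2 and (not los1 or los2)))
               and (hi1 > hi2 or (hi1 == hi2 and (not his1 or his2)))
               for c, (lo1, los1, hi1, his1) in big.items()
               for lo2, los2, hi2, his2 in [small[c]])

def successor_zone(zone: Zone, e: Edge) -> Zone:
    """Zone after e fires: conjoin the guard, reset clocks, let time elapse (invariants ignored)."""
    z = conjoin(zone, e.time_guard)
    for clock in e.resets:
        z[clock] = (0.0, False, 0.0, False)
    return {c: (lo, los, INF, False) for c, (lo, los, _, _) in z.items()}

def enabled(s: Valuation, e: Edge) -> bool:
    return all(s[v] == c for v, c in e.var_guard)

def fire(s: Valuation, e: Edge) -> Valuation:
    return {**s, **{v: f(s) for v, f in e.assigns}}  # right-hand sides read the old valuation

def move(loc, e: Edge):
    return loc[:e.automaton] + (e.dst,) + loc[e.automaton + 1:]

def compatible(s1, s2, loc, zone, edges, seen=None) -> bool:
    """Slide 9: s1 is compatible with s2 on (loc, zone) iff every edge leaving loc meets one of
    the four conditions.  A (loc, s1, s2) triple already under examination counts as compatible,
    which keeps the recursion finite (assumption of this example)."""
    if s1 == s2:
        return True
    seen = set() if seen is None else seen
    key = (loc, tuple(sorted(s1.items())), tuple(sorted(s2.items())))
    if key in seen:
        return True
    seen.add(key)
    for e in edges:
        if e.src != loc[e.automaton] or is_empty(conjoin(zone, e.time_guard)):
            continue                                # edge does not leave loc, or D and g is false
        g1, g2 = enabled(s1, e), enabled(s2, e)
        if g1 or g2:                                # else neither valuation passes the variable guard
            if not (g1 and g2 and compatible(fire(s1, e), fire(s2, e), move(loc, e),
                                             successor_zone(zone, e), edges, seen)):
                return False
    return True

def reachable(init, target_loc, edges, use_compat=False):
    """Slide 7 worklist search.  A successor is dropped when a Passed state at the same location
    contains it: identical valuation plus zone containment (basic), or, with use_compat, the
    compatibility containment of slide 11.  Returns (verdict, number of successors put in Wait)."""
    wait, passed, generated = [init], [], 0
    while wait:
        loc, s, zone = wait.pop()
        for e in edges:
            if e.src != loc[e.automaton] or not enabled(s, e) or is_empty(conjoin(zone, e.time_guard)):
                continue
            nloc, ns, nz = move(loc, e), fire(s, e), successor_zone(zone, e)
            if any(pl == nloc and contains(pz, nz)
                   and (ps == ns or (use_compat and compatible(ps, ns, nloc, pz, edges)))
                   for pl, ps, pz in passed):
                continue
            wait.append((nloc, ns, nz))
            generated += 1
            if nloc == target_loc:
                return True, generated
        passed.append((loc, s, zone))
    return False, generated

def zone_of(clocks, *atoms) -> Zone:   # all clocks in [0, inf) tightened by the given atoms
    return conjoin({c: (0.0, False, INF, False) for c in clocks}, atoms)

# Network of slide 10, constructed from the figure (edge targets B, C and N are assumed):
# component 0 has locations A, B, C and clock x; component 1 has M, N and clock y.
EDGES = (
    Edge(0, 'A', 'B', (('x', '>', 5),), (('v2', 3),), ('x',), (('v1', lambda s: 0),)),
    Edge(0, 'A', 'C', (('x', '<', 3),), (('v1', 3),), ('x',), (('v1', lambda s: s['v1'] + 1),)),
    Edge(1, 'M', 'N', (('y', '<', 10),), (), ('y',), (('v1', lambda s: s['v2'] + 1),)),
)
SLIDE_ZONE = zone_of(('x', 'y'), ('x', '>', 3), ('y', '<', 10))   # x > 3 and y < 10 from slide 10
```

Calling `compatible({'v1': 3, 'v2': 3}, {'v1': 2, 'v2': 3}, ('A', 'M'), SLIDE_ZONE, EDGES)` reproduces the verdict of slide 10: e12 is excluded because x > 3 contradicts x < 3, e11 sets v1 to 0 in both valuations, and e21 sets v1 to v2 + 1 in both, so each edge ends in identical valuations. Swapping the roles (v2 = 2 in the second valuation) makes e11 enabled for only one side, and the relation correctly fails. Running `reachable` from ((A, M), v1 = 2, v2 = 3, all clocks 0) towards the unreachable location (C, N) puts one successor fewer into Wait with `use_compat=True`, because the two valuations that meet at (B, N) are compatible there (no edge leaves B or N) even though they are not identical.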

Page 13: Zhao

Find the compatible valuations

During the reachability analysis, if a symbolic state (l, s, D) is generated, an algorithm can be used to find valuations with which s is compatible on (l, D).

This algorithm uses a backward propagation method to compute such valuations based on the definition of compatibility.

All these valuations are recorded in valuation sets attached to the generated states.

For each generated state (l, s’,D’), it is compatibility contained by (l,s,D) if D’ is contained by D and s is found to be compatible with s’.

Page 14: Zhao

A compact data structure

Let v1, v2, …, vn be a set of shared variables. We proved that the attached valuation sets can be represented as Cartesian products

s1× s2 × … × sn

This observation leads to a compact data structure to record the compatible shared variable valuations.

Page 15: Zhao

The optimization

The algorithm is optimized as follows
– A shared variable valuation set is attached to each generated state (using the compact data structure).

– Avoid generating successor of (l, s, D) if there is another generated state (l, s’, D’) such that s is in the attached set of (l, s’, D’) and D’ contains D

– During the reachability analysis, the attached sets are continuously expanded by backward propagation.

Page 16: Zhao

The performance (1) (the bounded retransmission protocol)

Page 17: Zhao

The performance (2) (the Bang & Olufsen audio protocol)

The optimized algorithm uses only about 40% of the memory that the original one does.