Symbolic Reachability and Beyound or how UPPAAL really works Kim Guldstrand Larsen BRICS@Aalborg

UCb

Symbolic Reachabilityand Beyound

or how UPPAAL really works

Kim Guldstrand Larsen BRICS@Aalborg

2DTU March 7, 2002. Kim G. Larsen

UCb

Timed Automata

n

m

a

Alur & Dill 1990

Clocks: x, y

x<=5 & y>3

x := 0

Guard Boolean combination of integer boundson clocks and clock-differences.

ResetAction perfomed on clocks

Transitions

( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )

e(1.1)

( n , x=2.4 , y=3.1415 ) ( m , x=0 , y=3.1415 )

a

State ( location , x=v , y=u ) where v,u are in R

Actionused

for synchronization


UCb

n

m

a

Clocks: x, y

x<=5 & y>3

x := 0

Transitions

( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )

e(1.1)

( n , x=2.4 , y=3.1415 )

e(3.2)

x<=5

y<=10

LocationInvariants

g1g2 g3

g4

Timed Automata Invariants

Invariants ensure

progress!!

Invariants ensure

progress!!


UCb

A1 B1 CS1V:=1 V=1

A2 B2 CS2V:=2 V=2

Init V=1

2´

VCriticial Section

Fischer’s Protocolanalysis using zones

Y<10

X:=0

Y:=0

X>10

Y>10

X<10

UCb

THE UPPAAL ENGINE

Symbolic Reachability Checking


UCb ZonesFrom infinite to finite

State(n, x=3.2, y=2.5 )

x

y

x

y

Symbolic state (set)(n, )

Zone:conjunction ofx-y<=n, x<=>n

3y4,1x1


UCb

Symbolic Transitions

n

m

x>3

y:=0

delays to

conjuncts to

projects to

x

y

1<=x<=41<=y<=3

x

y1<=x, 1<=y-2<=x-y<=3

x

y 3<x, 1<=y-2<=x-y<=3

3<x, y=0

x

y

Thus (n,1<=x<=4,1<=y<=3) =a => (m,3<x, y=0)Thus (n,1<=x<=4,1<=y<=3) =a => (m,3<x, y=0)

a


UCb

A1 B1 CS1V:=1 V=1

A2 B2 CS2V:=2 V=2

Init V=1

2´

VCriticial Section

Fischer’s Protocolanalysis using zones

Y<10

X:=0

Y:=0

X>10

Y>10

X<10


UCb

Fischers cont. B1 CS1

V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10

A1,A2,v=1 A1,B2,v=2 A1,CS2,v=2 B1,CS2,v=1 CS1,CS2,v=1

Untimed case

A1


UCb


V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case

Taking time into account

X

Y

A1


UCb


V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


X

Y

A1

10X

Y1010


UCb


V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


A1

10X

Y10

X

Y10


UCb


V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


A1

10X

Y10

X

Y10

10X

Y10


UCb


V:=1 V=1

A2 B2 CS2V:=2 V=2Y<10

X:=0

Y:=0

X>10

Y>10

X<10


Untimed case


A1

10X

Y10

X

Y10

10X

Y10


UCb

Forward Rechability

Passed

WaitingFinal

Init

INITIAL Passed := Ø; Waiting := {(n0,Z0)}

REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add

{ (m,U) : (n,Z) => (m,U) } to Waiting; Add (n,Z) to Passed

UNTIL Waiting = Ø or Final is in Waiting

Init -> Final ?


UCb

Forward Rechability

Passed

Waiting Final

Init

n,Z


REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else (explore) add



n,Z’

Init -> Final ?


UCb

Forward Rechability

Passed

Waiting Final

Init

n,Z


REPEAT - pick (n,Z) in Waiting - if for some Z’ Z (n,Z’) in Passed then STOP - else /explore/ add



n,Z’

m,U

Init -> Final ?


UCb

Forward Rechability

Passed

Waiting Final

Init





n,Z’

m,U

n,Z

Init -> Final ?


UCb Canonical Dastructures for Zones

Difference Bounded Matrices Bellman 1958, Dill 1989

x<=1y-x<=2z-y<=2z<=9

x<=1y-x<=2z-y<=2z<=9

x<=2y-x<=3y<=3z-y<=3z<=7

x<=2y-x<=3y<=3z-y<=3z<=7

D1

D2

Inclusion

0

x

y

z

1 2

29

0

x

y

z

2 3

37

3

? ?

Graph

Graph


UCb

Bellman 1958, Dill 1989

x<=1y-x<=2z-y<=2z<=9

x<=1y-x<=2z-y<=2z<=9

x<=2y-x<=3y<=3z-y<=3z<=7

x<=2y-x<=3y<=3z-y<=3z<=7

D1

D2

Inclusion

0

x

y

z

1 2

29

ShortestPath

Closure

ShortestPath

Closure

0

x

y

z

1 2

25

0

x

y

z

2 3

37

0

x

y

z

2 3

36

3

3 3

Graph

Graph

? ?

Canonical Dastructures for ZonesDifference Bounded Matrices

Canonical Form


UCb

Bellman 1958, Dill 1989

x<=1y>=5y-x<=3

x<=1y>=5y-x<=3

D

Emptyness

0y

x1

3

-5

Negative Cycleiffempty solution set

Graph



UCb

1<= x <=41<= y <=3

1<= x <=41<= y <=3

D

Future

x

y

x

y

Future D

0

y

x4

-1

3

-1

ShortestPath

Closure

Removeupper

boundson clocks

1<=x, 1<=y-2<=x-y<=3

1<=x, 1<=y-2<=x-y<=3

y

x

-1

-1

3

2

0

y

x

-1

-1

3

2

0

4

3



UCb Canonical Dastructures for Zones

Difference Bounded Matrices

x

y

D

1<=x, 1<=y-2<=x-y<=3

1<=x, 1<=y-2<=x-y<=3

y

x

-1

-1

3

2

0

Remove allbounds

involving yand set y to 0

x

y

{y}D

y=0, 1<=xy=0, 1<=x

Reset

y

x

-1

0

0 0


UCb Improved DatastructuresCompact Datastructure for Zones

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1 x2

x3x0

-4

10

22

5

3

x1 x2

x3x0

-4

4

22

5

3

x1 x2

x3x0

-4

22

3

3 -2 -2

1

ShortestPath

ClosureO(n^3)

ShortestPath

ReductionO(n^3) 3

Canonical wrt =Space worst O(n^2) practice O(n)

RTSS’97


UCb SPACE PERFORMANCE

0

0,1

0,2

0,3

0,4

0,5

0,6

0,7

0,8

0,9

1

Per

cen

t Minimal Constraint

Global Reduction

Combination


UCb TIME PERFORMANCE

0

0,5

1

1,5

2

2,5

Per

cen

t Minimal Constraint

Global Reduction

Combination


UCb

v and w are both redundantRemoval of one depends on presence of other.

v and w are both redundantRemoval of one depends on presence of other.

Shortest Path Reduction1st attempt

Idea

Problem

w

<=wAn edge is REDUNDANT if there existsan alternative path of no greater weight THUS Remove all redundant edges!

An edge is REDUNDANT if there existsan alternative path of no greater weight THUS Remove all redundant edges!

w

v

Observation: If no zero- or negative cycles then SAFE to remove all redundancies.

Observation: If no zero- or negative cycles then SAFE to remove all redundancies.


UCb Shortest Path ReductionSolution

G: weighted graph



G: weighted graph

1. Equivalence classes based on 0-cycles.

2. Graph based on representatives. Safe to remove redundant edges



G: weighted graph

1. Equivalence classes based on 0-cycles.

2. Graph based on representatives. Safe to remove redundant edges

3. Shortest Path Reduction = One cycle pr. class + Removal of redundant edges between classes


UCb

Earlier Termination

Passed

Waiting Final

Init





n,Z’

m,U

n,Z

Init -> Final ?


UCb

Earlier Termination

Passed

Waiting Final

Init





n,Z’

m,U

n,Z

Init -> Final ?

ZZ'


UCb


REPEAT - pick (n,Z) in Waiting - if for some (n,Z’) in Passed then STOP - else /explore/ add



Earlier Termination

Passed

Waiting Final

Init

n,Zk

m,U

n,Z

Init -> Final ?

n,Z1

n,Z2 ZZii

ZZ'


UCb Clock Difference Diagrams= Binary Decision Diagrams + Difference Bounded Matrices

CDD-representationsCDD-representations

CAV99

Nodes labeled with differences

Maximal sharing of substructures (also across different CDDs)

Maximal intervals Linear-time algorithms

for set-theoretic operations.

NDD’s Maler et. al

DDD’s Møller, Lichtenberg


UCb

SPACE PERFORMANCE

0

0,5

1

1,5

2

2,5

3

3,5

4

4,5

Per

cen

t CDD

Reduced CDD

CDD+BDD


UCb

TIME PERFORMANCE

0

1

2

3

4

5

6

Per

cen

t CDD

Reduced CDD

CDD+BDD

UCb

Beyond Reachability- Bounded Liveness- (Bi) simulations


UCb

Logical Formulas

Safety Properties:F ::= A[ ] P |

E<> P Always P

P ::= Proc.l | x = n | v = n | x<=n | x<n | P and P | not P | P or P | P imply P

Possibly P

where

atomic properties

Process Proc at location l

clock comparison

boolean combinations


UCb

Train Crossing

River

Crossing

Gate

StopableArea

[10,20]

[7,15]

Queue

[3,5]appr,stop

leave

go

emptynonemptyhd, add,rem

elel

Communication via channels andshared variable.


UCb Beyound SafetyDecoration

TACAS98a

l

n

Leadsto: Whenever l is reached then n is reached with t

l

n

Decorationnew clock Xboolean B

X:=0

B:=tt

B:=ff

A[] (B implies x<=t)

)( ba t AFAG


UCb Beyond SafetyTest automata

TACAS98b)( ba t AFAG

l

n

l

n

a!

b!

a?x:=0

x<=tx==tb?

b urgent!

A[] (not T.BAD)

BAD

TSS


UCb

Timed Bisimulation

Del.Acta allfor

Rt's's'ss'.t't ii)

Rt's't'tt'.s's i)

:holds following

the thensRt whenever if onbisimulati timed a is R

aa

aa

0Rd:dDel

R. onbisimulati timed

somefor sRt whenever t s write We

Wang’91


UCb

Timed Simulation

Del.Acta allfor

Rt's't'tt'.s's i)

:holds following

the thensRt whenever if simulation timed a is R

aa

0Rd:dDel

R. simulation

timed somefor sRt ifft s write We


UCb

Examples


UCb Abstraction & Compositionality dealing w stateexplosion

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

a

cb

1 2

43

1 2

43

2121

2211

AACCACAC

Concrete Abstract

simulation


UCb

Abstraction Example

a1 a2 a3 a4 a5

a b


UCb

Example Continued

abstractedby


UCb Proving abstractions using reachability

A[] not TestAbstPoP1.BAD

Recognizesall the BADcomputationsof PoP1

UCb

Documents

Symbolic Reachability and Beyound or how UPPAAL really works Kim Guldstrand Larsen BRICS@Aalborg