Compatibility between shared variable valuations in timed automaton network model-checking
Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang
Presented by ZHAO Jianhua
Background (Timed Automata)
• A timed automaton can be viewed as a conventional finite state automaton plus some clock variables, which are used to constrain the time distances between events.
• [Figure: a timed automaton with clocks x, y and locations A, B (invariants x < 5 and y < 8); transition E1 has clock guard x < 5 and reset y := 0, transition E2 has clock guard y < 8 and reset x := 0.]
Background (timed automaton network)
• A timed automaton network is a finite set of timed automata which interact with each other.
• These timed automata may interact with each other through a finite set of shared variables.
• For each timed automaton network, an equivalent timed automaton can be built.
Background (timed automaton network)
• An example: two timed automata sharing the variable v.
• [Figure: automaton 1 has clock x and locations A, B; E11 leaves A with clock guard x < 5, reset x := 0 and update v := 1; E12 leaves B with clock guard x < 8, reset x := 0 and variable guard v == 0. Automaton 2 has clock y and locations 1, 2; E21 leaves 1 with clock guard y < 8, reset y := 0 and variable guard v == 1; E22 (labelled E12 a second time on the slide) leaves 2 with clock guard y < 3, reset y := 0 and update v := 0. Location invariants drawn: x < 5, x < 8, y < 3, y < 8.]
Background (reachability analysis 1)
• Many interesting properties (for example, safety) can be expressed as reachability of locations of timed automata.
• Because the state spaces of timed automata are infinite, model checking techniques cannot be applied to timed automata directly.
• Symbolic representations of states are used in automatic reachability analysis.
Background (Symbolic States)
• A symbolic state of a timed automaton network is a tuple (l, s, D):
• l is the global location of the network;
• s is the valuation of the set of shared variables;
• D is a conjunction of clock constraints of the form x - y < c (a zone).
• A symbolic state (l, s, D) represents the set of concrete states (l, s, v) whose clock valuation v satisfies D.
• Given a symbolic state S and a transition t, the set of concrete states reachable from a concrete state in S through t can again be represented as a symbolic state. We call it the successor of S w.r.t. t.
Background (Basic reachability analysis algorithm 1)
  Wait = {S0}, Passed = {}, where S0 is the initial symbolic state
  while (Wait != {}) do {
      S = a symbolic state in Wait; Wait = Wait - {S}
      for each transition t leaving S do {
          S' = successor of S w.r.t. t
          if (S' != Φ and the location of S' is the target location)
              return true
          if (S' != Φ and S' is not contained by any state in Passed)
              Wait = Wait + {S'}
      }
      Passed = Passed + {S}
  }
  return false
Background (Basic reachability analysis algorithm 2)
• The algorithm explores the state space by continuously generating successors of already generated states.
• The algorithm skips generating the successors of a generated symbolic state (l, s, D1) only if another symbolic state (l, s, D2) containing (l, s, D1) has already been generated.
• A symbolic state S1 contains another one, S2, if the set of concrete states represented by S1 contains the set represented by S2.
Compatibility between shared variable valuations
• A shared variable valuation s1 is compatible with s2 on a tuple (l, D) if, for each transition e leaving l, one of the following conditions holds:
• s1 and s2 are identical;
• the conjunction of D and g is false, where g is the clock guard of e;
• neither s1 nor s2 satisfies the shared variable guard of e;
• s1 satisfies the variable guard of e, and e maps s1 and s2 to two valuations that are again compatible (on the location and zone reached through e).
An example of Compatibility
• (v1 = 3, v2 = 3) is compatible with (v1 = 2, v2 = 3) on ((A, M), x > 3 ∧ y < 10).
• [Figure: shared variables v1, v2. Automaton 1 (clock x) has locations A, B, C; e11 leaves A with clock guard x > 5, variable guard v2 == 3, reset x := 0 and update v1 := 0; e12 leaves A with clock guard x < 3, variable guard v1 == 3, reset x := 0 and update v1 := v1 + 1. Automaton 2 (clock y) has locations M, N; e21 leaves M with clock guard y < 10, update v1 := v2 + 1 and reset y := 0.]
• Why: e12 can never fire from this zone (x < 3 contradicts x > 3); e11 and e21 are enabled for both valuations and map both of them to the same valuation, (0, 3) and (4, 3) respectively.
Compatibility containment
• Definition 3. Let (l, s1, D1) and (l, s2, D2) be two symbolic states of a timed automaton network. We say (l, s1, D1) compatibility-contains (l, s2, D2)
• if s1 is compatible with s2 on (l, D1), and
• D1 contains D2.
A lemma about compatibility containment
• Lemma. Let S1 and S2 be two symbolic states of a timed automaton network. If S1 compatibility-contains S2, then all the locations reachable from S2 are also reachable from S1.
• Intuitively, (l, s1, D1) is at least as likely to reach the target location as (l, s2, D2) is.
• The algorithm can therefore avoid generating the successors of a generated symbolic state (l, s, D) if another symbolic state which compatibility-contains (l, s, D) has already been generated.
• This condition is weaker than the basic one, so more states are pruned.
Finding the compatible valuations
• During the reachability analysis, when a symbolic state (l, s, D) is generated, an algorithm is used to find the valuations with which s is compatible on (l, D).
• This algorithm uses backward propagation to compute such valuations, based on the definition of compatibility.
• All these valuations are recorded in valuation sets attached to the generated states.
• A generated state (l, s', D') is compatibility-contained by (l, s, D) if D' is contained by D and s is found to be compatible with s'.
A compact data structure
• Let v1, v2, …, vn be the shared variables. We proved that the attached valuation sets can be represented as Cartesian products S1 × S2 × … × Sn, where each Si is a set of values of vi.
• This observation leads to a compact data structure for recording the compatible shared variable valuations.
The optimization
• The algorithm is optimized as follows:
• A shared variable valuation set is attached to each generated state (using the compact data structure).
• Avoid generating the successors of (l, s, D) if there is another generated state (l, s', D') such that s is in the attached set of (l, s', D') and D' contains D.
• During the reachability analysis, the attached sets are continuously expanded by backward propagation.
The performance (2) (the Bang & Olufsen audio protocol)
• The optimized algorithm uses only about 40% of the memory the original one does.