Efficient Verification of Timed Automata
Kim Guldstrand Larsen, Paul Pettersson, Mogens Nielsen (BRICS@Aalborg, BRICS@Aarhus)

REGIONS (review)

Petri Net, June 2000; Kim G. Larsen, Mogens Nielsen, Paul Pettersson; UCb
Regions: finite partitioning of state space
[Figure: region partition of the (x, y) clock plane, grid 1 2 3 on x and 1 2 on y]
Definition (formula garbled in extraction): two clock valuations are equivalent iff they satisfy exactly the same set of conditions, bounded by the maximal constant max.
An equivalence class (i.e. a region); in fact there is only a finite number of regions!!
Regions: finite partitioning of state space (cont.)
Successor regions, Succ(r): [Figure: the regions reached from region r by letting time pass, in the same (x, y) grid]

Regions: finite partitioning of state space (cont.)
Reset regions {x}r and {y}r: [Figure: the regions obtained from region r by resetting x, resp. y, to 0]
THEOREM (statement garbled in extraction): whenever u and v are equivalent, then (l,u) sat ... and (l,v) sat ... .
Fischer's again
[Figure: two Fischer processes sharing variable V. Process 1: locations A1, B1, CS1 with labels X:=0, X<1, V:=1, X>1, V=1. Process 2: locations A2, B2, CS2 with labels Y:=0, Y<1, V:=2, Y>1, V=2.]
Untimed case, reachable states:
(A1,A2,v=1) (A1,B2,v=2) (A1,CS2,v=2) (B1,CS2,v=1) (CS1,CS2,v=1)
Timed case, partial region graph:
(A1,A2,v=1) x=y=0
(A1,A2,v=1) 0<x=y<1
(A1,A2,v=1) x=y=1
(A1,A2,v=1) 1<x,y
(A1,B2,v=2) 0<x<1, y=0
(A1,B2,v=2) 0<y<x<1
(A1,B2,v=2) 0<y<x=1
(state label lost in extraction) y=0
(A1,B2,v=2) 0<y<1, 1<x
(A1,B2,v=2) 1<x,y
(A1,B2,v=2) y=1, 1<x
(A1,CS2,v=2) 1<x,y
No further behaviour possible!!
Regions: Alternative Definition
[Figure: (x, y) clock plane with grid 1 2 3 on x and 1 2 on y; the definition itself was not captured in extraction]
Problem with regions
Number of regions over n clocks: (formula garbled in extraction; it depends on n and on the maximal constants Cx)
Explosion in number of clocks
Explosion in maximal constant
Reachability is PSPACE complete for a single TA
THE UPPAAL ENGINE
Reachability & Zones: property and system dependent partitioning
Zones: from infinite to finite
State: (n, x=3.2, y=2.5)
Symbolic state (set): (n, Z) with Z a zone
Zone: conjunction of constraints of the form x-y<=n, x<=>n
[Figure: a concrete state as a point in the (x, y) plane vs. a symbolic state as a zone]
Symbolic Transitions
[Figure: edge a from location n to location m with guard x>3 and reset y:=0]
(1<=x<=4, 1<=y<=3)
  delays to     1<=x, 1<=y, -2<=x-y<=3
  conjuncts to  3<x, 1<=y, -2<=x-y<=3
  projects to   3<x, y=0
Thus (n, 1<=x<=4, 1<=y<=3) =a=> (m, 3<x, y=0)
Fischer's Protocol: analysis using zones
[Figure: two Fischer processes sharing variable V, with annotations Init V=1, V, Critical Section. Process 1: A1, B1, CS1 with X:=0, X<10, V:=1, X>10, V=1. Process 2: A2, B2, CS2 with Y:=0, Y<10, V:=2, Y>10, V=2.]
Fischer's cont.
[Figure: the two processes as before, with constant 10 (X:=0, X<10, V:=1, X>10, V=1; Y:=0, Y<10, V:=2, Y>10, V=2)]
Untimed case: (A1,A2,v=1) (A1,B2,v=2) (A1,CS2,v=2) (B1,CS2,v=1) (CS1,CS2,v=1)
Taking time into account: [Figure, built up over several slides: for each symbolic state its zone over clocks X and Y, drawn in the (X, Y) plane with the constant 10 marked on both axes]
Forward Reachability
[Figure, built up over several slides: Passed and Waiting lists between Init and Final; (n,Z) is picked from Waiting, compared against (n,Z') in Passed, and its successors (m,U) are added to Waiting]
INITIAL  Passed := Ø; Waiting := {(n0,Z0)}
REPEAT
  - pick (n,Z) in Waiting
  - if for some Z' ⊇ Z, (n,Z') is in Passed then STOP
  - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
Init -> Final ?
Canonical Datastructures for Zones: Difference Bounded Matrices (Bellman 1958, Dill 1989)
Inclusion
D1: x<=1, y-x<=2, z-y<=2, z<=9
D2: x<=2, y-x<=3, y<=3, z-y<=3, z<=7
D1 ⊆ D2 ? D2 ⊆ D1 ?
[Figure: constraint graphs over nodes 0, x, y, z. D1 has edge weights 1 (x<=1), 2 (y-x<=2), 2 (z-y<=2), 9 (z<=9); D2 has 2, 3, 3 (y<=3), 3, 7. Comparing these raw graphs does not decide inclusion (marked ? ? on the slide).]
Shortest Path Closure: after closure the z bound of D1 tightens from 9 to 5 and that of D2 from 7 to 6; the closed graphs are canonical and can be compared edge by edge.
Canonical Datastructures for Zones: Difference Bounded Matrices (Bellman 1958, Dill 1989)
Emptiness
D: x<=1, y>=5, y-x<=3
[Figure: constraint graph over nodes 0, x, y with weights 1 (x<=1), -5 (y>=5), 3 (y-x<=3)]
Negative cycle iff empty solution set
Canonical Datastructures for Zones: Difference Bounded Matrices
Future
D: 1<=x<=4, 1<=y<=3
Future D: 1<=x, 1<=y, -2<=x-y<=3
Shortest Path Closure first, then remove upper bounds on clocks
[Figure: constraint graph of D over nodes 0, x, y with weights 4, -1 (for x) and 3, -1 (for y); closure adds the diagonal bounds 3 (x-y<=3) and 2 (y-x<=2); Future removes the upper bounds 4 and 3]
Canonical Datastructures for Zones: Difference Bounded Matrices
Reset
D: 1<=x, 1<=y, -2<=x-y<=3
{y}D: y=0, 1<=x
Remove all bounds involving y and set y to 0
[Figure: constraint graph of D with weights -1, -1, 3, 2; after the reset the y edges carry weight 0 in both directions and x keeps its lower bound -1]
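As an added example (not code from the slides or from UPPAAL), a minimal Python DBM with the operations the slides list: Shortest Path Closure, inclusion, emptiness via a negative cycle, Future and Reset. It assumes non-strict bounds only (the slides' DBM examples all use <=) and represents "no bound" as infinity.

```python
from itertools import product

INF = float("inf")  # "no bound" entry

def dbm(n, bounds):
    """DBM over clocks 1..n; index 0 is the reference clock (always 0).
    bounds maps (i, j) to c, meaning x_i - x_j <= c.  The diagonal is 0
    and every clock is implicitly >= 0, i.e. x_0 - x_i <= 0."""
    d = [[INF] * (n + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][i] = 0
        d[0][i] = 0
    for (i, j), c in bounds.items():
        d[i][j] = min(d[i][j], c)
    return d

def close(d):
    """Shortest Path Closure (Floyd-Warshall): every entry becomes the
    weight of the shortest path in the constraint graph (canonical form)."""
    idx = range(len(d))
    for k, i, j in product(idx, repeat=3):
        if d[i][k] + d[k][j] < d[i][j]:
            d[i][j] = d[i][k] + d[k][j]
    return d

def is_empty(d):
    """Closure turns a negative cycle into a negative diagonal entry."""
    return any(d[i][i] < 0 for i in range(len(d)))

def included(d1, d2):
    """D1 subset of D2 iff, on closed DBMs, every bound of D1 is <= D2's."""
    return all(a <= b for r1, r2 in zip(d1, d2) for a, b in zip(r1, r2))

def future(d):
    """Future (delay): drop the upper bounds x_i - x_0 <= c on all clocks.
    A closed DBM stays closed under this operation."""
    for i in range(1, len(d)):
        d[i][0] = INF
    return d

def reset(d, clocks):
    """Reset: on a closed DBM, set each listed clock to 0 by dropping its
    bounds and copying the reference clock's row and column."""
    for x in clocks:
        for i in range(len(d)):
            if i != x:
                d[x][i], d[i][x] = d[0][i], d[i][0]
    return d
```

Fed the slides' D1 and D2, closure tightens the z bounds to 5 and 6 and confirms D1 ⊆ D2 but not D2 ⊆ D1; the emptiness example (x<=1, y>=5, y-x<=3) produces a negative diagonal.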
Improved Datastructures: Compact Datastructure for Zones (RTSS 1997)
Constraints: x1-x2<=4, x2-x1<=10, x3-x1<=2, x2-x3<=2, x0-x1<=3, x3-x0<=5
[Figure: constraint graph over x0, x1, x2, x3. Shortest Path Closure, O(n^3), tightens x2-x1 from 10 to 4 (via x3: 2+2) and adds derived edges (weights 3, -2, -2, 1 on the slide). Shortest Path Reduction, O(n^3), then drops the redundant edges again, leaving fewer edges than the closed graph.]
Canonical wrt =; space worst case O(n^2), in practice O(n)
Shortest Path Reduction: 1st attempt
Idea: an edge is REDUNDANT if there exists an alternative path of no greater weight. THUS remove all redundant edges!
Problem: [Figure: two edges v and w, each with an alternative path of weight <= its own] v and w are both redundant; removal of one depends on presence of the other.
Observation: if no zero- or negative cycles then SAFE to remove all redundancies.
Shortest Path Reduction: Solution
G: weighted graph
1. Equivalence classes based on 0-cycles.
2. Graph based on representatives. Safe to remove redundant edges.
3. Shortest Path Reduction = one cycle per class + removal of redundant edges between classes
Other Symbolic Datastructures
Regions (Alur, Dill)
NDD's (Maler et al.)
CDD's (UPPAAL/CAV99)
DDD's (Møller, Lichtenberg)
Polyhedra (HyTech)
......
[Figure: CDD-representations]
Verification Options
• Diagnostic Trace
• Breadth-First
• Depth-First
• Local Reduction
• Active-Clock Reduction
• Global Reduction
• Re-Use State-Space
• Over-Approximation
• Under-Approximation
Representation of symbolic states: (In)Active Clock Reduction
[Figure: automaton in which x is only active in location S1; edges carry the guards x>3, x<5, x<7 and resets x:=0]
Definition: x is inactive at S if on all paths from S, x is always reset before being tested.
Definition (formula garbled in extraction): Act(S) for a location S whose outgoing edges have guards g1..gk, resets r1..rk and targets S1..Sk, built from Clocks(gi) and Act(Si)/Clocks(ri).
Only save constraints on active clocks
When to store symbolic state: Global Reduction
No cycles: Passed list not needed for termination. However, Passed list useful for efficiency.
Cycles: only symbolic states involving loop-entry points need to be saved on Passed list.
Reuse State Space
Checking a series of properties A[] prop1, A[] prop2, A[] prop3, A[] prop4, A[] prop5, ..., A[] propn: search in existing Passed list before continuing search.
Which order to search? Hashtable.
[Figure: Passed and Waiting lists shared between the searches for prop1 and prop2]
Over-approximation: Convex Hull
[Figure: two zones in the (x, y) plane, axes marked 1 3 5, and their convex hull]
Under-approximation: Bitstate Hashing
[Figure: the forward reachability picture with Init, Final, (n,Z), (n,Z'), (m,U); the Passed list is replaced by a bit array indexed by a hash function F. UPPAAL: 8 Mbits.]
Passed = Bitarray
INITIAL  Passed := Ø; Waiting := {(n0,Z0)}
REPEAT
  - pick (n,Z) in Waiting
  - if for some Z' ⊇ Z, (n,Z') is in Passed then STOP
  - else (explore) add { (m,U) : (n,Z) => (m,U) } to Waiting; add (n,Z) to Passed
UNTIL Waiting = Ø or Final is in Waiting
With bitstate hashing the inclusion test becomes Passed(F(n,Z)) = 1 and adding to Passed becomes Passed(F(n,Z)) := 1.
END