Presentation is loading. Please wait.

Presentation is loading. Please wait.

Compatibility between shared variable valuations in timed automaton network model- checking Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang Presented.

Published byHector Malone Modified over 9 years ago

Similar presentations

Presentation on theme: "Compatibility between shared variable valuations in timed automaton network model- checking Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang Presented."— Presentation transcript:

1 Compatibility between shared variable valuations in timed automaton network model- checking Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang Presented by ZHAO Jianhua

2 Background (Time Automata)  A timed automaton can be viewed as a conventional finite state automaton plus some clock variables , which are used to constraint time distances between events. AB Clocks: x, y E1:x < 5, y := 0 E2: y < 8, x := 0 x < 5y < 8

3 Background (timed automaton network)  A timed automaton network is a finite set of timed automata which interact with each other.  These timed automata may interact with each other through a finite set of shared variables.  For each timed automaton network, an equivalent timed automaton can be built.

4 Background (timed automaton network)  An example: AB Clocks: x E11:x < 5, x:=0 v:=1 E12: x < 8, x := 0 v==0 x < 5x < 8 12 E21:y < 8, y:=0 v==1 E12: y < 3, y := 0 v:=0 y<8 y < 3 Clocks: y

5 Background (reachability analysis 1)  Many interesting properties (for example, safety) can be expressed as reachability of locations of timed automata.  Because the state spaces of timed automata are infinite, model checking techniques can not be applied to timed automaton directly. –Symbolic representation of states are used in automatically reachability analysis.

6 Background (Symbolic States)  A symbolic state of a timed automaton network is a tuple (l,s, D) –l is the global location of the network. –s is the valuation of the set of shared variables. –D is a conjunction of formulas like x-y<c.  A symbolic state (l,s, D ) represents a set of concrete states (l,s,v), where v satisfies D.  Given a symbolic state S, the set of concrete states which are reachable from a concrete state in S through a given transition t can also be represented as a symbolic state. We call it as the successor of S w.r.t. t.

7 Background (Basic reachability analysis algorithm 1) Wait = { S 0 }, Passed = {}, where S 0 is the initial symbolic state while (Wait != {} ) do { S = a symbolic state in Wait; Wait = Wait – {S} for each transition t leaving S do {S’ = successor of S w.r.t. t; if (S’!= Φ and S’ is not contained by any state in Passed) Wait = Wait + {S’} if (the location of S’ is the target location) return true; } Passed = Passed + {S} }

8 Background (Basic reachability analysis algorithm 2)  The algorithm explores the state space by generating successors of generated states continuously.  The algorithm will not generated the successors of a generated symbolic state (l,s, D 1 ) only if –another symbolic state (l, s, D 2 ) containing (l,s, D 1 ) has already been generated. –a symbolic state S 1 contains another one S 2, if the set of concrete states represented by S 1 contains the one represented by S 2.

9 Compatibility between shared variable valuations  A shared variable valuations s 1 is compatible with s 2 on a tuple (l,D) if for each transition e leaving l, one of the following conditions holds. –s 1 and s 2 are identical. –The conjunction of D and g is false, where g is the time guard of e. –Neither s 1 nor s 2 satisfies the shared variable guards of e. –The variable guard of e is satisfied by s 1, and the transition e sets s 1 and s 2 to two compatible variable valuations.

10 An example of Compatibility  (v1 = 3; v2 = 3) is compatible with (v1 = 2; v2 = 3) on ((A,M), (x > 3 ^ y < 10)) A B Clocks: x MN Clocks: y Shared variables: v1, v2 B C e11 : x > 5; v2 = 3 x:=0, v1:=0 e12 : x < 3; v1 = 3 x:=0, v1:=v1+1 e21 : y < 10; v1:=v2+1, y:= 0

11 Compatibility contain  Definition 3. Let (l, s 1, D 1 ) and (l, s 2, D 2 ) be two symbolic states of a timed automaton network. We say (l, s 1, D 1 ) compatibility contains (l, s 2,D 2 ) –if s 1 is compatible with s 2 on (l, D 1 ) and –D 1 contains D 2.

12 A lemma about the compatibility contain  Lemma –Let S 1, and S 2 be two symbolic states of a timed automaton network. We have that all the locations reachable from S 2 are also reachable from S 1 if S 1 compatibility contains S 2.  Intuitively, (l, s 1, D 1 ) is more like to reach the target location than (l, s 2, D 2 ) is.  The algorithm can avoid generating successors of a generated symbolic state (l, s, D 1 ) if –another symbolic state which compatibility-contains (l, s, D) has already been generated.  This condition is weaker than the basic one.

13 Find the compatible valuations  During the reachability analysis, if a symbolic state (l,s,D) is generated, an algorithm can be used to find valuations with which s is compatible on (l,D).  This algorithm uses a backward propagation method to compute such valuations based on the definition of compatibility.  All these valuations are recorded in valuation sets attached to the generated states.  For each generated state (l, s’,D’), it is compatibility contained by (l,s,D) if D’ is contained by D and s is found to be compatible with s’.

14 A compact data structure  Let v 1, v 2, …, v n be a set of shared variables. We proved that the attached valuation sets can be represented as Cartesian products s 1 × s 2 × … × s n  This observation leads to a compact data structure to record the compatible shared variable valuations.

15 The optimization  The algorithm is optimized as follows –A shared variable valuation set is attached to each generated state. (using the compact data structure) –Avoid generating successor of (l, s, D) if there is another generated state (l, s’, D’) such that s is in the attached set of (l, s’, D’) and D’ contains D –During the reachability analysis, the attached sets are continuously expanded by backward propagation.

16 The performance (1) (The bounded retransmission protocol)

17 The performance (2) (the Bang&Olufsion audio protocol)  The optimized algorithm uses only about 40% memories as the original one does.

Download ppt "Compatibility between shared variable valuations in timed automaton network model- checking Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang Presented."

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
A Survey of Runtime Verification Jonathan Amir 2004.

A Survey of Runtime Verification Jonathan Amir 2004.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
C O N T E X T - F R E E LANGUAGES ( use a grammar to describe a language) 1.

C O N T E X T - F R E E LANGUAGES ( use a grammar to describe a language) 1.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
ESE601: Hybrid Systems Some tools for verification Spring 2006.

ESE601: Hybrid Systems Some tools for verification Spring 2006.
Pushdown Systems Koushik Sen EECS, UC Berkeley Slide Source: Sanjit A. Seshia.

Pushdown Systems Koushik Sen EECS, UC Berkeley Slide Source: Sanjit A. Seshia.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Combining Symbolic Simulation and Interval Arithmetic for the Verification of AMS Designs Mohamed Zaki, Ghiath Al Sammane, Sofiene Tahar, Guy Bois FMCAD'07.

Combining Symbolic Simulation and Interval Arithmetic for the Verification of AMS Designs Mohamed Zaki, Ghiath Al Sammane, Sofiene Tahar, Guy Bois FMCAD'07.

Similar presentations

Ads by Google