Clocked Mazurkiewicz Traces and Partial Order Reductions for Timed Automata D. Lugiez, P. Niebert, S. Zennou Laboratoire d Informatique Fondamentale de Marseille (LIF, UMR 6166)

Clocked Mazurkiewicz Traces and Partial Order Reductions for Timed Automata D. Lugiez, P. Niebert, S. Zennou Laboratoire d Informatique Fondamentale de Marseille (LIF, UMR 6166) A Partial Order Semantics approach to the clock explosion problem of timed automata

At least two previous presentations at Ametist meetings... « They talk and talk... » « Now they change the title... » « Where is the beef?! »

Thank you for your patience! Classical Zone Automaton Event Zone Automaton(ELSE)

Thank you for your patience! Classical Zone Automaton Event Zone Automaton(ELSE)

Thank you for your patience! Friendly Example: Dining Philosophers with timeouts Hostile Example: Fischers Protocol (almost sequential)

A long time misunderstanding... Partial order reduction methods Cut redundant branches in search tree Works well for discrete systems And for timed automata/time Petri nets? [Bengtson-Lilius-Johnsson-Yi 98], [Minea99],... Semantic restrictions B.J. : « sometimes not worse than without reduction... » Without citation : Buggy theorems, discretisation,...

Mazurkiewicz traces

Example parallel system 0 e d c ba f 3 g 34 ABC

0 e d c ba f 3 g 34 Property: Is it possible that A enters state 2 ABC

Witness path to property 0 e d c ba f 3 g 34 ABC

State graph = synchronous product

The state graph d c a a a a a a a b b b b b b c c d d e e f 1,0,01,1,0 0,0,0 1,0,21,1,2 0,0,20,1,2 1,1,1 0,0,1 0,2,1 1,2,1 2,3,1 0,1,0 0,1,1 1,0,1 c d c d 3,4,0 3,4,2 3,4,1 g g g d d d 0,2,2 2,2,3 f a

The state graph d c a a a a a a a b b b b b b c c d d e e f 1,0,01,1,0 0,0,0 1,0,21,1,2 0,0,20,1,2 1,1,1 0,0,1 0,2,1 1,2,1 2,3,1 0,1,0 0,1,1 1,0,1 c d c d 3,4,0 3,4,2 3,4,1 g g g ddd 0,2,2 2,2,3 f a Property: It is possible that A enters state 2!

The witness path d c a a a a a a a b b b b b b c c d d e e f 1,0,01,1,0 0,0,0 1,0,21,1,2 0,0,20,1,2 1,1,1 0,0,1 0,2,1 1,2,1 2,3,1 0,1,0 0,1,1 1,0,1 c d c d 3,4,0 3,4,2 3,4,1 g g g d d d 0,2,2 2,2,3 f a Property: It is possible that A enters state 2!

d c a a a a a a a b b b b b b c c d d e e f 1,0,01,1,0 0,0,0 1,0,21,1,2 0,0,20,1,2 1,1,1 0,0,1 0,2,1 1,2,1 2,3,1 0,1,0 0,1,1 1,0,1 c d c d 3,4,0 3,4,2 3,4,1 g g g d d d 0,2,2 2,2,3 f a Equivalent executions a b c d e d f a b c d e d f a b d e c d f a b d e f c d

The misunderstanding Dont « try to avoid redundancy in search of zone automaton». Instead, see to have less zones!

Actually (a,-,X:=0) (b,-,Y:=0) (1,X=Y=0) a (2,X=0,Y 0) (2,X 0,Y=0) b (4,X 0,Y=0) (4,X=0,Y 0) ba

An artificial example

Classical Zone Automaton Event Zone Automaton(ELSE)

Our work about this Theoretical foundation, now to treat Alur-Dill automata without any restriction Infinite symbolic « event zone automaton » with full commutation Finite index equivalence that preserves reachability (only) A tool! (Well, still a prototype, of course...)

Context (other works) [DSouza-Tjagarajan98] : Complementation for a sub class of timed automata « Distributed Interval Automata » Petri nets with final states Surprise : Construction based on Mazurkiewicz traces without time Potential basis for a new formalisation

Timed Automata - and independence?

Timed Automata Extension of automata by clocks Transitions with Conditions/Assignments Time passes in the states...

Timed Automata Problem for the analysis : Infinite state space Solutions : Discretisation (if possible) Symbolic representations

Formalisation Separate state graph from constraints « Clocked labels »

Timed Automata ={,,,,…} of finite clocked label alphabet Set of clocks C An automaton A=(Q,s 0,,F) over Q finite set of states s 0 Q initial state Q x x Q transition relation F Q final states

Timed Automata Clocked label =(a,c,r) of action + constraint + reset Action over ={a, b, c, d,…} finite Constraint c maps clocks to intervals with integer or infinite bounds Reset r C Clocked words = sequence of clocked labels Ex:

Timed and Clocked Words Timed word = (w,t) with w * and t maps positions in w to time stamps Ex: (a, 3.2)(c, 2.5)(b, 6.3) Normal timed word (w,t) s.t. t(i) t(j) if i j Ex: (a, 3.2)(c, 4.5)(b, 6.3)

Timed Automata Semantics: sequences of transitions with « time stamps »

Symbolic states of timed automata Combination of discrete states and regions or zones of clock values Zones: conjunctions of clock bounds X (- 0) 3 clock difference bounds X-Y 3 difference bounds matrix of dimension n+1 (clocks and zero) Algorithms

Linking Clocked and Timed Words Standard realization of a clocked word with i =(a i,c i,r i ), 1 i n = (w,t) s.t. w=a 1 …a n (w,t) normal t(k)-t(l) c k (C) l=last reset of C in 1 … k-1 Ex: (a, 3.2)(c, 4)(b, 6.2) = normal realization of L t (A) set of clocked words = 1... n which have a standard realization and s.t. s 0 1 s 1... n s n F

Independence of clocked labels One transition does not constrain clocks the other transition resets. One transition does not reset clocks the other transition resets. Same as independence for shared variables read a variable written by another process implies dependency writing the same variable implies dependency

Relaxing constraints Standard zones incomparable zones Ex: ab > c 2 c 1 ba > c 1 c 2 Normal timed words (w,t) w.r.t I realizing with i =(a i,c i,r i ) s.t. w=a 1 …a n t(i) t(j) if i j and not a i I a j t(k)-t(l) c k (C) l=last reset of C in 1 … k-1 Ex: (c, 4)(a, 3.2)(b, 6.2) for

Commuting clocked labels and time stamps together! Clocked word (a,X 1,-) Normal timed word w.r.t. I (a,0.7)(b,0.5)(c,1.6) Equivalent Clocked word (b,Y 1,-) Equivalent timed word, normal! (b,0.5)(a,0.7)(c,1.6)

What is it good for Realisability w.r.t. I characterises classical realisability up to commutations Any realisation w.r.t. I can be transformed into a classical realisation. Hence, we can search for error traces modulo independence, then retrieve normal ones.

Towards Algorithmics

Relaxing constraints Standard zones incomparable zones Ex: ab > c 2 c 1 ba > c 1 c 2 Normal timed words (w,t) w.r.t I realizing with i =(a i,c i,r i ) s.t. w=a 1 …a n t(i) t(j) if i j and not a i I a j t(k)-t(l) c k (C) l=last reset of C in 1 … k-1 Ex: (c, 4)(a, 3.2)(b, 6.2) for

Clocked Words and Event Zones One variable per position in + one for the beginning (empty word) Ex: > V={x 0, x 1, x 2, x 3 } Only constraints between dependent clocked labels are added Commuting independent clocked labels gives isomorphic constraint set

Differences and Graph Algorithms X-Y c, Y-Z d implies X-Z c+d X Y Z c d c+d Graph coding: Shortest path = Strongest Consequence Solving via graph algorithms (Ford-Bellman, Floyd-Warshall): shortest path with negative weights negative cycles = no solution

On the level of traces these constraints characterise realisability... can be used for « bounded model checking » [FTRTFT2002]

And for exhaustive exploration ???

Zone automata? Technical problem : The longer the trace, the more variables?! Fundamental problem : Constraints X-Y c with c unbounded Classical zone automata : abstraction (the greatest constant...) P.Bouyer : yes, but be careful!

Bounding dimensions Transitions add variables and constraints linking them to an interface « Last » Last clock resets Last occurrences of independent actions Decomposition of shortest paths s1s1 s2s2 s3s3

Distances in the interface s1s1 s2s2 s3s3

Projection of the event zone to the interface can be computed incrementally : add new event normalise (incremental Floyd-Warshall) garbage collection: project events no longer in the interface Dimensions : at worst (#clocks +1) * #processes classical timed automata #clocks + 1

Data structure event zone e2 r X r Y r Z r U e3 e1e4 e2e7 r X r Y r Z r U p 1 p 2 p 3 <3 t(e3)-t(e2)<3

The fundamental problem Languages of realisable traces are not always finite state 1 2 =(Y=1,b,Y:=0) =(X=1,a,X:=0) =(X=5,Y=5,c,-) R = realisable traces R {, }* ={u | u {, }*, |u| = |u| } not recognisable

The fundamental problem - what to do Give up semantic Restrictions (BLJY98,M99) No Zeno cycles + invariants deduce new bounds (huge) for the abstraction Our choice : maintain the classical abstraction, sacrifice some commutations New approach: Compute without abstraction, compare with abstraction

A formal language view Clock zone automaton, also with abstraction, gives Nerode congruence of finite index Optimisations of timed automata mean smaller index No such automaton can exist for realisable traces, but...

The trick for event zones « Separate past and future before comparing » Separator transition « $ », commutes with nothing. Insertion of separator in sequence u$v changes nothing, except: all of u happens temporally before all of v IN-preorder to replace zone inclusion Theorem: Reachability w.r.t. classical semantics preserved

The trick and formal language view

Practically Compute with event zones Z u WITHOUT separators Compare not Z u and Z v, but Z u$ and Z v$ Dimension of Z u$ at most #Clocks+1 Same abstractions and data structures as for Clock zones possible!

« UppAal killer » does not kill Else In fact, asymmetric bounds analysis included, Difference to -n2 switch: No location based analysis used

And the counterexample? 1 2 =(Y=1,b,Y:=0) =(X=1,a,X:=0) =(X=5,Y=5,c,-)

And the counterexample? Classical Zone Automaton Event Zone Automaton(ELSE)

The reachability algorithm

Practical aspects of algorithm Zones with higher dimensions in « Gray set » (Waiting List) Potentially higher cost of computing successors Potentially more memory needed Zones with classical dimensions in « Black set » (Past List) All fancy data structures work here (compressed clock zones, CDDs,...)

ELSE - a new timed automata tool Contributors until now: Manuel Yguel, Sarah Zennou, Peter Niebert, Marcos Kurban (U.Twente)

Our tool approach Aim: Platform for experiments with algorithms for timed automata and more... No intention to invent new specification language Currently use IF 2 (VERIMAG) as input syntax But semantic coverage very limited (lazy implementation) Sometime 2004: Open Source Distribution, Invitation to participate

Software structure of ELSE Much like Murphi, Spin, IF,... Compiler Frontend(s), maybe add UppAal (Tool Interaction!) Internal data structure to generalize frontends... Backend(s) for exploration, generate C-code Libraries memory management, output (graph drawing), exploration... Some parts as include files

Current state of development « Prototype » Almost complete chain Very little language coverage Sufficient for exhaustive exploration experiments Good memory management Urgent todo list before alpha release Sequence extraction Basic urgency Efficient data structures for « past list » A bit more of static analysis A few algorithmic improvements

Conclusion, outlook Fundamental contribution, clean theory A substantial contribution to timed automata algorithmics Strong potential for resource allocation problems (linear priced version would be interesting) A new tool, still needs work for serious case studies