Symbolic Simulation-Checking of Dense-Time Automata

1
Symbolic Simulation-Checking of Dense-Time
Automata

• Farn Wang
• Dept. of Electrical Engineering
• National Taiwan University

2
Background

• Two ways of specification for timed systems

• Virtual machines
• state machines
• guarded commands
• executable models
• what should happen.
• - shows the flow how
• - basis for synthesis
• model refinement

• Emergent properties
• logic formulas
• TCTL, TPTL, MTL
• usually not executable
• what shouldnt happen.
• does not tell how
• checking for synthesis
• spec. composition

3
Background (contd)

• Two ways of specification for timed systems

Emergent properties
Virtual machines
model
??(p ? ??q)
specification
4
Motivation
A disparity!

• Disparity between the verification for
• the two ways for timed systems

An efficient algorithm for simulation/bisimulation
checking for timed systems ?

• Emergent properties
• model-checking
• well studied
• symbolic algorithms with zones
• tools

• Virtual machines
• simulation-checking
• bisimulation-checking
• studied
• algorithms with
• - regions
• - linear hybrid systems
• no tools for a whole
• task

5
Timed automata

• A??, X, G, L, I, H, E, ?, ?, ??

clock-reset set of transitions
event set
global discrete set
Triggering condition on transitions
Initial constraint
transition set
local discrete set
local clock set with radings in R?0.
Invariance constraint
event labeling on transitions
6
Timed automata (contd)

• A??, X, G, L, I, H, E, ?, ?, ??

State a mapping from X?G?L ?t ? through time
progress of t time units ??(t,e)?? can go to
? from ?t through transition e Run a
(?0,t0)(?k,tk)such that for all k?0, ?kt?H
? ?ktk1-tk? ?k1
7
(Branching) Simulation Definition

• A1??, X1, G, L1, I1, H1, E1, ?1, ?1, ?1?
• A2??, X2, G, L2, I2, H2, E2, ?2, ?2, ?2?, L1?
  L2 ?, X1? X2 ?
• A simulation from A1 to A2 is a Q? VA1?VA2 s.t.
  ?(?0, ?0) ?Q.
• ?0 and ?0 agree on valuation of variables in G.
  
• For every transition e1 that A1 can make at ?0 ?
• ? a run-seg. (?0,t0) (?n,tn) of A2 s.t.
• at the end, A2 can make a transition to match
  e1,
• all states at time t in the run-seg is in Q with
  ?0 t
• all transitions in the run-seg are internal to A2

8
A formulation of simulation
play?e1(?0)
match?e1(?0,?0, Q)

• A1??, X1, G, L1, I1, H1, E1, ?1, ?1, ?1?
• A2??, X2, G, L2, I2, H2, E2, ?2, ?2, ?2?, L1?
  L2 ?, X1? X2 ?
• A simulation from A1 to A2 is a Q? VA1?VA2 s.t.
  ?(?0, ?0) ?Q.
• ?0 and ?0 agree on valuation of variables in G.
  
• ? ??R?0 and e1?E1, if ?0?(?,e1)?(?0?) ?1(e1),
  then
• ? e2? Ee12 and ? a run-seg. (?0,t0)
  (?n,tn) of A2 s.t.
• ?n?(0, e2)??n ?2(e2),
• ((?0?)?1(e1), ?n ?2(e2)) ? Q, and
• transitions to ?k ,1?k?n, are all ?
• (?0tk-t0t,?k t)?Q, 0?kltn, t?0,tk1-tk
  (?0tn-t0,?n)?Q

9
A formulation of simulation (contd)
Simulation can be computed with a greatest
fixpoint procedure.

• Let not_simDe1(?,?, Q) be
• ? ??D(play?e1(?) ? ? match?e1(?,?, Q))
• Q is a simulation from A1 to A2 iff
• Q(?,?) ??H1,??H2,
• ??e1?E1(not_simR?0e1(?,?,Q))

10
(Branching) Simulation Definition

• A1??, X1, G, L1, I1, H1, E1, ?1, ?1, ?1?
• A2??, X2, G, L2, I2, H2, E2, ?2, ?2, ?2?,
• L1? L2 ?, X1? X2 ?
• A1 is simulated by (or implements, refines) A2
• if ? a simulation Q such that
• ? ? ? I1 ?? ? I2 ((?, ?) ? Q)

11
Why is simulation-checking for timed systems
difficult ?

• A1??, X1, G, L1, I1, H1, E1, ?1, ?1, ?1?
• A2??, X2, G, L2, I2, H2, E2, ?2, ?2, ?2?,
• L1? L2 ?, X1? X2 ?

The set of ?
Q(?,?) ??H1,??H2,
??e1?E1(not_sim R?0 e1(?,?,Q))
Since we dont have a bound for ?, we cannot use
DBM or zones to represent a simulation.
12
Related work

• Tasiran, Alur, Kurshan, Brayton. CONCUR'96.
• Region equivalence induces a simulaiton if any.
• EXPTIME of timed simulation checking.
• Simulation-checking through region graphs.
• Henzinger, Henzinger, Kopke. FOCS95.
• Time-abstract simulation
• Does not preserve timing properties

13
Related work (contd)

• Nakata, 1997.
• Discrete-time systems.
• Beyer, CHARMES00.
• Discrete-time systems.
• Lin, Wang. Acta Informatica, 2002.
• Axiomatization
• A proof system
• Aceto, Ingólfsdóttir, Pedersen, Poulsen,
  Theoretical Informatics and Applications, 2000.
• Conversion to model-checking problem.
• Not representable with zones.
• representable with convex polyhedra of LHA.

14
Related work (contd)

• Cassez, David, Fleury, Larsen, Lime, 2005
• UPPAAL-TIGA
• timed game automata
• controllable uncontrollable actions
• reachability game
• the executability of each action is determined
  with regions (zones)
• It is not clear how to reduce simulation checking
  to reachability game.

15
What is our proposal ?

• A1??, X1, G, L1, I1, H1, E1, ?1, ?1, ?1?
• A2??, X2, G, L2, I2, H2, E2, ?2, ?2, ?2?,
• L1? L2 ?, X1? X2 ?

A pair can be refuted if it can be refuted with a
transition in E1 in C12 time units.
The set of ?
Q(?,?) ??H1,??H2,
??e1?E1(not_sim e1(?,?,Q))
R?0
0,C12
This makes it possible to use zones to manipulate
simulation now.
C12 is the biggest timing constant used in A1 and
A2.
16
Central lemma

• if play?e1(?) ? ? match?e1(?,?, Q) , then
• ?t?0,? ?(?,?) ?Q either
• play?e1(?) ? ? match?e1(?,?, Q) or
• play??(?) ? ? match?? (?,?, Q)

17
Central lemma (proof idea, contd)

• if play?e1(?) ? ? match?e1(?,?, Q) , then
• ?t?0,? ?(?,?) ?Q either
• play?e1(?) ? ? match?e1(?,?, Q) or
• play??(?) ? ? match?? (?,?, Q)
• Proof
• A refuting stuttering segment of length ? from ?

case 1 cannot match e1
?
case 2 falls out of Q before ?
18
Central lemma (proof idea, contd)

• if play?e1(?) ? ? match?e1(?,?, Q) , then
• ?t?0,? ?(?,?) ?Q either
• play?e1(?) ? ? match?e1(?,?, Q) or
• play??(?) ? ? match?? (?,?, Q)
• Proof A refuting stuttering tree of height ?

(?,?)
a segment in case 1
All segments in case 2
(?,?) at height t
19
Lemma 3 in the paper

• Q is a simulation from A1 to A2 iff
• Q(?,?) ??H1,??H2,
• ??e1?E1(not_sim0,C12e1(?,?,Q))
• proof for ?
• ??e1?E1 (not_simR ?0 e1(?,?,Q))
• ? ??e1?E1 ? ?? R?0 (play?e1(?) ? ? match?e1(?,?,
  Q))
• ? ?e1?E1 ??? R?0 ? (play?e1(?) ? ? match?e1(?,?,
  Q))
• ? ?e1?E1 ??? 0,C12 ? (play?e1(?) ? ?
  match?e1(?,?, Q))
• ? ? ?e1?E1 ??? 0,C12 (play?e1(?) ? ?
  match?e1(?,?, Q))
• ? ? ?e1?E1 (not_sim0,C12e1(?,?,Q))

20
Lemma 3 in the paper (contd)

• Q is a simulation from A1 to A2 iff
• Q(?,?) ??H1,??H2,
• ??e1?E1(not_sim0,C12e1(?,?,Q))
• proof for ?
• ? ?e1?E1 (not_sim0,C12e1(?,?,Q))
• ? ?e1?E1 (? not_sim0,C12e1(?,?,Q)? ?
  not_sim0,C12?(?,?,Q))
• ? ?e1?E1 (? not_simR?0e1(?,?,Q)) Lemma 2
• ? (?,?) ??H1,??H2, ??e1?E1(not_sim0,C12e1(?,?,
  Q))
• (?,?) (not_sim0,C12e1(?,?,Q)?not_simR?
  0e1(?,?,Q))
• (?,?) (not_simR?0e1(?,?,Q))

21
Implementation

• Q is a simulation from A1 to A2 iff
• Q(?,?) ??H1,??H2,
• ??e1?E1(not_sim0,C12e1(?,?,Q))
• Since L1? L2 ?, X1? X2 ?, zones for all
  variables in G ? L1 ? L2 ? X1 ? X2 to represent
  Q.
• MDDCRD of RED to implement the zones.
• The bulk-evaluation technique described in Wang
  ICFEM 2005 to implement the precondition
  evaluation
• A greatest fixpoint procedure.
• EDGF IEEE TSE 2006 also used to speed up the
  greatest fixpoint evaluation.

22
GFP procedure

• B H1?H2 B false
• while B?B
• B B
• for each e1 in E1
• Let p1 be the timed precondition of e1.
• Let p2 be the disjuctions of precondtions of
  all (e1,e2)
• with e2 matching e1.
• Let p3 be the backward reachability of p2
  through transitions
• internal to A2.
• Let B B (p1-p3)
• If I1 ? ?L2 ? X2(I1?B) return false else return
  true.

23
A performance issue
An under-approximation of not_sim(C12,?)e1(?,?,Q)
implementable with zone with over-approximation
of match?e1(?,?,Q) with ??(C12,?)
Q(?,?) ??H1,??H2,
??e1?E1(not_sim0,C12e1(?,?,Q)),
??e1?E1(unot_sim(C12,?)e1(?,?,Q))

• In the original formulation, we can refute a pair
  with any ? in a GFP iteration.
• In the new one, we can only refute a pair with a
  ??0,C12 in a GFP iteration.
• A refutation step may now have to be done with a
  sequence of short refutation steps through
  transitivity.
• Can that hurt the performance ?

24
Experiment
Memory for data-structures
CPU time in sec.
concurrency sizes of either party
Nr. of GFP iterations
Benchmarks size Sim ? New formula. Speed up
Fischers 6 yes 304s/1518k/8 281s/1319k/8
Fischers 6 no 86s/957k/3 86.7s/955k/3
CSMA/CD 3 yes 122s/3509k/7 125s/3503k/7
CSMA/CD 3 no 21.7s/2089k/2 25.7s/2089k/2
Consumer /producer 5 yes 1.21s/76k/2 0.53s/75k/2
Consumer /producer 5 no 1.17s/83k/4 1.16s/83k/4
2 periodical tasks 17/19 yes 125s/18M/20 22.4s/8444k/3
2 periodical tasks 17/19 no 125s/18M/18 20.5s/8448k/1
25
Summary

• A new formulation for branching simulation of
  dense-time systems
• It is now possible to implement
  simulation-checking for dense-time systems
• Can also be adapted to bisimulation-checking
• Implementation
• In general, the new formulation does not hurt the
  performance.
• We find a way to speed-up for some tasks