1. Compatibility between shared variable valuations in timed automaton network model checking
Zhao Jianhua, Zhou Xiuyi,
Li Xuandong, Zheng Guoliang
Presented by ZHAO Jianhua
2. Background (Timed Automata)
♦ A timed automaton can be viewed as a conventional finite state automaton plus some clock variables, which are used to constrain the time distances between events.
[Figure: a timed automaton with clocks x, y; locations A (labelled x<5) and B (labelled y<8); edge E1: x < 5, y := 0; edge E2: y < 8, x := 0]
3. Background (timed automaton network)
♦ A timed automaton network is a finite set of timed automata which interact with each other.
♦ These timed automata may interact with each other through a finite set of shared variables.
♦ For each timed automaton network, an equivalent timed automaton can be built.
4. Background (timed automaton network)
♦ An example:
[Figure: two timed automata sharing the variable v. Automaton 1 has clock x, locations A (labelled x<5) and B (labelled x<8), and edges E11: x < 5, x := 0 and E12: x < 8, x := 0. Automaton 2 has clock y, locations 1 (labelled y<8) and 2 (labelled y<3), and edges E21: y < 8, y := 0 and E12 (sic): y < 3, y := 0. The edge labels also carry the shared-variable guards v==0 and v==1 and the assignments v:=1 and v:=0.]
5. Background (reachability analysis 1)
♦ Many interesting properties (for example, safety) can be expressed as reachability of locations of timed automata.
♦ Because the state spaces of timed automata are infinite, model checking techniques cannot be applied to timed automata directly.
– Symbolic representations of states are used in automatic reachability analysis.
6. Background (Symbolic States)
♦ A symbolic state of a timed automaton network is a tuple (l, s, D)
– l is the global location of the network.
– s is the valuation of the set of shared variables.
– D is a conjunction of formulas like x-y<c.
♦ A symbolic state (l, s, D) represents a set of concrete states (l, s, v), where v satisfies D.
♦ Given a symbolic state S, the set of concrete states which are reachable from a concrete state in S through a given transition t can also be represented as a symbolic state. We call it the successor of S w.r.t. t.
7. Background (Basic reachability analysis algorithm 1)
Wait = {S0}, Passed = {}, where S0 is the initial symbolic state
while (Wait != {}) do
{
    S = a symbolic state in Wait;
    Wait = Wait - {S};
    for each transition t leaving S do
    {
        S' = successor of S w.r.t. t;
        if (S' != ∅ and S' is not contained by any state in Passed)
            Wait = Wait + {S'};
        if (the location of S' is the target location)
            return true;
    }
    Passed = Passed + {S};
}
return false;
8. Background (Basic reachability analysis algorithm 2)
♦ The algorithm explores the state space by continuously generating successors of the generated states.
♦ The algorithm skips generating the successors of a generated symbolic state (l, s, D1) only if
– another symbolic state (l, s, D2) containing (l, s, D1) has already been generated.
– a symbolic state S1 contains another one S2 if the set of concrete states represented by S1 contains the set represented by S2.
9. Compatibility between shared variable valuations
♦ A shared variable valuation s1 is compatible with s2 on a tuple (l, D) if for each transition e leaving l, one of the following conditions holds.
– s1 and s2 are identical.
– The conjunction of D and g is false, where g is the time guard of e.
– Neither s1 nor s2 satisfies the shared variable guard of e.
– The variable guard of e is satisfied by s1, and the transition e sets s1 and s2 to two compatible variable valuations.
10. An example of Compatibility
[Figure: a network with shared variables v1, v2. One automaton has clock x and locations A, B, C, with edges e11: x > 5; v2 = 3 / x := 0, v1 := 0 and e12: x < 3; v1 = 3 / x := 0, v1 := v1+1. The other automaton has clock y and locations M, N, with edge e21: y < 10 / v1 := v2+1, y := 0.]
♦ (v1 = 3; v2 = 3) is compatible with (v1 = 2; v2 = 3) on ((A,M), (x>3 ∧ y<10)).
– The time guard x < 3 of e12 contradicts x > 3; e11 sets v1 to 0 and e21 sets v1 to v2+1 = 4 under both valuations, so each of these transitions leads to identical valuations.
11. Compatibility containment
♦ Definition 3. Let (l, s1, D1) and (l, s2, D2) be two symbolic states of a timed automaton network. We say (l, s1, D1) compatibility contains (l, s2, D2)
– if s1 is compatible with s2 on (l, D1) and
– D1 contains D2.
12. A lemma about compatibility containment
♦ Lemma
– Let S1 and S2 be two symbolic states of a timed automaton network. All the locations reachable from S2 are also reachable from S1 if S1 compatibility contains S2.
♦ Intuitively, (l, s1, D1) is more likely to reach the target location than (l, s2, D2) is.
♦ The algorithm can avoid generating the successors of a generated symbolic state (l, s, D1) if
– another symbolic state which compatibility contains (l, s, D1) has already been generated.
♦ This condition is weaker than the basic one.
13. Find the compatible valuations
♦ During the reachability analysis, if a symbolic state (l, s, D) is generated, an algorithm can be used to find the valuations with which s is compatible on (l, D).
♦ This algorithm uses a backward propagation method to compute such valuations based on the definition of compatibility.
♦ All these valuations are recorded in valuation sets attached to the generated states.
♦ For each generated state (l, s', D'), it is compatibility contained by (l, s, D) if D' is contained by D and s is found to be compatible with s'.
14. A compact data structure
♦ Let v1, v2, …, vn be the set of shared variables. We proved that the attached valuation sets can be represented as Cartesian products s1 × s2 × … × sn (one set of values per shared variable).
♦ This observation leads to a compact data structure to record the compatible shared variable valuations.
15. The optimization
♦ The algorithm is optimized as follows
– A shared variable valuation set is attached to each generated state (using the compact data structure).
– Avoid generating the successors of (l, s, D) if there is another generated state (l, s', D') such that s is in the attached set of (l, s', D') and D' contains D.
– During the reachability analysis, the attached sets are continuously expanded by backward propagation.
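As an added example (not code from the slides or from the authors), the following Python model puts together the compatibility definition of slide 9, checked on the slide-10 network, and the worklist search of slide 7 with the pruning rule of slides 12 and 15. Everything beyond the slides is an assumption: zones and clock guards are per-clock open intervals (conjunctions of x<c and x>c only), the recursive case of the definition is checked on the successor location with the unconstrained zone (sound, since compatibility on a larger zone implies compatibility on a smaller one), an in-progress check counts as "not compatible", and the search is an untimed abstraction in which every symbolic state carries the unconstrained zone, so zone containment degenerates to equality of (l, s). The edge sources and targets of the slide-10 network (e11: A→B, e12: A→C, e21: M→N) are also assumed.

```python
"""Compatibility of shared-variable valuations and compatibility-based pruning.
Added example; the simplifications are listed in the lead-in (all assumptions)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

INF = float("inf")
Valuation = Dict[str, int]
Zone = Dict[str, Tuple[float, float]]   # clock -> open interval (lo, hi); absent = unconstrained
Loc = Tuple[str, ...]                   # global location: one local location per automaton
UNCONSTRAINED: Zone = {}


@dataclass
class Edge:
    name: str
    src: str
    dst: str
    clock_guard: Zone                            # conjunction of strict clock bounds
    var_guard: Callable[[Valuation], bool]       # guard on the shared variables
    update: Callable[[Valuation], Valuation]     # assignments to the shared variables


Network = List[List[Edge]]                       # one edge list per automaton


def intersect(a: Zone, b: Zone) -> Zone:
    out = dict(a)
    for clk, (lo, hi) in b.items():
        plo, phi = out.get(clk, (-INF, INF))
        out[clk] = (max(plo, lo), min(phi, hi))
    return out


def is_empty(z: Zone) -> bool:
    return any(lo >= hi for lo, hi in z.values())


def freeze(s: Valuation) -> FrozenSet[Tuple[str, int]]:
    return frozenset(s.items())


def enabled_edges(net: Network, loc: Loc):
    """Edges leaving the global location `loc`, paired with the successor location."""
    for k, automaton in enumerate(net):
        for e in automaton:
            if e.src == loc[k]:
                yield e, loc[:k] + (e.dst,) + loc[k + 1:]


def compatible(net: Network, s1: Valuation, s2: Valuation, loc: Loc, zone: Zone,
               _memo=None) -> bool:
    """Is s1 compatible with s2 on (loc, zone)?  The four conditions of the
    definition are checked edge by edge; condition 4 recurses on the successor
    location with the unconstrained zone (assumption, sound but incomplete)."""
    if s1 == s2:                                                # condition 1
        return True
    _memo = {} if _memo is None else _memo
    key = (freeze(s1), freeze(s2), loc)
    if key in _memo:
        return _memo[key]
    _memo[key] = False                                          # conservative while in progress
    result = True
    for e, succ in enabled_edges(net, loc):
        if is_empty(intersect(zone, e.clock_guard)):            # condition 2: D ∧ g is false
            continue
        g1, g2 = e.var_guard(s1), e.var_guard(s2)
        if not g1 and not g2:                                   # condition 3
            continue
        if g1 and compatible(net, e.update(s1), e.update(s2), succ, UNCONSTRAINED, _memo):
            continue                                            # condition 4
        result = False
        break
    _memo[key] = result
    return result


def reachable(net: Network, init_loc: Loc, init_val: Valuation, target: Loc,
              prune: str = "basic") -> Tuple[bool, int]:
    """Slide-7 worklist search over (l, s) pairs, zone fixed to 'true'.
    prune='basic' skips a successor already in Passed; prune='compat' also skips
    (l, s) when Passed holds some (l, s') with s' compatible with s on (l, true),
    i.e. when (l, s', true) compatibility contains (l, s, true).
    Returns (target reached, number of states expanded)."""
    wait, passed, expanded = [(init_loc, freeze(init_val))], [], 0
    while wait:
        loc, fs = wait.pop()
        s = dict(fs)
        for e, succ in enabled_edges(net, loc):
            if not e.var_guard(s):
                continue
            s2 = e.update(s)
            f2 = freeze(s2)
            covered = any(pl == succ and (pfs == f2 or (prune == "compat" and
                          compatible(net, dict(pfs), s2, succ, UNCONSTRAINED)))
                          for pl, pfs in passed)
            if not covered:
                wait.append((succ, f2))
            if succ == target:
                return True, expanded
        passed.append((loc, fs))
        expanded += 1
    return False, expanded


# The slide-10 network (edge sources/targets assumed): automaton 1 has clock x and
# locations A, B, C; automaton 2 has clock y and locations M, N.
E11 = Edge("e11", "A", "B", {"x": (5, INF)}, lambda s: s["v2"] == 3, lambda s: {**s, "v1": 0})
E12 = Edge("e12", "A", "C", {"x": (-INF, 3)}, lambda s: s["v1"] == 3, lambda s: {**s, "v1": s["v1"] + 1})
E21 = Edge("e21", "M", "N", {"y": (-INF, 10)}, lambda s: True, lambda s: {**s, "v1": s["v2"] + 1})
SLIDE10_NET: Network = [[E11, E12], [E21]]
SLIDE10_ZONE: Zone = {"x": (3, INF), "y": (-INF, 10)}   # x>3 ∧ y<10

if __name__ == "__main__":
    print(compatible(SLIDE10_NET, {"v1": 3, "v2": 3}, {"v1": 2, "v2": 3}, ("A", "M"), SLIDE10_ZONE))
    for mode in ("basic", "compat"):
        print(mode, reachable(SLIDE10_NET, ("A", "M"), {"v1": 3, "v2": 3}, ("Z", "Z"), mode))
```

Running it reproduces the slide-10 claim and shows that the relation is not symmetric: (v1=2, v2=4) is not compatible with (v1=3, v2=3) on the same (l, D), because only the second valuation satisfies the variable guard v2 = 3 of e11, which is neither condition 3 nor condition 4. Exhausting the untimed state space from ((A,M), v1=3, v2=3) expands seven states with the basic containment check and six with the compatibility check, since (B,N) with v1=4 is compatibility contained by the already generated (B,N) with v1=0 (no transition leaves (B,N)). Both strategies agree on which locations are reachable, as the lemma on slide 12 requires.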