
On Decidability of Prebisimulation for Timed Automata Shibashis Guha - PowerPoint PPT Presentation


  1. On Decidability of Prebisimulation for Timed Automata
     Shibashis Guha, Chinmay Narayan, S. Arun-Kumar
     Department of Computer Science & Engineering, Indian Institute of Technology, Delhi
     July 12, 2012

  2. Motivation
     • Real-time systems require that performance and timing constraints are satisfied.
     • Given two systems with the same behavior, determine which performs better in terms of time.
     CAV 2012

  3. Example
     Timed Automata formalism to model systems
     [Figure: Example: An at least as fast as relation. Two timed automata with locations A, B, C and A′, B′, C′; edges labelled with guards x = 1 and x ≤ 2, action a and reset {x}.]

  4. Contribution
     • Defined a relation between two timed (automata) systems to compare their performance: Timed Performance Prebisimulation.
     • Designed an algorithm to decide the timed performance prebisimulation relation.

  5. Related Work
     • Timed Actor Interfaces [Geilen, Tripakis, Wiggers 11]
     • Performance Preorder [Corradini, Gorrieri, Roccetti 95]
     • Efficiency Preorder [S. Arun-Kumar, Hennessy 91]

  6. Timed Automata Definition
     • Set of clocks C, finite set of actions Act.
     • The clock constraints B(C) over a set of clocks C can be specified using the following grammar: g ::= x ⌣ c | g ∧ g, where c ∈ ℕ, x ∈ C and ⌣ ∈ {<, ≤, =, >, ≥}.
     • A timed automaton over a finite set of clocks C and a finite set of actions Act is the quadruple (L, ℓ_0, E, I), where L is a finite set of locations, ranged over by ℓ, ℓ_0 ∈ L is the initial location, E ⊆ L × B(C) × Act × 2^C × L is a finite set of edges, and I : L → B(C) assigns invariants to locations.

  7. Timed automaton Semantics: Timed Labeled Transition System (TLTS)
     • Infinite transition graph structure
     • Nodes are timed automaton states or configurations; tuple (ℓ, v)
     • Two types of transitions:
       - $a \in Act$: $(\ell, v) \xrightarrow{a} (\ell', v')$ if there is an edge $(\ell \xrightarrow{g, a, r} \ell') \in E$ and $v \models g$, $v' = v[r]$ and $v' \models I(\ell')$
       - $d \in \mathbb{R}_{\ge 0}$: $(\ell, v) \xrightarrow{d} (\ell, v + d)$ such that $v \models I(\ell)$ and $v + d \models I(\ell)$.

  8. Timed Equivalences: Timed Bisimulation
     p and q are two timed valuations.
     [Figure: diagram relating p R_t q and p′ R_t q′ through moves labelled a and d on both sides; a ∈ Act, d ∈ ℝ≥0.]

  9. Timed Equivalences: Time Abstracted Bisimulation
     [Figure: diagram relating p R_u q and p′ R_u q′ through moves labelled a, d and d′; a ∈ Act, d, d′ ∈ ℝ≥0.]

  10. Timed Performance Prebisimulation
     [Figure: diagram relating p R_p q and p′ R_p q′ through moves labelled a, d and d′, with the label ≤ between the delays; a ∈ Act, d, d′ ∈ ℝ≥0.]
     ∼_t ⊆ � ⊆ ∼_u
     Captures functional behaviour and performance simultaneously.

  11. Decidability
     • Timed Bisimulation and Time Abstracted Bisimulation have been proved to be decidable for timed automata.
     • Is Timed Performance Prebisimulation decidable? Yes

  13. Algorithm Outline
     • Given two timed automata A_1 and A_2, or two reachable configurations p and q in timed automata, create the zone valuation graphs Z(A_1, p) and Z(A_2, q).
     • Check for strong bisimilarity between the initial nodes of the zone valuation graphs and, simultaneously, for every pair (s_1, s_2) of bisimilar nodes in these two zone valuation graphs, check if the span of s_1 is ≤ (or ≥) the span of s_2.

  14. Zone Graph
     A zone is a set of all clock valuations which satisfy a collection of formulae of the form x ⌣ c or x − y ⌣ c.
     For a timed automaton A = (L, l_0, E, I), a zone graph is a transition system (S, s_0, Lep, →), where
     • Lep = Act ∪ {ε},
     • ε is an action corresponding to delay transitions of the processes of the zone,
     • S ⊆ L × Φ_∨(C) is the set of nodes, s_0 = (l_0, φ_0(C)), → ⊆ S × Lep × S is connected,
     • φ_0(C) is the formula where all the clocks in C are 0.

  15. Zone Valuation Graph
     A zone graph Z = (S, s_0, Lep, →) with the following properties:
       1. The set S is finite.
       2. For every node s ∈ S, the zone corresponding to the constraints φ_s is convex.
       3. v l j ⊨ φ s r. Note that v l j may or may not satisfy φ_0(C).
       4. For any two processes p, q ∈ T(A), if their valuation satisfies the formula φ_r for the same node r ∈ S, then p ∼_u q, i.e. p is time abstracted bisimilar to q.
       5. For two timed automata A_1, A_2 and two processes p ∈ T(A_1) and q ∈ T(A_2), Z(A_1, p) ∼ Z(A_2, q) ⇔ p ∼_u q.
       6. It is minimal to the extent of preserving convexity of the zones.

  16. Stages of Creating Zone Valuation Graph
     [Figure: Successive stages of creating the zone valuation graph, panels (a) to (d). Each panel shows the zones built so far for locations l_0, l_1, l_2, the location just dequeued from the queue Q, and the sets T_{l_0}, T_{l_1}, T_{l_2}.]

  17. Stages of Creating Zone Valuation Graph
     [Figure: Final zone valuation graph, panel (e), with T_{l_0} = T_{l_1} = T_{l_2} = {l_0, l_1, l_2} and Q = null.]

  18. Not the Full Story
     [Figure: Timed Automaton with infinite zone graph. Labels: x ≥ 1 & y = 1, a, y := 0, true.]
     [Figure: Infinite zone graph.]

  19. Abstraction: Location Dependent Maximum Constants
     • Static Guard Analysis in Timed Automata Verification [Behrmann et al. 03]
     • For each clock x ∈ C and each location l ∈ L, a maximum constant max^l_x is determined beyond which the actual value of x in l is irrelevant. For a location l and a clock x, max^l_x ≤ c_x, the global maximum constant with which clock x is compared.
     • Thus the number of nodes is reduced compared to the region graph abstraction.

  20. Zone Graph with Abstraction for Automaton
     [Figure: Abstracted zone graph of Timed Automaton for max^l_x = 1 and max^l_y = 1.]

  21. Zone Valuation graph with Abstraction for Automaton
     [Figure: Canonical abstracted zone graph of Timed Automaton for max^l_x = 1 and max^l_y = 1.]

  22. Algorithm Outline
     • Given two timed automata or two reachable configurations in timed automata, create the zone valuation graphs as mentioned above.
     • Check for strong bisimilarity between the initial nodes of the zone valuation graphs and, simultaneously, for every pair (s_1, s_2) of bisimilar nodes in these two zone valuation graphs, check if the span of s_1 is ≤ (or ≥) the span of s_2.

  23. Example
     [Figure: Example: An at least as fast as relation. Two timed automata with locations A, B, C and A′, B′, C′; edges labelled with guards x = 1 and x ≤ 2, action a and reset {x}.]

  24. Zone Valuation Graph: Check Span of Strongly Bisimilar Nodes
     • Span: minimum of ranges of clock valuations: M(s) for node s.
     • Critical clock of a node: range equals span.
     [Figure: Zone Valuation Graphs of prebisimilar Timed Automata, Z_{A_1,p} and Z_{A_2,q}. Each node is annotated with its zone and, in parentheses, its span: (1 − δ), (0) and (∞) for the A and A′ nodes, (1), (2) and (∞) for the B and B′ nodes with zones 1 ≤ x ≤ 2, 0 ≤ x ≤ 2 and x > 2, and (∞) for C and C′ with zone x ≥ 0.]

  25. Correctness of algorithm: Flip in Delay (FID)
     Two zone valuation graphs: Z_{A_1,p} and Z_{A_2,q}.
     For any strong bisimulation relation B between Z_{A_1,p} and Z_{A_2,q}, consider two pairs of bisimilar nodes (s_{p1}, s_{q1}) and (s_{p2}, s_{q2}), with s_{p1}, s_{p2} ∈ Z_{A_1,p} and s_{q1}, s_{q2} ∈ Z_{A_2,q}.
     FID exists if M(s_{p1}) < M(s_{q1}) and M(s_{p2}) > M(s_{q2}).

  26. Proof of Correctness
     Lemma: For p ∈ T(A_1) and q ∈ T(A_2), FID(Z(A_1, p), Z(A_2, q)) ⇒ (p � � q ∧ q � � p)
     Proof Outline: Assume p ∼_u q
     • M(s_{p1}) > M(s_{q1}) and M(s_{p2}) < M(s_{q2})
     • s_{p1} ∼ s_{q1} and s_{p2} ∼ s_{q2}
     [Figure: M(s_{p1}) > M(s_{q1}) ⇒ p � � q. Nodes s_{p1} and s_{q1}, with delays d = M(s_{p1}) and d′ ≥ d.]
     Similarly, M(s_{p2}) < M(s_{q2}) ⇒ q � � p
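
The span check from the algorithm outline (slides 13 and 22) combined with the flip-in-delay condition of slide 25, as an added Python example that is not from the slides or the paper. The graph encoding, the (bound, closed) span pairs and the three sample graphs are constructed for illustration, loosely following the spans annotated on slide 24; construction of the zone valuation graphs from the automata is assumed to be done already.

```python
import math
from itertools import product

INF = (math.inf, 1)  # spans are (bound, closed): (1, 0) encodes 1 - δ, (1, 1) encodes 1

def sample_graph(first_span, b_span):
    """Constructed graph shaped like slide 24: node -> (span, [(label, successor)])."""
    return {
        "A0": (first_span, [("eps", "A1")]),
        "A1": ((0, 1), [("eps", "A2"), ("a", "B0")]),
        "A2": (INF, []),
        "B0": (b_span, [("eps", "B1"), ("a", "C")]),
        "B1": (INF, []),
        "C": (INF, []),
    }

def greatest_bisimulation(g1, g2):
    """Largest strong bisimulation between two finite graphs, by pair refinement."""
    rel = set(product(g1, g2))

    def simulated(moves, replies, pair):
        # every labelled move needs an equally labelled reply into a related pair
        return all(any(a == b and pair(x, y) in rel for b, y in replies)
                   for a, x in moves)

    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            if not (simulated(g1[s][1], g2[t][1], lambda x, y: (x, y))
                    and simulated(g2[t][1], g1[s][1], lambda x, y: (y, x))):
                rel.discard((s, t))
                changed = True
    return rel

def compare(g1, init1, g2, init2):
    """Compare spans over every pair of bisimilar nodes, as in the algorithm outline."""
    rel = greatest_bisimulation(g1, g2)
    if (init1, init2) not in rel:
        return "not bisimilar"
    left_smaller = any(g1[s][0] < g2[t][0] for s, t in rel)
    left_larger = any(g1[s][0] > g2[t][0] for s, t in rel)
    if left_smaller and left_larger:
        return "flip in delay"  # FID: by the lemma, neither side is at least as fast
    if left_larger:
        return "right at least as fast"
    return "left at least as fast" if left_smaller else "equal spans"

FAST = sample_graph((1, 0), (1, 1))  # second wait has span 1
SLOW = sample_graph((1, 0), (2, 1))  # second wait has span 2
FLIP = sample_graph((2, 0), (1, 1))  # constructed: longer first wait, shorter second
```

Calling `compare(FAST, "A0", SLOW, "A0")` reports the left graph as at least as fast, while `compare(FLIP, "A0", SLOW, "A0")` reports a flip in delay.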
