Transcript Clocked Mazurkiewicz Traces and Partial Order Reductions

Clocked Mazurkiewicz Traces and
Partial Order Reductions for
Timed Automata
D. Lugiez, P. Niebert, S. Zennou
Laboratoire d ’Informatique Fondamentale de Marseille
(LIF, UMR 6166)

Clocked Mazurkiewicz Traces and
Partial Order Reductions for
Timed Automata
D. Lugiez, P. Niebert, S. Zennou
Laboratoire d ’Informatique Fondamentale de Marseille
(LIF, UMR 6166)
At least two previous presentations
at Ametist meetings ...

« They talk and talk ... »
« Now they change the title ... »

« Where is the beef?! »

Thank you for your patience!
Classical Zone Automaton
Event Zone Automaton(ELSE)
Thank you for your patience!
Classical Zone Automaton
Event Zone Automaton(ELSE)
Thank you for your patience!
Friendly Example: Dining Philosophers with timeouts
#Phil
classical
eventzone
ratio
2
11
10
1,1
3
55
35
1,57
4
337
118
2,86
5
2456
392
6,27
6
21037
1297
16,22
7
8
9
207677 not on my laptop
4799
14158
46763
43,28
Hostile Example: Fischer’s Protocol (almost sequential)
#Proc
2
3
4
5
UppAal -n1
34345
UppAal -n2
2865
Else "classical"25 229 2393 26961
eventzone
24 209 2048 21077
ratio
1,04 1,10 1,17 1,28
A long time misunderstanding ...
Partial order reduction methods
 Cut redundant branches in search tree


Works well for discrete systems
And for timed automata/time Petri nets?
[Bengtson-Lilius-Johnsson-Yi 98], [Minea99], ...



Semantic restrictions
B.J. : « sometimes not worse than without reduction ... »
Without citation :

Buggy theorems, discretisation, ...
Mazurkiewicz traces
Example parallel system
A
0
0
B
C
0
a
b
c
1
1
1
d
g
3
2
4
e
2
f
2
3
Example parallel system
A
0
0
B
a
b
1
1
C
c
Property:
1
Is it
d possible that A
enters state 2
g
3
2
4
e
2
f
2
0
3
Witness path to property
A
0
0
B
C
0
a
b
c
1
1
1
d
g
3
2
4
e
2
f
2
3
State graph =
synchronous product
The state graph
3,4,0
g
1,0,0
1,1,0
c
b
a
b
0,0,0
c
a
c
3,4,1
g
0,1,0
b
1,0,1
a
c
c
da
d
2,3,1
d
f
3,4,2
b
0,0,1
1,1,1
g
0,1,1
b
1,0,2
1,1,2
e
d
1,2,1
2,2,3
d
d
a
0,0,2
b
a
0,1,2
a
e
d
0,2,1
f
0,2,2
d
a
0,2,2
The state graph
Property:
It is possible that A
enters state 2!
3,4,0
g
1,0,0
1,1,0
c
b
a
b
0,0,0
c
a
c
3,4,1
g
0,1,0
b
1,0,1
a
c
c
da
d
2,3,1
d
f
3,4,2
b
0,0,1
1,1,1
g
0,1,1
b
1,0,2
1,1,2
e
d
1,2,1
2,2,3
d
d
a
0,0,2
b
a
0,1,2
a
e
d
0,2,1
f
0,2,2
d
a
0,2,2
The witness path
Property:
It is possible that A
enters state 2!
3,4,0
g
1,0,0
1,1,0
c
b
a
b
0,0,0
c
a
c
3,4,1
g
0,1,0
b
1,0,1
a
c
c
da
d
2,3,1
d
f
3,4,2
b
0,0,1
1,1,1
g
0,1,1
b
1,0,2
1,1,2
e
d
1,2,1
2,2,3
d
d
a
0,0,2
b
a
0,1,2
a
e
d
0,2,1
f
0,2,2
d
a
0,2,2
Equivalent executions
3,4,0
g
1,0,0
1,1,0
c
b
a
b
0,0,0
c
a
c
3,4,1
g
0,1,0
b
1,0,1
a
c
c
da
d
2,3,1
d
f
3,4,2
b
0,0,1
1,1,1
g
0,1,1
b
1,0,2
1,1,2
e
d
1,2,1
2,2,3
d
d
a
0,0,2
b
a
0,1,2
a
e
d
0,2,1
f
0,2,2
d
a
0,2,2
The misunderstanding
Don’t « try to avoid redundancy in
search of zone automaton».
Instead, see to have less zones!
Actually ...
(1,X=Y=0)
1
a
b
2
3
4
(2,X=0,Y0)
b
(4,X0,Y=0)
(2,X0,Y=0)
a
(4,X=0,Y0)
An artificial example
An artificial example
Classical Zone Automaton
Event Zone Automaton(ELSE)
Our work about this




Theoretical foundation, now to treat Alur-Dill
automata without any restriction
Infinite symbolic « event zone automaton »
with full commutation
Finite index equivalence that preserves
reachability (only)
A tool! (Well, still a prototype, of course ...)
Context (other works)
[D’Souza-Tjagarajan98] :

Complementation for a sub class of timed automata
« Distributed Interval Automata »
Petri nets with final states


Surprise : Construction based on Mazurkiewicz traces
without time
Potential basis for a new formalisation
Timed Automata - and
independence?
Formalisation
Separate state graph from constraints
« Clocked labels »
Timed Automata



={, , , ,…} of finite clocked label
alphabet
Set of clocks C
An automaton A=(Q,s0,,F) over 




Q finite set of states
s0 Q initial state
  Q x  x Q transition relation
F  Q final states
Timed Automata

Clocked label =(a,c,r) of action + constraint + reset




Action over ={a, b, c, d,…} finite
Constraint c maps clocks to intervals with integer or infinite
bounds
Reset r  C
Clocked words = sequence of clocked labels
Ex: 
Timed and Clocked Words

Timed word = (w,t) with w * and t maps
positions in w to time stamps


Ex: (a, 3.2)(c, 2.5)(b, 6.3)
Normal timed word (w,t) s.t. t(i)  t(j) if i  j

Ex: (a, 3.2)(c, 4.5)(b, 6.3)
Symbolic states of timed
automata


Combination of discrete states and
regions or
zones of clock values
Zones: conjunctions of

clock bounds “X (- 0) < 3”
clock difference bounds “X-Y < 3”

difference bounds matrix

of dimension n+1 (clocks and “zero”)

Algorithms
Linking Clocked and Timed Words

Standard realization of a clocked word  with
i=(ai,ci,ri), 1 i  n = (w,t) s.t.



w=a1…an
(w,t) normal
t(k)-t(l)  ck(C) l=last reset of C in 1…k-1
Ex: (a, 3.2)(c, 4)(b, 6.2) = normal realization of 
Lt(A) set of clocked words =1...n which have a
standard realization and s.t.
s01 s1...n sn  F

Independence of clocked labels



One transition does not constrain clocks the
other transition resets.
One transition does not reset clocks the other
transition resets.
Same as independence for shared variables


read a variable written by another process implies
dependency
writing the same variable implies dependency
Relaxing constraints

Standard zones incomparable zones
Ex: ab -------> c2  c1
ba -------> c1  c2

Normal timed words (w,t) w.r.t I realizing  with
i=(ai,ci,ri) s.t.



w=a1…an
t(i)  t(j) if i  j and not ai I aj
t(k)-t(l)  ck(C) l=last reset of C in 1…k-1
Ex: (c, 4)(a, 3.2)(b, 6.2) for 
Commuting clocked labels and
time stamps together!

Clocked word
(a,X<1,X:=0)(b,Y<1,Y:=0)(c,X<1&Y>1,-)

Normal timed word w.r.t. I 
(a,0.7)(b,0.5)(c,1.6)

Equivalent Clocked word
(b,Y<1,Y:=0)(a,X<1,X:=0) (c,X<1&Y>1,-)

Equivalent timed word, normal!
(b,0.5)(a,0.7)(c,1.6)
What is it good for



Realisability w.r.t. I characterises classical
realisability up to commutations
Any realisation w.r.t. I can be transformed
into a classical realisation.
Hence, we can search for error traces modulo
independence, then retrieve normal ones.
Towards Algorithmics
Relaxing constraints

Standard zones incomparable zones
Ex: ab -------> c2  c1
ba -------> c1  c2

Normal timed words (w,t) w.r.t I realizing  with
i=(ai,ci,ri) s.t.



w=a1…an
t(i)  t(j) if i  j and not ai I aj
t(k)-t(l)  ck(C) l=last reset of C in 1…k-1
Ex: (c, 4)(a, 3.2)(b, 6.2) for 
Clocked Words and Event Zones

One variable per position in 
+ one for the beginning (empty word)
Ex:  -------> V={x0, x1, x2, x3}


Only constraints between dependent clocked labels
are added
Commuting independent clocked labels gives
isomorphic constraint set
Differences and Graph Algorithms
X-Yc, Y-Z  d implies X-Z  c+d
Graph coding:
Shortest path = Strongest Consequence
d
Z
Y
c+d
c
X
Solving via graph algorithms (Ford-Bellman, Floyd-Warshall):
• shortest path with negative weights
• negative cycles = no solution
On the level of traces ...


... these constraints characterise realisability
... can be used for « bounded model
checking » [FTRTFT2002]
And for exhaustive exploration ???
Zone automata?
Technical problem :
 The longer the trace, the more variables?!
Fundamental problem :
 Constraints X-Yc with c unbounded


Classical zone automata : abstraction (the
greatest constant ...)
P.Bouyer : yes, but be careful!
Bounding dimensions

Transitions add variables and constraints
linking them to an interface « Last »



Last clock resets
Last occurrences of independent actions
Decomposition of shortest paths
s1
s2
s3
Distances in the interface
s1
s3
s2
Distances in the interface

Projection of the event zone to the interface
can be computed incrementally :




add new event
normalise (incremental Floyd-Warshall)
garbage collection:
project events no longer in the interface
Dimensions :


at worst (#clocks +1) * #processes
classical timed automata #clocks + 1
Data structure event zone
rX rY rZ rU
rX rY rZ rU p1 p2 p3
e2
e3
e4
e1 e2 e4 e7
<3
t(e3)-t(e2)<3
The fundamental problem

Languages of realisable traces are not always
finite state
=(X=1,a,X:=0)
=(Y=1,b,Y:=0)
1
=(X=5,Y=5,c,-)
2
R = realisable traces
R{,}* ={u  | u {,}*, |u|= |u|} not recognisable
The fundamental problem - what to do


Give up
semantic Restrictions (BLJY98,M99)



No Zeno cycles + invariants
deduce new bounds (huge) for the abstraction

Our choice : maintain the classical
abstraction, sacrifice some commutations

New approach: Compute without
abstraction, compare with abstraction
A formal language view



Clock zone automaton, also with abstraction,
gives Nerode congruence of finite index
Optimisations of timed automata mean
smaller index
No such automaton can exist for realisable
traces, but ...
The trick for event zones



« Separate past and future before comparing »
Separator transition « $ », commutes with
nothing.
Insertion of separator in sequence u$v changes
nothing, except:
all of
u happens temporally before all of v


IN-preorder to replace zone inclusion
Theorem: Reachability w.r.t. classical semantics
preserved
The trick and formal language view
Practically

Compute with event zones Zu WITHOUT
separators

Compare not Zu and Zv , but Zu$ and Zv$

Dimension of Zu$ at most #Clocks+1

Same abstractions and data structures as for
Clock zones possible!
« UppAal killer » does not kill Else


In fact, asymmetric bounds
analysis included,
Difference to -n2 switch:
No location based analysis
used
And the counterexample?
=(X=1,a,X:=0)
=(Y=1,b,Y:=0)
1
=(X=5,Y=5,c,-)
2
And the counterexample?
Classical Zone Automaton
Event Zone Automaton(ELSE)
The reachability algorithm
Practical aspects of algorithm

Zones with higher dimensions in « Gray set »
(Waiting List)



Potentially higher cost of computing successors
Potentially more memory needed
Zones with classical dimensions in « Black
set » (Past List)

All fancy data structures work here (compressed
clock zones, CDDs, ...)
ELSE - a new timed automata tool
Contributors until now:
Manuel Yguel, Sarah Zennou, Peter Niebert,
Marcos Kurban (U.Twente)
Our tool approach



Aim: Platform for experiments with algorithms
for timed automata and more ...
No intention to invent new specification
language
Currently use IF 2 (VERIMAG) as input syntax


But semantic coverage very limited
(lazy implementation)
Sometime 2004: Open Source Distribution,
Invitation to participate
Software structure of ELSE
Much like Murphi, Spin, IF, ...
 Compiler




Frontend(s), maybe add UppAal (Tool Interaction!)
Internal data structure to generalize frontends ...
Backend(s) for exploration, generate C-code
Libraries


memory management, output (graph drawing),
exploration ...
Some parts as include files
Current state of development

« Prototype »





Almost complete chain
Very little language coverage
Sufficient for exhaustive exploration experiments
Good memory management
Urgent todo list before alpha release





Sequence extraction
Basic urgency
Efficient data structures for « past list »
A bit more of static analysis
A few algorithmic improvements
Conclusion, outlook




Fundamental contribution, clean theory
A substantial contribution to timed automata
algorithmics
Strong potential for resource allocation
problems (linear priced version would be
interesting)
A new tool, still needs work for serious case
studies