1. Compatibility between shared variable valuations in timed automaton network model checking
Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang
Presented by ZHAO Jianhua
2. Background (Timed Automata)
♦ A timed automaton can be viewed as a conventional finite state automaton plus some clock variables, which are used to constrain the time distances between events.
[Figure: a timed automaton with clocks x, y; locations A (labelled x<5) and B (labelled y<8); edges E1: x < 5, y := 0 and E2: y < 8, x := 0.]
3. Background (timed automaton network)
♦ A timed automaton network is a finite set of timed automata which interact with each other.
♦ These timed automata may interact with each other through a finite set of shared variables.
♦ For each timed automaton network, an equivalent timed automaton can be built.
4. Background (timed automaton network)
♦ An example:
[Figure: a network of two timed automata sharing the variable v. Automaton 1 (clock x): locations A and B, labelled x<5 and x<8; edges E11: x < 5, x := 0 and E12: x < 8, x := 0; variable labels v := 1, v == 0, v == 1. Automaton 2 (clock y): locations 1 and 2, labelled y<8 and y<3; edges E21: y < 8, y := 0 and E12: y < 3, y := 0; variable label v := 0.]
5. Background (reachability analysis 1)
♦ Many interesting properties (for example, safety) can be expressed as reachability of locations of timed automata.
♦ Because the state spaces of timed automata are infinite, model checking techniques cannot be applied to timed automata directly.
– Symbolic representations of states are used in automatic reachability analysis.
6. Background (Symbolic States)
♦ A symbolic state of a timed automaton network is a tuple (l, s, D)
– l is the global location of the network.
– s is the valuation of the set of shared variables.
– D is a conjunction of formulas like x - y < c.
♦ A symbolic state (l, s, D) represents a set of concrete states (l, s, v), where v satisfies D.
♦ Given a symbolic state S, the set of concrete states which are reachable from a concrete state in S through a given transition t can also be represented as a symbolic state. We call it the successor of S w.r.t. t.
7. Background (Basic reachability analysis algorithm 1)
Wait = {S0}, Passed = {}, where S0 is the initial symbolic state
while (Wait != {}) do
{   S = a symbolic state in Wait;
    Wait = Wait - {S};
    for each transition t leaving S do
    {   S' = successor of S w.r.t. t;
        if (S' != ∅ and S' is not contained by any state in Passed)
            Wait = Wait + {S'};
        if (the location of S' is the target location)
            return true;
    }
    Passed = Passed + {S};
}
return false;
8. Background (Basic reachability analysis algorithm 2)
♦ The algorithm explores the state space by repeatedly generating successors of the states generated so far.
♦ The algorithm does not generate the successors of a generated symbolic state (l, s, D1) only if
– another symbolic state (l, s, D2) containing (l, s, D1) has already been generated.
– A symbolic state S1 contains another one, S2, if the set of concrete states represented by S1 contains the set represented by S2.
9. Compatibility between shared variable valuations
♦ A shared variable valuation s1 is compatible with s2 on a tuple (l, D) if for each transition e leaving l, one of the following conditions holds.
– s1 and s2 are identical.
– The conjunction of D and g is false, where g is the time guard of e.
– Neither s1 nor s2 satisfies the shared variable guard of e.
– The variable guard of e is satisfied by s1, and the transition e sets s1 and s2 to two compatible variable valuations.
10. An example of Compatibility
[Figure: a network of two timed automata with shared variables v1, v2. Automaton 1 (clock x): locations A, B, C; edges e11: x > 5; v2 = 3 / x := 0, v1 := 0 and e12: x < 3; v1 = 3 / x := 0, v1 := v1 + 1. Automaton 2 (clock y): locations M, N; edge e21: y < 10; v1 := v2 + 1, y := 0.]
♦ (v1 = 3; v2 = 3) is compatible with (v1 = 2; v2 = 3) on ((A, M), (x > 3 ∧ y < 10))
11. Compatibility containment
♦ Definition 3. Let (l, s1, D1) and (l, s2, D2) be two symbolic states of a timed automaton network. We say (l, s1, D1) compatibility-contains (l, s2, D2)
– if s1 is compatible with s2 on (l, D1) and
– D1 contains D2.
12. A lemma about compatibility containment
♦ Lemma
– Let S1 and S2 be two symbolic states of a timed automaton network. All the locations reachable from S2 are also reachable from S1 if S1 compatibility-contains S2.
♦ Intuitively, (l, s1, D1) is more likely to reach the target location than (l, s2, D2) is.
♦ The algorithm can avoid generating successors of a generated symbolic state (l, s, D1) if
– another symbolic state which compatibility-contains (l, s, D1) has already been generated.
♦ This condition is weaker than the basic one.
13. Find the compatible valuations
♦ During the reachability analysis, if a symbolic state (l, s, D) is generated, an algorithm can be used to find valuations with which s is compatible on (l, D).
♦ This algorithm uses a backward propagation method to compute such valuations based on the definition of compatibility.
♦ All these valuations are recorded in valuation sets attached to the generated states.
♦ For each generated state (l, s', D'), it is compatibility-contained by (l, s, D) if D' is contained by D and s is found to be compatible with s'.
14. A compact data structure
♦ Let v1, v2, …, vn be a set of shared variables. We proved that the attached valuation sets can be represented as Cartesian products s1 × s2 × … × sn.
♦ This observation leads to a compact data structure to record the compatible shared variable valuations.
15. The optimization
♦ The algorithm is optimized as follows
– A shared variable valuation set is attached to each generated state (using the compact data structure).
– Avoid generating successors of (l, s, D) if there is another generated state (l, s', D') such that s is in the attached set of (l, s', D') and D' contains D.
– During the reachability analysis, the attached sets are continuously expanded by backward propagation.
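The following Python program is an added example, not code from the paper or its authors. It puts the worklist algorithm of slide 7, the compatibility definition of slide 9, the compatibility containment of slide 11 and the optimized Passed check of slide 15 into one runnable piece. Zones are difference bound matrices with the usual "2c plus strictness bit" bound encoding; the network is the one read off slide 10, with the edge endpoints A→B, A→C and M→N assumed, since the slide does not make them recoverable, and without location invariants. Two further readings are assumptions of this example: condition 4 of slide 9 is taken to require that both valuations pass the variable guard before the updated valuations are compared, and a valuation pair met again on a cycle is treated as compatible; the backward-propagation algorithm and the Cartesian-product data structure of slides 13 and 14 are not reproduced. There is no zone extrapolation, so the search terminates only for models whose zones stay bounded, which holds for the slide 10 network.

```python
from collections import namedtuple
from itertools import product

INF = 10 ** 9                        # "no bound" on a clock difference
def le(c): return 2 * c + 1          # encode the bound "<= c"
def lt(c): return 2 * c              # encode the strict bound "< c"
def add(a, b):                       # sum of two bounds; strict if either is strict
    return INF if INF in (a, b) else a + b - ((a | b) & 1)
class Zone:
    """DBM over clocks 1..n; index 0 is the zero clock and m[i][j] bounds x_i - x_j."""
    def __init__(self, m): self.m = [row[:] for row in m]
    @classmethod
    def top(cls, n):                 # all clocks >= 0, otherwise unconstrained
        m = [[INF] * (n + 1) for _ in range(n + 1)]
        for i in range(n + 1): m[i][i] = m[0][i] = le(0)
        return cls(m)
    def close(self):                 # Floyd-Warshall tightening to canonical form
        n, m = len(self.m), self.m
        for k, i, j in product(range(n), repeat=3):
            m[i][j] = min(m[i][j], add(m[i][k], m[k][j]))
        return self
    def empty(self): return any(self.m[i][i] < le(0) for i in range(len(self.m)))
    def meet(self, cons):            # conjoin constraints (i, j, b) meaning x_i - x_j <b>
        z = Zone(self.m)
        for i, j, b in cons: z.m[i][j] = min(z.m[i][j], b)
        return z.close()
    def reset(self, clocks):         # x := 0 for every listed clock
        z = Zone(self.m)
        for x in clocks:
            for j in range(len(z.m)):
                z.m[x][j], z.m[j][x] = z.m[0][j], z.m[j][0]
        return z.close()
    def up(self):                    # let time elapse: drop every upper bound
        z = Zone(self.m)
        for i in range(1, len(z.m)): z.m[i][0] = INF
        return z.close()
    def contains(self, other):       # D1 contains D2 iff every bound of D1 is looser
        return all(a >= b for ra, rb in zip(self.m, other.m) for a, b in zip(ra, rb))

# Edge of component `comp`: src -> dst with clock guard cg, variable guard vg, update upd, resets.
Edge = namedtuple('Edge', 'comp src dst cg vg upd resets')
def leaves(e, loc): return loc[e.comp] == e.src
def target(e, loc): return loc[:e.comp] + (e.dst,) + loc[e.comp + 1:]

def successor(state, e):
    """Successor of (l, s, D) w.r.t. e (slide 6); None if e is disabled or the zone is empty."""
    loc, s, D = state
    if not leaves(e, loc) or not e.vg(s): return None
    Dg = D.meet(e.cg)
    return None if Dg.empty() else (target(e, loc), e.upd(s), Dg.reset(e.resets).up())

def compatible(s1, s2, loc, D, edges, seen=frozenset()):
    """s1 is compatible with s2 on (loc, D), slide 9.  Condition 4 is read as: both pass the
    variable guard and the updates are compatible on the successor.  A pair met again on a
    cycle is taken as compatible (an assumption of this example, not from the slides)."""
    if s1 == s2: return True
    key = (tuple(sorted(s1.items())), tuple(sorted(s2.items())), loc, tuple(map(tuple, D.m)))
    if key in seen: return True
    seen = seen | {key}
    for e in edges:
        if not leaves(e, loc): continue
        Dg = D.meet(e.cg)
        if Dg.empty(): continue                   # D and the time guard g are disjoint
        g1, g2 = e.vg(s1), e.vg(s2)
        if not g1 and not g2: continue            # neither satisfies the variable guard
        if g1 and g2 and compatible(e.upd(s1), e.upd(s2), target(e, loc),
                                    Dg.reset(e.resets).up(), edges, seen): continue
        return False
    return True

def compat_contains(big, small, edges):
    """Definition 3 (slide 11): (l, s1, D1) compatibility-contains (l, s2, D2)."""
    (l1, s1, D1), (l2, s2, D2) = big, small
    return l1 == l2 and D1.contains(D2) and compatible(s1, s2, l1, D1, edges)

def reachable(edges, init_loc, init_s, n_clocks, goal):
    """Worklist algorithm of slide 7 with the Passed check of slide 15 (compatibility containment)."""
    start = Zone([[le(0)] * (n_clocks + 1)] * (n_clocks + 1)).up()   # all clocks 0, then delay
    wait, passed = [(init_loc, init_s, start)], []
    while wait:
        S = wait.pop()
        for e in edges:
            S2 = successor(S, e)
            if S2 is None: continue
            if S2[0] == goal: return True
            if not any(compat_contains(P, S2, edges) for P in passed): wait.append(S2)
        passed.append(S)
    return False

# Constructed network read off slide 10; the endpoints A->B, A->C, M->N are assumptions.
X, Y = 1, 2                                                      # clock indices
SLIDE10 = [
    Edge(0, 'A', 'B', [(0, X, lt(-5))], lambda s: s['v2'] == 3,
         lambda s: {**s, 'v1': 0}, [X]),                         # e11: x > 5; v2 = 3
    Edge(0, 'A', 'C', [(X, 0, lt(3))], lambda s: s['v1'] == 3,
         lambda s: {**s, 'v1': s['v1'] + 1}, [X]),               # e12: x < 3; v1 = 3
    Edge(1, 'M', 'N', [(Y, 0, lt(10))], lambda s: True,
         lambda s: {**s, 'v1': s['v2'] + 1}, [Y]),               # e21: y < 10
]
D_SLIDE10 = Zone.top(2).meet([(0, X, lt(-3)), (Y, 0, lt(10))])  # x > 3 and y < 10
```

`compatible({'v1': 3, 'v2': 3}, {'v1': 2, 'v2': 3}, ('A', 'M'), D_SLIDE10, SLIDE10)` returns True, reproducing the claim of slide 10: e11 is enabled for both valuations and sets both to v1 = 0, e12 is ruled out because x > 3 contradicts x < 3, and e21 sets both to v1 = 4. Changing the second valuation to v2 = 0 makes the check fail on e11, since only one of the two passes its variable guard. In `reachable`, the only difference from the pseudocode of slide 7 is the Passed test, which asks for compatibility containment rather than equality of s plus zone containment; the compatibility test is run on the zone of the already generated state, as Definition 3 requires.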