Document directory
- 1. Introduction
- 2. Timed Automata
- 3. Symbolic Semantics and Verification
- 4. DBM: Algorithms and Data Structures
- 5. UPPAAL
- 6. Appendix
The original title of this article is "Timed Automata: Semantics, Algorithms and Tools". My graduation project was related to it, and I studied it for a long time; I have now translated it myself. Please keep the copyright notice when reprinting.
Timed Automata: Semantics, Algorithms and Tools
Johan Bengtsson and Wang Yi
Uppsala University
Email: {johanb, yi}@it.uu.se
Translated by Zhu Wei (http://bitzhuwei.cnblogs.com)
Abstract: This article is a tutorial on timed automata; it describes the semantics and the algorithms used in verification tools. It presents the concrete (operational) semantics, the abstract (symbolic) semantics, the decision problems and the algorithms of timed automata, mainly the notions of transition relation, region and zone. DBMs (difference bound matrices) are the standard data structure of verification tools based on timed automata, and their principles are described in detail. Finally, UPPAAL is taken as an example to introduce the basic principles and the use of such a verification tool.
1. Introduction
Timed automata are a theory for modelling and verifying real-time systems, an outstanding achievement of Alur and Dill. Many verification tools (such as UPPAAL) are built on the theory of timed automata. This article describes the semantics and algorithms of timed automata on which these tools depend.
A timed automaton is a finite automaton equipped with a finite set of clocks. Each clock is a variable ranging over the non-negative reals. A transition between locations of a timed automaton may be taken only when its clock constraint is satisfied. A location may carry an invariant, which is also a clock constraint; it limits how long the automaton may stay in the location, forcing it to leave before the invariant is violated. Timed automata of this kind are called timed safety automata, and they are the kind discussed in this article.
Section 2 describes the syntax and semantics of timed automata and the decision problems relevant to automated verification; determinism and non-determinism are treated there as basic properties of the computational model. Section 3 describes the abstract (symbolic) semantics based on regions and zones. Section 4 describes the DBM data structure. Section 5 describes the verification tool UPPAAL. Finally, the appendix gives pseudocode for the DBM algorithms.
2. Timed Automata
A timed automaton is a finite automaton (a graph with finitely many nodes, called locations, and finitely many edges) extended with finitely many real-valued variables. It is an abstract model of a timed system. The variables model logical clocks: they start at zero and all increase synchronously at the same rate. Clock constraints on the edges (guards) restrict the behaviour of the automaton: an edge may be taken only when the current clock values satisfy its guard, and taking an edge may reset clocks to zero.
Figure 1 shows an example of a timed automaton with location invariants. Timing is realised with two clocks x and y. Clock x controls the self-loop of location loop: the self-loop may be taken when x equals 1. Clock y controls the execution of the whole automaton: the automaton may leave location start at any time point with 10 <= y <= 20, and may go from loop to end at any time point with 40 <= y <= 50.
Figure 1: a timed automaton with location invariants
Timed Büchi Automata
A guard only states that a transition may take place within a certain time window; it does not force the transition to happen. (Additional conditions, the Büchi acceptance condition, are therefore needed to enforce progress.)
Timed Safety Automata (omitted)
2.1 Formal syntax
Clocks: a finite set of real-valued variables, the clocks; its elements are referred to as x, y and so on.
Actions: a finite set of action labels.
Atomic clock constraints: constraints of the form x ~ n or x - y ~ n, where x and y are clocks, n is a natural number and ~ is one of <, <=, =, >, >=.
Clock constraints: conjunctions of atomic clock constraints, used as guards on transitions and as invariants.
The set of clock constraints: the set of all clock constraints over the clock set.
Definition 1 (Timed automaton)
A timed automaton is a quadruple consisting of:
- a finite set of locations (or states);
- the initial location;
- a finite set of edges, each with a source location, a guard (a clock constraint), an action, a set of clocks to reset and a target location;
- a function assigning to each location an invariant (a clock constraint).
When an edge belongs to the edge set, we write it as a transition from its source location to its target location, labelled with its guard, action and reset set.
In UPPAAL, location invariants are restricted to the forms x <= n or x < n.
Concurrency and Interaction
(Omitted)
2.2 Operational semantics
The semantics of a timed automaton is a transition system whose states consist of the current location and the current values of all clocks.
There are two kinds of transitions: delay transitions and action transitions. To express the operational semantics we use clock assignments. A clock assignment is a mapping from the clocks to the non-negative reals. An assignment satisfies a guard if the clock values it assigns satisfy the guard; only then may the action transition occur. Adding a delay d to an assignment u gives the assignment u + d, in which every clock is increased by d. Resetting a set of clocks in an assignment sets those clocks to zero and leaves all other clocks unchanged.
Definition 2 (Operational semantics)
The semantics of a timed automaton is a transition system whose states are pairs <l, u> of a location l and a clock assignment u, with two kinds of transitions:
① delay transition: <l, u> → <l, u + d> for a non-negative real d, if both u and u + d satisfy the invariant of l;
② action transition: <l, u> → <l', u'> if there is an edge from l to l' whose guard is satisfied by u, u' is obtained from u by resetting the clocks of that edge, and u' satisfies the invariant of l'.
2.3 Verification problems
The operational semantics is the basis for the verification of timed automata. The decision problems on the transition system are described below. (Omitted)
Definition 3 (Run)
Based on the operational semantics we can define the timed language of a timed automaton: a timed sequence of actions is a run of the automaton if there is a corresponding sequence of delay and action transitions starting from the initial state.
Definition 4 (Bisimulation)
(Omitted)
Reachability analysis
Definition 5 (Reachability)
(Omitted)
3. Symbolic Semantics and Verification
Clocks are real-valued, so the transition system has infinitely many states and cannot be explored directly by automated verification. To solve this problem, the notions of region, zone and symbolic semantics are introduced.
3.1 Regions, zones and symbolic semantics
Region equivalence is the basis for deciding properties of timed automata.
Definition 6 (Region equivalence)
(Omitted)
Figure 2: regions of a system with two clocks
(Omitted)
A more efficient way to represent the state space of a timed automaton is the zone graph, whose nodes are symbolic states. The construction of zones and the algorithms on them are described in Section 4. Figure 3 shows an example of a timed automaton and its zone graph: the zone graph has only 8 states, whereas the region graph has more than 50.
Figure 3: a timed automaton and its zone graph
A zone is a clock constraint; strictly speaking, it is the set of all clock assignments satisfying the constraint. Zones can be represented by DBMs, and this representation is very well studied. In what follows D denotes both a clock constraint and the zone it describes, and hence also a set of clock assignments.
A symbolic state of a timed automaton is a pair <l, D>, where l is a location and D a zone; <l, D> stands for the set of concrete states <l, u> with u in D. Symbolic transitions describe all possible transitions between such sets of states.
Definition 7 (Symbolic transition)
The operations used here are described in detail in Section 4: the delay successor of D is written up(D), and resetting the clocks in r is written reset(D, r := 0). The result of each operation is again a zone (as a matrix operation, the result is again a matrix). Like an algebraic expression, a zone can be simplified, and its simplest (canonical) form is unique. This is the key structure that lets the symbolic semantics mitigate state-space explosion.
The symbolic semantics corresponds to the operational semantics: if <l, D> ⇒ <l', D'>, then for every u' in D' there is some u in D such that <l, u> → <l', u'>. The symbolic semantics is an abstraction of Definition 2.
Theorem 1 (Soundness and completeness of the symbolic semantics)
Let the initial state of the timed automaton be <l0, u0>.
Soundness means that if a symbolic state is reachable from the initial symbolic state, then every concrete state it contains is reachable. Completeness means that if a concrete state is reachable, then some reachable symbolic state contains it.
Unfortunately the symbolic transition relation is infinite in general, so the zone graph of a timed automaton may be infinite. Consider the automaton in Figure 4: clock y grows without bound, producing infinitely many zones and hence an infinite zone graph.
Figure 4: a timed automaton generating an infinite zone graph
The solution is a technique similar to extrapolation (abstraction): a zone containing arbitrarily large constants is mapped to a representative zone. Intuitively, once a clock exceeds the largest constant it is compared with, its exact value no longer matters.
3.2 Normalization without difference constraints
A difference constraint is a guard of the form x - y <= n. In the original theory difference constraints are not allowed as guards; only constraints of the form x <= n are. Such automata are called diagonal-free, and they can be normalized with respect to a clock ceiling k. This is what UPPAAL does.
Definition 8 (k-normalization)
If D is a zone and k the clock ceiling, then the semantics of the k-normalization operation on D is as follows:
norm_k(D) can be implemented by two operations on D in canonical form:
1. remove all constraints x < m, x <= m, x - y < m and x - y <= m with m > k(x);
2. replace all constraints x > m, x >= m, x - y > m and x - y >= m with m > k(x) by x > k(x) and x - y > k(x), respectively.
The following figure shows the normalized zone graph of the automaton of Figure 4, which without normalization generates an infinite zone graph. The clock ceiling k(x) of a clock x is the maximal constant that x is compared with in the automaton.
Note that for finitely many clocks with given ceilings there are only finitely many normalized zones. In other words, normalization turns an infinite zone graph into a finite one.
Figure 5: normalized zone graph
Definition 9 (Normalized transition)
For diagonal-free timed automata the normalized transition relation is sound, complete and finite.
Theorem 2 (Diagonal-free timed automata)
Let the timed automaton have initial state <l0, u0> and clock ceiling k, and contain no difference constraints. Then:
Unfortunately, for timed automata with difference constraints soundness fails. Consider the automaton in Figure 6, a counterexample. Its last location is unreachable: in location S2 the zone is (x - y > 2 and x > 2), and the guard from S2 to S3 is (x < z + 1 and z < y + 1), i.e. (x - z < 1 and z - y < 1), which implies x - y < 2. Clearly no assignment in the zone of S2 satisfies the guard, so the last transition can never be taken.
Figure 6: counterexample
However, the maximal constant is 1 for x and 2 for y, so normalizing the S2 zone (x - y > 2 and x > 2) gives (x - y > 1 and x > 1), in which the guard from S2 to S3 can be satisfied. Symbolic reachability analysis based on plain normalization is therefore unsound for this automaton: it reports S3 as reachable.
The zones involved are listed below (the implicit constraints that all clocks are non-negative are omitted).
Figure 7: zones of the counterexample
Note that the zones of S0 and S1 are the same before and after normalization; the problem is in S2.
3.3 Normalization of timed automata with difference constraints
Guards with difference constraints are useful in practice, so a normalization that remains sound in their presence is needed.
Definition 10 (Normalization with difference constraints)
The semantics of the refined k-normalization operation is expressed as:
The refined region equivalence is parameterized by both the clock ceiling k and the set G of difference constraints appearing in the guards; so is the normalization operation.
Since the refined k-equivalence has finitely many equivalence classes and G is finite, the refined k-normalization also yields finitely many zones: for a zone D, norm_{k,G}(D) consists of finitely many equivalence classes. It is not convex in general, but it can be written as a union of finitely many convex zones. The next section describes the algorithm in detail.
Definition 11 (Refined k-normalized transition)
Let the timed automaton have initial state <l0, u0> and clock ceiling k, and let G be the set of difference constraints in its guards. Then the refined normalized transition relation is sound, complete and finite:
3.4 Symbolic reachability analysis
Model checking deals with two kinds of properties: liveness and safety. Checking liveness requires cycle detection, which is expensive. For timed systems mainly safety properties are checked, and the corresponding algorithms traverse the state space of the timed automaton.
Algorithm 1: reachability analysis
Reachability analysis checks a property of states. The core idea is to compute the state space of the timed automaton and then search it for a state that satisfies (or violates) the property. The state space can be computed in advance or on the fly during the search. The latter is usually better, because only the states needed for the check are generated; in the worst case, however, the whole state space still has to be explored.
We now explain the core of UPPAAL's verification engine: reachability analysis based on the symbolic semantics and the zone graph.
The clock ceiling k is given by the maximal constants appearing in the automaton A and in the property φ_f; G is the set of difference constraints in A and φ_f. Algorithm 1 checks whether the initial state can reach a state whose location is l_f and whose clock assignment satisfies φ_f. It computes the zone graph of A on the fly and searches for a symbolic state whose location is l_f and whose zone intersects φ_f.
Algorithm 1 works on a finite state space, so it terminates; its answer is correct by Definition 11 (soundness and completeness of the refined normalized transition relation).
Algorithm 1 also highlights the key issues a model checker for timed automata must solve: the representation of states and zones and the operations on them, tests for emptiness and inclusion of zones, and compact storage, state-space compression and approximation techniques.
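The search loop of Algorithm 1, as an added example (not code from the paper or from UPPAAL): a PASSED list, a WAIT list and the inclusion check, run on a constructed one-clock automaton that is an assumption of this example rather than Figure 1. With a single clock every zone is an interval, so a (lo, hi) pair stands in for the DBM; strict bounds are left out to keep the interval arithmetic short.

```python
# Added example (not code from the paper or from UPPAAL): Algorithm 1, symbolic
# reachability with PASSED and WAIT lists, on a constructed one-clock timed
# automaton. With one clock every zone is an interval (lo, hi).
from collections import deque

INF = float("inf")

def inter(z1, z2):
    """Intersection of two interval zones; None means the empty zone."""
    lo, hi = max(z1[0], z2[0]), min(z1[1], z2[1])
    return (lo, hi) if lo <= hi else None

def up(z):
    """Delay successor up(D): remove the upper bound of the clock."""
    return (z[0], INF)

def reset(z):
    """reset(D, x := 0): the only clock is set to zero."""
    return (0, 0)

def includes(z, w):
    """Inclusion test D ⊇ D' used against the PASSED list."""
    return z[0] <= w[0] and w[1] <= z[1]

# Constructed automaton (an assumption of this example, not Figure 1 of the
# paper): one clock x, an invariant per location, and edges of the form
# (source, guard, reset x?, target).
INV = {"start": (0, 20), "loop": (0, 1), "end": (0, INF)}
EDGES = [
    ("start", (10, 20), True,  "loop"),   # leave start with 10 <= x <= 20, x := 0
    ("loop",  (1, 1),   True,  "loop"),   # self-loop fires exactly when x == 1
    ("loop",  (1, 1),   False, "end"),    # or move to end when x == 1
]

def post(loc, zone):
    """Symbolic successors of <loc, zone> (Definition 7): take an edge whose
    guard intersects the zone, reset if required, let time pass, and restrict
    the result by the target location's invariant."""
    for src, guard, rst, dst in EDGES:
        if src != loc:
            continue
        z = inter(zone, guard)
        if z is None:
            continue
        if rst:
            z = reset(z)
        z = inter(up(z), INV[dst])
        if z is not None:
            yield dst, z

def reachable(target_loc, target_zone, init=("start", (0, 0))):
    """Algorithm 1: is some state <target_loc, u> with u in target_zone
    reachable from init? Returns (answer, number of states put in PASSED)."""
    loc0, z0 = init
    wait = deque([(loc0, inter(up(z0), INV[loc0]))])
    passed = []
    while wait:
        loc, z = wait.popleft()
        if loc == target_loc and inter(z, target_zone) is not None:
            return True, len(passed)
        # inclusion check: a symbolic state covered by one already explored
        # adds nothing; this is what makes the search terminate on the loop
        if any(l == loc and includes(pz, z) for l, pz in passed):
            continue
        passed.append((loc, z))
        wait.extend(post(loc, z))
    return False, len(passed)

if __name__ == "__main__":
    print(reachable("end", (5, 5)))      # (True, 2): end is reachable with x = 5
    print(reachable("end", (0, 0.5)))    # (False, 3): end is only entered with x >= 1
```

The self-loop in loop produces the zone 0 <= x <= 1 a second time; the inclusion check against PASSED drops it, which is the only reason the loop terminates. The third query shows that the invariant x <= 1 on loop is applied to every successor zone, so x = 2 in loop is never generated.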
4. DBM: Algorithms and Data Structures
The previous section explained the key points of symbolic reachability analysis. Recall that a zone is defined as a set of clock assignments. We have not yet explained how zones are computed. This section describes the representation of zones (the data structure), the operations on zones (the algorithms) and the checks on zones (whether a property holds). Pseudocode for the operations is given in the appendix.
4.1 DBM basics
A clock constraint over the clock set C is a conjunction of atomic constraints of the form x ~ m or x - y ~ n, where x and y are clocks in C, ~ is one of <=, <, =, >, >=, and m, n are natural numbers. The zone represented by a clock constraint D is the set of clock assignments satisfying D. The most important property of zones (and the reason for working with them) is that a zone can be represented by a matrix, the DBM (difference bound matrix). The structure and properties of DBMs are described below.
To simplify the presentation we introduce the zero clock, whose value is 0 at all times. With C0 = C ∪ {zero clock}, every atomic constraint can be written in the form x - y ≺ n, with x, y in C0, ≺ either < or <=, and n an integer.
A zone is then described by at most |C0|^2 atomic constraints of the form x - y ≺ n, so it can be represented by a |C0| × |C0| matrix in which each element is one atomic constraint. Each element bounds the difference between two clocks, hence the name difference bound matrix. D_ij denotes element (i, j) of the DBM D (D denotes both the zone and its matrix).
A DBM is constructed as follows.
Number the clocks of C0 as 0, ..., n, giving the zero clock the number 0. Row i of the matrix belongs to clock x_i. The elements are filled in by these rules:
- for a constraint x_i - x_j ≺ n, let D_ij = (n, ≺);
- if no constraint on x_i - x_j is given, let D_ij = (∞, <); ∞ is a special value in the data structure;
- in particular, the implicit constraints 0 - x_i <= 0 (clocks are non-negative) and x_i - x_i <= 0 give D_0i = (0, <=) and D_ii = (0, <=).
Example: the zone D = x - 0 < 20 ∧ y - 0 <= 20 ∧ y - x <= 10 ∧ x - y <= -10 ∧ 0 - z < 5 is converted into the following matrix:
DBM elements (bounds) can be compared and added according to the following rules:
(n1, ≺1) < (n2, ≺2) if n1 < n2;
(n, <) < (n, <=);
b + ∞ = ∞;
(m, <=) + (n, <=) = (m + n, <=);
(m, <) + (n, <=) = (m + n, <), and likewise whenever either summand is strict.
Canonical DBMs
In general infinitely many different constraint systems (and hence matrices) describe the same zone, but each zone has exactly one canonical (tightest) form.
To find the canonical DBM we view the zone as a weighted graph: the elements of C0 are the nodes and the atomic constraints are the edges. A constraint x - y ≺ n becomes an edge from node y to node x with weight (n, ≺), meaning that the distance from y to x is at most n.
Figure 8: graph and closed form of the example matrix
Analysing this graph (details omitted) shows that D is equivalent to the DBM in which every bound is the tightest one, and that the tightest bounds are the shortest-path distances between all pairs of nodes, so the Floyd-Warshall algorithm can be used. Because this closure is comparatively expensive, DBMs are stored in canonical form and every operation is required to return a canonical DBM.
Minimal constraint systems
A zone may contain redundant constraints. For example, in D = x - y < 2 ∧ y - z < 5 ∧ x - z < 7 the constraint x - z < 7 follows from the other two. Removing redundant constraints yields a minimal constraint system, which can be stored as a sparse matrix and so reduces memory consumption, easing the state-space explosion problem. Minimal constraint systems have been studied thoroughly; the results are summarised as Algorithm 4 in the appendix.
With canonical DBMs available, we now turn to computing with DBMs.
4.2 Basic DBM operations
This section describes all basic operations except zone normalization; they are used in model checking and in the forward and backward analysis of timed automata. Zone normalization is covered in the next section.
To keep the description simple, all zones in this section are assumed to be consistent (non-empty) and canonical.
DBM operations fall into two classes:
Property checking: testing a DBM for consistency, testing inclusion between zones, and testing whether a zone satisfies a given atomic constraint.
Transformation: computing the strongest post-condition and the weakest pre-condition of a zone with respect to guards, delay and clock resets.
1. Property checking
1) consistent(D)
The most basic operation: decide whether the DBM is non-empty (an empty DBM contains no clock assignment; its constraint has no solution). It is used to prune inconsistent (empty) states during state-space exploration, which reduces the number of states. A DBM is inconsistent iff its graph contains a negative cycle; for a canonical DBM it suffices to check whether D_00 is negative.
2) relation(D, D')
Inclusion is another important check. For canonical DBMs, D is contained in D' iff D_ij <= D'_ij for all i, j in C0. See Algorithm 5.
3) satisfied(D, x_i - x_j <= m)
Sometimes we need to decide whether a zone is compatible with a constraint, i.e. whether D ∧ (x_i - x_j <= m) is non-empty, without modifying D. From the definition of consistent we know that a zone is inconsistent iff its graph contains a negative cycle, so the check conceptually adds the constraint to D and tests for a negative cycle. For a canonical DBM this reduces to a single test: D ∧ (x_i - x_j <= m) is empty iff (m, <=) + D_ji is negative.
2. Transformation
1) up(D)
up(D) is the set of clock assignments reachable from D by letting time pass: up(D) = {u + d | u in D, d in R+}. It is computed by removing the upper bounds of all clocks, i.e. setting every D_i0 to ∞. Since all clocks advance at the same rate, the differences between clocks are unaffected (a constraint x - y <= n still holds when x and y increase together).
I still do not understand the relation between up and the strongest post-condition; from what I have read, up computes the strongest post-condition.
2) down(D)
Symmetric to up: down(D) = {u | u + d in D, d in R+} is the set of assignments from which D can be reached by delay. The algorithm sets the first row of the DBM, the bounds 0 - x_i (i.e. the lower bounds of all clocks), to (0, <=). This alone may leave the DBM non-canonical, so a further step is needed: for every clock x_i, the difference constraints x_j - x_i are examined, and the strongest of them becomes the new lower bound of x_i. See Algorithm 7.
3) and(D, x_i - x_j <= b)
Adding a constraint to a zone is the most common operation. The basic step is: if (b, <=) < D_ij, set D_ij := (b, <=) and then bring the new zone back into canonical form. Rather than a full closure, a special O(n^2) algorithm is used; it exploits the fact that only D_ij changed, so only paths through that edge can become shorter. See Algorithm 8.
4) free(D, x)
Removes all constraints on the given clock, so that x can take any non-negative value: free(D, x) = {u[x = d] | u in D, d in R+}. It is used in backward exploration of the state space. See Algorithm 9.
5) reset(D, x := m)
Used in forward exploration to set a clock to a given value: reset(D, x := m) = {u[x = m] | u in D}. If a canonical result is not required, it suffices to set D_x0 = (m, <=), D_0x = (-m, <=) and ∞ for the remaining bounds of row and column x. A canonical result is obtained, as for free, by deriving the new bounds of x from those of the zero clock: D_xi = (m, <=) + D_0i and D_ix = D_i0 + (-m, <=). See Algorithm 10.
6) copy(D, x := y)
Used in forward exploration: copies the value of y to x, copy(D, x := y) = {u[x = u(y)] | u in D}. The implementation is simple: set D_xy and D_yx to (0, <=) and replace the remaining bounds of x by those of y, i.e. D_xi = D_yi and D_ix = D_iy. See Algorithm 11.
7) shift(D, x := x + m)
Increases or decreases clock x by an integer: shift(D, x := x + m) = {u[x = u(x) + m] | u in D}. It amounts to substituting x - m for x in the constraints, i.e. adding m to every D_xi and -m to every D_ix; for a negative m the bounds on x must afterwards be clipped so that x stays non-negative. See Algorithm 12.
4.3 Normalization of zones
The purpose of zone normalization is to map a zone containing arbitrarily large constants to a zone containing only constants up to the clock ceiling, thereby turning the infinite zone graph of a timed automaton into a finite one.
If the automaton contains no difference constraints, norm_k(D) is used. Only two things need to be done: delete every upper bound that exceeds the ceiling, and replace every lower bound that exceeds the ceiling (in absolute value) by a strict bound at the ceiling. On a canonical DBM: if D_ij = (m, ≺) > (k(x_i), <=), the constraint x_i - x_j ≺ m is removed (D_ij := ∞); if D_ij = (m, ≺) < (-k(x_j), <), it is replaced by x_i - x_j < -k(x_j). The result is then closed again (Algorithm 13).
If the guards of the automaton contain difference constraints, things are more complicated. Let A be a timed automaton with difference constraints, k its clock ceiling and G the set of difference constraints in its guards; we want to normalize a zone D. By the semantics of Definition 10, the clock assignments of D and of its normalization must satisfy or violate every difference constraint of G in the same way. This suggests the following core algorithm:
1. Collect all difference constraints g of G (and negations of them) that D fails to satisfy:
(1) if g ∧ D is empty, D lies entirely outside g: collect g;
(2) if (not g) ∧ D is empty, D lies entirely inside g: collect not g.
Let G_unsat be the set of constraints collected in this way.
2. Compute norm_k(D) as if there were no difference constraints.
3. Subtract every constraint of G_unsat from the result, i.e. compute norm_k(D) ∧ (not g) for each g in G_unsat.
Step 3 ensures that the normalized zone does not satisfy any difference constraint that D did not satisfy. Algorithm 14 gives the pseudocode of this core algorithm; G_D in the algorithm is the set of difference constraints of the timed automaton.
However, norm_k(D) ∧ (not G_unsat) is still not the required normalized zone, because the core algorithm does not handle a difference constraint that splits D: a g in G for which both g ∧ D and (not g) ∧ D are non-empty. Therefore Algorithm 15 first splits D into several parts and applies the core algorithm to each part. Every part D_i must satisfy: for all g in G, either D_i ∧ g is empty or D_i ∧ g = D_i (D_i is contained in g). The required norm_{k,G}(D) is the union of the normalized parts.
The complete procedure is Algorithm 16.
We illustrate the normalization with the S2 zone D = (x - y > 2 ∧ x > 2) of the counterexample above. The difference constraints are G1 = x - z < 1 and G2 = z - y < 1. D contains both assignments satisfying G1 and assignments satisfying not G1, so D must be split before normalization, as shown in the figure.
The intersection of D(a) with G2 is empty, so D(a) need not be split further. D(b) is split by G2 into a G2 part and a not-G2 part, giving the following three zones.
The core algorithm is applied to each of the three. The sets of difference constraints they do not satisfy are G_unsat(a) = {not G1, G2}, G_unsat(b) = {G1, not G2} and G_unsat(c) = {G1, G2}. Applying k,G-normalization to each of them gives:
Since the normalized D(a), D(b) and D(c) already have empty intersection with the constraints in their G_unsat sets, no subtraction is needed. Finally, note that none of the normalized zones (a), (b), (c) intersects G1 ∧ G2, so the transition from S2 to S3 remains impossible (it still cannot be taken).
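The DBM representation, the basic operations and both normalizations of this section, as an added example that is not code from the paper or from UPPAAL. It serves the DBM construction and closure of the Figure 8 zone, the operations of the basic-operations subsection, and the normalization walk-through above: plain norm_k makes the S2 guard of the counterexample satisfiable, and the split-and-subtract normalization does not. The following are assumptions of the example: and() rebuilds canonical form with a full Floyd-Warshall closure instead of the O(n^2) repair of Algorithm 8, the Figure 8 zone is taken literally (its 0 - z < 5 replaces the default z >= 0), and the ceiling k(z) = 1, which the page does not state.

```python
# Added example (not code from the paper or from UPPAAL): a small DBM with the
# operations of Section 4, run on the Figure 8 zone and on the S2 zone of the
# Figure 6 counterexample.
from itertools import product

INF = (float("inf"), False)   # a bound is (n, strict); strict=True encodes "<"
ZERO = (0, False)             # (0, <=)

def less(a, b):
    """Bound order: (n1, *) < (n2, *) when n1 < n2, and (n, <) < (n, <=)."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def add(a, b):
    """Bound addition: b + INF = INF; a strict summand makes the sum strict."""
    if a[0] == INF[0] or b[0] == INF[0]:
        return INF
    return (a[0] + b[0], a[1] or b[1])

class DBM:
    """d[i][j] bounds x_i - x_j; clock 0 is the zero clock (always 0)."""
    def __init__(self, nclocks):
        self.n = nclocks + 1
        self.d = [[INF] * self.n for _ in range(self.n)]
        for i in range(self.n):
            self.d[i][i] = ZERO
            self.d[0][i] = ZERO          # 0 - x_i <= 0: clocks are non-negative
    def copy(self):
        c = DBM(self.n - 1)
        c.d = [row[:] for row in self.d]
        return c
    def close(self):                     # canonical form (Algorithm 2): Floyd-Warshall
        for k, i, j in product(range(self.n), repeat=3):
            s = add(self.d[i][k], self.d[k][j])
            if less(s, self.d[i][j]):
                self.d[i][j] = s
        return self
    def consistent(self):                # non-empty iff no diagonal entry is below (0, <=)
        return not any(less(self.d[i][i], ZERO) for i in range(self.n))
    def includes(self, other):           # other ⊆ self iff other.d_ij <= self.d_ij (Algorithm 5)
        return all(not less(self.d[i][j], other.d[i][j])
                   for i, j in product(range(self.n), repeat=2))
    def and_(self, i, j, n, strict=False):   # D ∧ (x_i - x_j < n / <= n); full close()
        c = self.copy()                      # stands in for the O(n^2) repair of Algorithm 8
        if less((n, strict), c.d[i][j]):
            c.d[i][j] = (n, strict)
            c.close()
        return c
    def up(self):                        # delay (Algorithm 6): drop every upper bound x_i - 0
        c = self.copy()
        for i in range(1, c.n):
            c.d[i][0] = INF
        return c
    def reset(self, x, m=0):             # x := m (Algorithm 10): new bounds from the zero clock
        c = self.copy()
        for j in range(c.n):
            if j != x:
                c.d[x][j] = add((m, False), c.d[0][j])
                c.d[j][x] = add(c.d[j][0], (-m, False))
        return c
    def norm_k(self, k):                 # plain k-normalization (Algorithm 13), k[0] = 0
        c = self.copy()
        for i, j in product(range(c.n), repeat=2):
            if less((k[i], False), c.d[i][j]):
                c.d[i][j] = INF                 # upper bound above the ceiling: drop it
            elif less(c.d[i][j], (-k[j], True)):
                c.d[i][j] = (-k[j], True)       # lower bound above the ceiling: x_j > k
        return c.close()

def neg(g):
    """Negation of a difference constraint: not(x_i - x_j < n) is x_j - x_i <= -n."""
    i, j, n, strict = g
    return (j, i, -n, not strict)

def norm_kG(D, k, G):
    """Refined normalization: split D by every constraint of G (Algorithm 15),
    then k-normalize each part and cut away the constraints that part violated
    (Algorithm 14). Returns the list of zones whose union is the result."""
    parts = [D]
    for g in G:
        parts = [p for p in (q.and_(*h) for q in parts for h in (g, neg(g)))
                 if p.consistent()]
    out = []
    for p in parts:
        unsat = [h for g in G for h in (g, neg(g)) if not p.and_(*h).consistent()]
        z = p.norm_k(k)
        for h in unsat:
            z = z.and_(*neg(h))
        out.append(z)
    return out

X, Y, Z = 1, 2, 3             # clock indices; 0 is the zero clock

def figure8_zone():
    """The Figure 8 zone x < 20, y <= 20, y - x <= 10, x - y <= -10, 0 - z < 5,
    taken literally (its 0 - z < 5 replaces the default z >= 0), then closed."""
    D = DBM(3)
    for i, j, n, strict in [(X, 0, 20, True), (Y, 0, 20, False), (Y, X, 10, False),
                            (X, Y, -10, False), (0, Z, 5, True)]:
        D.d[i][j] = (n, strict)
    return D.close()

def counterexample():
    """S2 zone (x - y > 2, x > 2) against the guard x - z < 1, z - y < 1.
    Returns whether the guard is satisfiable in D, in norm_k(D), in norm_kG(D)."""
    D = DBM(3).and_(Y, X, -2, True).and_(0, X, -2, True)
    G = [(X, Z, 1, True), (Z, Y, 1, True)]
    k = [0, 1, 2, 1]          # ceilings for 0, x, y, z; k(z) = 1 is an assumption
    def guarded(z):
        return z.and_(*G[0]).and_(*G[1]).consistent()
    return (guarded(D), guarded(D.norm_k(k)),
            any(guarded(z) for z in norm_kG(D, k, G)))
```

counterexample() returns (False, True, False): the guard is unsatisfiable in the S2 zone, becomes satisfiable after plain k-normalization (the unsoundness of Section 3.2), and is unsatisfiable again in every part produced by norm_kG, where the three parts are exactly D(a), D(b) and D(c) of the walk-through. For the Figure 8 zone, close() tightens x - 0 to (10, <=) and 0 - y to (-10, <=), and propagates the strict bound 0 - z < 5 into x - z < 15 and y - z < 25.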
4.4 Memory representation of DBMs
(Omitted)
5. UPPAAL
UPPAAL is a toolbox for modelling, simulation and verification of timed automata; it uses the data structures and algorithms described above. It was developed by Uppsala University and Aalborg University.
5.1 Modelling in UPPAAL
The core of UPPAAL's modelling language is the network of timed automata. UPPAAL extends timed automata with further modelling and verification features, the main ones being integer variables, synchronisation channels, and urgent locations.
Networks of timed automata
(Omitted)
6. Appendix
The following lists pseudocode for the common DBM operations.
Algorithm 2: close(D) or canonical(D): computing the canonical form of D
Figure 9: computing the canonical form of D
Algorithm 3: removing redundant constraints from a graph without zero cycles
Figure 10: removing redundant constraints from a graph without zero cycles
Algorithm 4: removing redundant constraints from a general graph
Figure 11: removing redundant constraints from a general graph
Algorithm 5: deciding inclusion between two zones
Figure 12: deciding inclusion between two zones
Algorithm 6: delay (up)
Figure 13: delay
Algorithm 7: backward delay (down)
Figure 14: backward delay
Algorithm 8: adding a clock constraint
Figure 15: adding a clock constraint
Algorithm 9: freeing a clock (removing all its constraints)
Figure 16: freeing a clock
Algorithm 10: resetting a clock
Figure 17: resetting a clock
Algorithm 11: copying a clock
Figure 18: copying a clock
Algorithm 12: shifting a clock