02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
02917 Advanced Topics in Embedded Systems
Model Checking for Duration Calculus using Presburger Arithmetic
Michael R. Hansen
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Overview
∙ Overview of fundamental (un)decidability results
∙ A basic decidability results – with non-elementary complexity
∙ Towards efficient model checking based on approximations Using Presburger Arithmetic: first-order logic of natural numbers with addition
∙ Decision procedure for Presburger Arithmetic
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Overview
∙ Overview of fundamental (un)decidability results
∙ A basic decidability results – with non-elementary complexity
∙ Towards efficient model checking based on approximations Using Presburger Arithmetic: first-order logic of natural numbers with addition
∙ Decision procedure for Presburger Arithmetic
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Overview
∙ Overview of fundamental (un)decidability results
∙ A basic decidability results – with non-elementary complexity
∙ Towards efficient model checking based on approximations Using Presburger Arithmetic: first-order logic of natural numbers with addition
∙ Decision procedure for Presburger Arithmetic
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Overview
∙ Overview of fundamental (un)decidability results
∙ A basic decidability results – with non-elementary complexity
∙ Towards efficient model checking based on approximations Using Presburger Arithmetic: first-order logic of natural numbers with addition
∙ Decision procedure for Presburger Arithmetic
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Overview
∙ Overview of fundamental (un)decidability results
∙ A basic decidability results – with non-elementary complexity
∙ Towards efficient model checking based on approximations Using Presburger Arithmetic: first-order logic of natural numbers with addition
∙ Decision procedure for Presburger Arithmetic
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Basic Decidability Properties of Duration Calculus
Zhou Hansen Sestoft 93 Restricted Duration Calculus:
∙ ⌈⌈S⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
Satisfiability is reduced to emptiness of regular languages Decidable result for both discrete and continuous time Seemingly small extensions give undecidable subsets
RDC
1(Cont. time) RDC
2RDC
3∙ ℓ = r , ⌈⌈S⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ ∫ S
1= ∫
S
2∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ ℓ = x, ⌈⌈S⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ (∃x)𝜙
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Basic Decidability Properties of Duration Calculus
Zhou Hansen Sestoft 93 Restricted Duration Calculus:
∙ ⌈⌈S⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
Satisfiability is reduced to emptiness of regular languages Decidable result for both discrete and continuous time Seemingly small extensions give undecidable subsets
RDC
1(Cont. time) RDC
2RDC
3∙ ℓ = r , ⌈⌈S⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ ∫ S
1= ∫
S
2∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ ℓ = x, ⌈⌈S⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ (∃x)𝜙
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Basic Decidability Properties of Duration Calculus
Zhou Hansen Sestoft 93 Restricted Duration Calculus:
∙ ⌈⌈S⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
Satisfiability is reduced to emptiness of regular languages Decidable result for both discrete and continuous time Seemingly small extensions give undecidable subsets
RDC
1(Cont. time) RDC
2RDC
3∙ ℓ = r , ⌈⌈ S ⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ ∫ S
1= ∫
S
2∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ ℓ = x, ⌈⌈ S ⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ (∃ x)𝜙
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Basic Decidability Properties of Duration Calculus
Zhou Hansen Sestoft 93 Restricted Duration Calculus:
∙ ⌈⌈S⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
Satisfiability is reduced to emptiness of regular languages Decidable result for both discrete and continuous time Seemingly small extensions give undecidable subsets
RDC
1(Cont. time) RDC
2RDC
3∙ ℓ = r , ⌈⌈ S ⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ ∫ S
1= ∫
S
2∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ ℓ = x, ⌈⌈ S ⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ (∃ x)𝜙
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Basic Decidability Properties of Duration Calculus
Zhou Hansen Sestoft 93 Restricted Duration Calculus:
∙ ⌈⌈S⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
Satisfiability is reduced to emptiness of regular languages Decidable result for both discrete and continuous time Seemingly small extensions give undecidable subsets
RDC
1(Cont. time) RDC
2RDC
3∙ ℓ = r , ⌈⌈ S ⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ ∫ S
1= ∫
S
2∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ ℓ = x, ⌈⌈ S ⌉⌉
∙ ¬𝜙, 𝜙 ∨ 𝜓, 𝜙
⌢𝜓
∙ (∃ x)𝜙
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Decidability of RDC for Discrete Time
Satisfiability is reduced to emptiness of regular languages
Idea: a ∈ Σ describes a piece of an interpretation, e.g. P
1∧ ¬P
2∧ P
3Discrete time — one letter corresponds to one time unit.
ℒ(⌈⌈ S ⌉⌉) = (DNF (S))
+ℒ(𝜑 ∨ 𝜓) = ℒ(𝜑) ∪ ℒ(𝜓) ℒ(¬𝜑) = Σ
∗∖ ℒ(𝜑) ℒ(𝜑
⌢𝜓) = ℒ(𝜑) ℒ(𝜓)
∙ ℒ(𝜙) is regular
∙ 𝜙 is satisfiable iff ℒ(𝜙) ∕= ∅
∙ Satisfiability problem for RDC is decidable
non-elementary complexity
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Decidability of RDC for Discrete Time
Satisfiability is reduced to emptiness of regular languages
Idea: a ∈ Σ describes a piece of an interpretation, e.g. P
1∧ ¬P
2∧ P
3Discrete time — one letter corresponds to one time unit.
ℒ(⌈⌈ S ⌉⌉) = (DNF (S))
+ℒ(𝜑 ∨ 𝜓) = ℒ(𝜑) ∪ ℒ(𝜓) ℒ(¬𝜑) = Σ
∗∖ ℒ(𝜑) ℒ(𝜑
⌢𝜓) = ℒ(𝜑) ℒ(𝜓)
∙ ℒ(𝜙) is regular
∙ 𝜙 is satisfiable iff ℒ(𝜙) ∕= ∅
∙ Satisfiability problem for RDC is decidable
non-elementary complexity
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Decidability of RDC for Discrete Time
Satisfiability is reduced to emptiness of regular languages
Idea: a ∈ Σ describes a piece of an interpretation, e.g. P
1∧ ¬P
2∧ P
3Discrete time — one letter corresponds to one time unit.
ℒ(⌈⌈ S ⌉⌉) = (DNF (S))
+ℒ(𝜑 ∨ 𝜓) = ℒ(𝜑) ∪ ℒ(𝜓) ℒ(¬𝜑) = Σ
∗∖ ℒ(𝜑) ℒ(𝜑
⌢𝜓) = ℒ(𝜑) ℒ(𝜓)
∙ ℒ(𝜙) is regular
∙ 𝜙 is satisfiable iff ℒ(𝜙) ∕= ∅
∙ Satisfiability problem for RDC is decidable
non-elementary complexity
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Decidability of RDC for Discrete Time
Satisfiability is reduced to emptiness of regular languages
Idea: a ∈ Σ describes a piece of an interpretation, e.g. P
1∧ ¬P
2∧ P
3Discrete time — one letter corresponds to one time unit.
ℒ(⌈⌈ S ⌉⌉) = (DNF (S))
+ℒ(𝜑 ∨ 𝜓) = ℒ(𝜑) ∪ ℒ(𝜓) ℒ(¬𝜑) = Σ
∗∖ ℒ(𝜑) ℒ(𝜑
⌢𝜓) = ℒ(𝜑) ℒ(𝜓)
∙ ℒ(𝜙) is regular
∙ 𝜙 is satisfiable iff ℒ(𝜙) ∕= ∅
∙ Satisfiability problem for RDC is decidable
non-elementary complexity
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Decidability of RDC for Discrete Time
Satisfiability is reduced to emptiness of regular languages
Idea: a ∈ Σ describes a piece of an interpretation, e.g. P
1∧ ¬P
2∧ P
3Discrete time — one letter corresponds to one time unit.
ℒ(⌈⌈ S ⌉⌉) = (DNF (S))
+ℒ(𝜑 ∨ 𝜓) = ℒ(𝜑) ∪ ℒ(𝜓) ℒ(¬𝜑) = Σ
∗∖ ℒ(𝜑) ℒ(𝜑
⌢𝜓) = ℒ(𝜑) ℒ(𝜓)
∙ ℒ(𝜙) is regular
∙ 𝜙 is satisfiable iff ℒ(𝜙) ∕= ∅
∙ Satisfiability problem for RDC is decidable
non-elementary complexity
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Status
∙ A DC fragment based on (propositional logic and chop) with almost no notion of duration has non-elementary complexity.
No existing tool is used on a daily basis.
∙ Fragments (propositional logic and chop) having simple notions of duration are undecidable.
So what about tool support?
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Status
∙ A DC fragment based on (propositional logic and chop) with almost no notion of duration has non-elementary complexity.
No existing tool is used on a daily basis.
∙ Fragments (propositional logic and chop) having simple notions of duration are undecidable.
So what about tool support?
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Status
∙ A DC fragment based on (propositional logic and chop) with almost no notion of duration has non-elementary complexity.
No existing tool is used on a daily basis.
∙ Fragments (propositional logic and chop) having simple notions of duration are undecidable.
So what about tool support?
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
An example
Given Kripke structure K and a (certain kind of) DC formula 𝜙.
∙ Does K ∣ = 𝜙 hold? every trace t r satisfies 𝜙 non-elementary
Example: A simple Kripke structure K :
¬ p 1
p 3
2 4
¬ p p
Problem: K ∣ = □ (ℓ < 4 ⇒ ∫
p < 3)? YES
∙ Example run:
tr = (1 : ¬ p) (2 : p) (1 : ¬ p) (2 : p) (1 : ¬ p) (2 : p) (3 : ) satisfies □(ℓ < 4 ⇒ ∫
p < 3)
Branching-time approximations for efficient verification
Fr ¨anzleHansen 08,09
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
An example
Given Kripke structure K and a (certain kind of) DC formula 𝜙.
∙ Does K ∣ = 𝜙 hold? every trace t r satisfies 𝜙 non-elementary
Example: A simple Kripke structure K :
¬ p 1
p 3
2 4
¬ p p
Problem: K ∣ = □ (ℓ < 4 ⇒ ∫
p < 3)? YES
∙ Example run:
tr = (1 : ¬ p) (2 : p) (1 : ¬ p) (2 : p) (1 : ¬ p) (2 : p) (3 : ) satisfies □(ℓ < 4 ⇒ ∫
p < 3)
Branching-time approximations for efficient verification
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
An example
Given Kripke structure K and a (certain kind of) DC formula 𝜙.
∙ Does K ∣ = 𝜙 hold? every trace t r satisfies 𝜙 non-elementary
Example: A simple Kripke structure K :
¬ p 1
p 3
2 4
¬ p p
Problem: K ∣ = □ (ℓ < 4 ⇒ ∫
p < 3)? YES
∙ Example run:
tr = (1 : ¬ p) (2 : p) (1 : ¬ p) (2 : p) (1 : ¬ p) (2 : p) (3 : ) satisfies □(ℓ < 4 ⇒ ∫
p < 3)
Branching-time approximations for efficient verification
Fr ¨anzleHansen 08,09
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
An example
Given Kripke structure K and a (certain kind of) DC formula 𝜙.
∙ Does K ∣ = 𝜙 hold? every trace t r satisfies 𝜙 non-elementary
Example: A simple Kripke structure K :
¬ p 1
p 3
2 4
¬ p p
Problem: K ∣ = □ (ℓ < 4 ⇒ ∫
p < 3)? YES
∙ Example run:
tr = (1 : ¬ p) (2 : p) (1 : ¬ p) (2 : p) (1 : ¬ p) (2 : p) (3 : ) satisfies □(ℓ < 4 ⇒ ∫
p < 3)
Branching-time approximations for efficient verification
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Branching-time approximations: Counting semantics
Ideas:
∙ All traces between two vertices are treated uniformly
∙ Add information on the frequency of visits to vertices.
m : Mset = V −→
partℕ a multiset
The counting semantics: K [[𝜙]]
c: V → V → Mset → 2
𝔹:
∙ K [[𝜙]]
ci j m = {true} when t r ∣ =
K𝜙, for any run t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {false} when t r ∕∣ =
K𝜙, for any t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {true, false} if K is not consistent with m, i, j
∙ K [[𝜙]]
ci j m = ∅ otherwise.
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Branching-time approximations: Counting semantics
Ideas:
∙ All traces between two vertices are treated uniformly
∙ Add information on the frequency of visits to vertices.
m : Mset = V −→
partℕ a multiset
The counting semantics: K [[𝜙]]
c: V → V → Mset → 2
𝔹:
∙ K [[𝜙]]
ci j m = {true} when t r ∣ =
K𝜙, for any run t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {false} when t r ∕∣ =
K𝜙, for any t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {true, false} if K is not consistent with m, i, j
∙ K [[𝜙]]
ci j m = ∅ otherwise.
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Branching-time approximations: Counting semantics
Ideas:
∙ All traces between two vertices are treated uniformly
∙ Add information on the frequency of visits to vertices.
m : Mset = V −→
partℕ a multiset
The counting semantics: K [[𝜙]]
c: V → V → Mset → 2
𝔹:
∙ K [[𝜙]]
ci j m = {true} when t r ∣ =
K𝜙, for any run t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {false} when t r ∕∣ =
K𝜙, for any t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {true, false} if K is not consistent with m, i, j
∙ K [[𝜙]]
ci j m = ∅ otherwise.
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Branching-time approximations: Counting semantics
Ideas:
∙ All traces between two vertices are treated uniformly
∙ Add information on the frequency of visits to vertices.
m : Mset = V −→
partℕ a multiset
The counting semantics: K [[𝜙]]
c: V → V → Mset → 2
𝔹:
∙ K [[𝜙]]
ci j m = {true} when t r ∣ =
K𝜙, for any run t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {false} when t r ∕∣ =
K𝜙, for any t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {true, false} if K is not consistent with m, i, j
∙ K [[𝜙]]
ci j m = ∅ otherwise.
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Branching-time approximations: Counting semantics
Ideas:
∙ All traces between two vertices are treated uniformly
∙ Add information on the frequency of visits to vertices.
m : Mset = V −→
partℕ a multiset
The counting semantics: K [[𝜙]]
c: V → V → Mset → 2
𝔹:
∙ K [[𝜙]]
ci j m = {true} when t r ∣ =
K𝜙, for any run t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {false} when t r ∕∣ =
K𝜙, for any t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {true, false} if K is not consistent with m, i, j
∙ K [[𝜙]]
ci j m = ∅ otherwise.
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Branching-time approximations: Counting semantics
Ideas:
∙ All traces between two vertices are treated uniformly
∙ Add information on the frequency of visits to vertices.
m : Mset = V −→
partℕ a multiset
The counting semantics: K [[𝜙]]
c: V → V → Mset → 2
𝔹:
∙ K [[𝜙]]
ci j m = {true} when t r ∣ =
K𝜙, for any run t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {false} when t r ∕∣ =
K𝜙, for any t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {true, false} if K is not consistent with m, i, j
∙ K [[𝜙]]
ci j m = ∅ otherwise.
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Branching-time approximations: Counting semantics
Ideas:
∙ All traces between two vertices are treated uniformly
∙ Add information on the frequency of visits to vertices.
m : Mset = V −→
partℕ a multiset
The counting semantics: K [[𝜙]]
c: V → V → Mset → 2
𝔹:
∙ K [[𝜙]]
ci j m = {true} when t r ∣ =
K𝜙, for any run t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {false} when t r ∕∣ =
K𝜙, for any t r from i to j which is consistent with m
∙ K [[𝜙]]
ci j m = {true, false} if K is not consistent with m, i, j
∙ K [[𝜙]]
ci j m = ∅ otherwise.
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Model checking: Main idea
Given K , 𝜙 and a vector m = dom m of variables.
We mark situation pairs (i, j), with (𝜓, b, lin(m)), b ∈ {true, false}, where 𝜓 is a subformula of 𝜙
∙ and lin(m) is a side-condition (Presburger formula) with m as free variables.
Key properties for marking (𝜓, true, lin(m)):
∙
true ∈ K [[𝜓]] i j m for any m satisfying lin(m)
There are similar properties for a marking (𝜓, false, lin(m))
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Model checking: Main idea
Given K , 𝜙 and a vector m = dom m of variables.
We mark situation pairs (i, j), with (𝜓, b, lin(m)), b ∈ {true, false}, where 𝜓 is a subformula of 𝜙
∙ and lin(m) is a side-condition (Presburger formula) with m as free variables.
Key properties for marking (𝜓, true, lin(m)):
∙
true ∈ K [[𝜓]] i j m for any m satisfying lin(m)
There are similar properties for a marking (𝜓, false, lin(m))
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Model checking: Main idea
Given K , 𝜙 and a vector m = dom m of variables.
We mark situation pairs (i, j), with (𝜓, b, lin(m)), b ∈ {true, false}, where 𝜓 is a subformula of 𝜙
∙ and lin(m) is a side-condition (Presburger formula) with m as free variables.
Key properties for marking (𝜓, true, lin(m)):
∙
true ∈ K [[𝜓]] i j m for any m satisfying lin(m)
There are similar properties for a marking (𝜓, false, lin(m))
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Model checking: Main idea
Given K , 𝜙 and a vector m = dom m of variables.
We mark situation pairs (i, j), with (𝜓, b, lin(m)), b ∈ {true, false}, where 𝜓 is a subformula of 𝜙
∙ and lin(m) is a side-condition (Presburger formula) with m as free variables.
Key properties for marking (𝜓, true, lin(m)):
∙
true ∈ K [[𝜓]] i j m for any m satisfying lin(m)
There are similar properties for a marking (𝜓, false, lin(m))
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
A Condition for Consistency
C(K , i
0, j
0, m) is a system of linear equations:
m-consistency wrt. K , i
0and j
0is equivalent to satisfiability of C(K , i
0, j
0, m) Variables:
∙ x
ifor every i ∈ V,
∙ x
ijfor every edge (i, j) ∈ E
∙ m[k] for every k ∈ dom m Main ideas:
∙ The ”inflow” is the same as the ”outflow” for any vertex k.
∙ i
0has an extra inflow of 1 and j
0has an extra outflow of 1.
∙ x
k= m[k] for every k ∈ dom m.
For example, for every k ∈ V ∖ {i
0, j
0}:
Σ
(l,k)∈Ex
lk= x
kand x
k= Σ
(k,l)∈Ex
kl02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
A Condition for Consistency
C(K , i
0, j
0, m) is a system of linear equations:
m-consistency wrt. K , i
0and j
0is equivalent to satisfiability of C(K , i
0, j
0, m) Variables:
∙ x
ifor every i ∈ V,
∙ x
ijfor every edge (i, j) ∈ E
∙ m[k] for every k ∈ dom m Main ideas:
∙ The ”inflow” is the same as the ”outflow” for any vertex k.
∙ i
0has an extra inflow of 1 and j
0has an extra outflow of 1.
∙ x
k= m[k] for every k ∈ dom m.
For example, for every k ∈ V ∖ {i
0, j
0}:
Σ
(l,k)∈Ex
lk= x
kand x
k= Σ
(k,l)∈Ex
kl02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
A Condition for Consistency
C(K , i
0, j
0, m) is a system of linear equations:
m-consistency wrt. K , i
0and j
0is equivalent to satisfiability of C(K , i
0, j
0, m) Variables:
∙ x
ifor every i ∈ V,
∙ x
ijfor every edge (i, j) ∈ E
∙ m[k] for every k ∈ dom m Main ideas:
∙ The ”inflow” is the same as the ”outflow” for any vertex k.
∙ i
0has an extra inflow of 1 and j
0has an extra outflow of 1.
∙ x
k= m[k] for every k ∈ dom m.
For example, for every k ∈ V ∖ {i
0, j
0}:
Σ
(l,k)∈Ex
lk= x
kand x
k= Σ
(k,l)∈Ex
kl02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
A Condition for Consistency
C(K , i
0, j
0, m) is a system of linear equations:
m-consistency wrt. K , i
0and j
0is equivalent to satisfiability of C(K , i
0, j
0, m) Variables:
∙ x
ifor every i ∈ V,
∙ x
ijfor every edge (i, j) ∈ E
∙ m[k] for every k ∈ dom m Main ideas:
∙ The ”inflow” is the same as the ”outflow” for any vertex k.
∙ i
0has an extra inflow of 1 and j
0has an extra outflow of 1.
∙ x
k= m[k] for every k ∈ dom m.
For example, for every k ∈ V ∖ {i
0, j
0}:
Σ
(l,k)∈Ex
lk= x
kand x
k= Σ
(k,l)∈Ex
kl02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Model checking: Case 𝜓 = ∫ S < k
Markings for (i , j):
∙ (
∫ S < k, true, (
C(K , i, j, m, e) ∧ ∑
v∈domm,v∣=S
m[v] < k ))
∙ ( ∫
S < k, false, (
C(K , i, j, m, e) ∧ ∑
v∈domm,v∣=S
m[v] ≥ k ))
This is easily generalized to formulas of the form:
Σ
ni=1c
i∫ S
i⊲ k
where ⊲ ∈ {<, ≤, =, ≥, >} .
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Model checking: Case 𝜓 = ∫ S < k
Markings for (i , j):
∙ (
∫ S < k, true, (
C(K , i, j, m, e) ∧ ∑
v∈domm,v∣=S
m[v] < k ))
∙ ( ∫
S < k, false, (
C(K , i, j, m, e) ∧ ∑
v∈domm,v∣=S
m[v] ≥ k ))
This is easily generalized to formulas of the form:
Σ
ni=1c
i∫ S
i⊲ k
where ⊲ ∈ {<, ≤, =, ≥, >} .
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Model checking: Case 𝜓 = ∫ S < k
Markings for (i , j):
∙ (
∫ S < k, true, (
C(K , i, j, m, e) ∧ ∑
v∈domm,v∣=S
m[v] < k ))
∙ ( ∫
S < k, false, (
C(K , i, j, m, e) ∧ ∑
v∈domm,v∣=S
m[v] ≥ k ))
This is easily generalized to formulas of the form:
Σ
ni=1c
i∫ S
i⊲ k
where ⊲ ∈ {<, ≤, =, ≥, >} .
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Model checking: Case 𝜙 = 𝜓 1 ∧ 𝜓 2
Markings for (i , j):
∙ The true marking is (𝜓
1∧ 𝜓
2, true, 𝜇 ∧ 𝜈) iff (i, j) is marked with (𝜓
1, true, 𝜇) and (𝜓
2, true, 𝜈)
∙ The false marking is (𝜓
1∧ 𝜓
2, false, 𝜇 ∨ 𝜈) iff (i, j) is marked
with (𝜓
1, false, 𝜇) and (𝜓
2, false, 𝜈)
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Model checking: Case 𝜙 = 𝜓 1 ∧ 𝜓 2
Markings for (i , j):
∙ The true marking is (𝜓
1∧ 𝜓
2, true, 𝜇 ∧ 𝜈) iff (i, j) is marked with (𝜓
1, true, 𝜇) and (𝜓
2, true, 𝜈)
∙ The false marking is (𝜓
1∧ 𝜓
2, false, 𝜇 ∨ 𝜈) iff (i, j) is marked
with (𝜓
1, false, 𝜇) and (𝜓
2, false, 𝜈)
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Model checking: Case 𝜙 = ¬ 𝜓
Markings for (i , j):
∙ The true marking is (¬𝜓, true, 𝜇) iff (i, j) is marked with (𝜓, false, 𝜇)
∙ The false marking is (¬𝜓, false, 𝜈)
iff (i, j) is marked with (𝜓, true, 𝜈)
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Model checking: Case 𝜙 = ¬ 𝜓
Markings for (i , j):
∙ The true marking is (¬𝜓, true, 𝜇) iff (i, j) is marked with (𝜓, false, 𝜇)
∙ The false marking is (¬𝜓, false, 𝜈)
iff (i, j) is marked with (𝜓, true, 𝜈)
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Case 𝜓 = 𝜓 1 ⌢ 𝜓 2 true marking
(k .j) : (𝜓
2, true, 𝜇
2)
j (i, k) : (𝜓
1, true, 𝜇
1)
i
k
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Case 𝜓 = 𝜓 1 ⌢ 𝜓 2 true marking
(k .j) : (𝜓
2, true, 𝜇
2)
j (i, k) : (𝜓
1, true, 𝜇
1)
i
(i, j ) :(𝜓
1⌢𝜓
2, true, 𝜇) k
where 𝜇 is
⋁ {
∃m
1, m
2: Split (k,m, m
1, m
2)
∧ ∀ m
1, m
2: Split (k,m, m
1, m
2) ⇒ (𝜇
1[m
1/m] ∧ 𝜇
2[m
2/m])
}
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Case 𝜓 = 𝜓 1 ⌢ 𝜓 2 false marking
(k .j) : (𝜓
2, false, 𝜈
2)
j
i
(i, k) : (𝜓
1, false, 𝜈
1)
k
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Case 𝜓 = 𝜓 1 ⌢ 𝜓 2 false marking
(k , j) : (𝜓
2, false, 𝜈
2)
j
i
(i, k) : (𝜓
1, false, 𝜈
1)
(i, j ) :(𝜓
1⌢𝜓
2, false, 𝜈) k
where 𝜈 is C(i , j, m)∧ ⋀
∀ m
1, m
2: (Split (k, m, m
1, m
2) ⇒ 𝜈
1[m
1/m] ∨ 𝜈
2[m
2/m])
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Model checking 2: Example. Simplified markings
For dom m = {1, 2, 4} and 𝜁 = ∫
true < 4 ∧ ¬ ∫ p < 3.
Notice □( ∫
true < 4 ⇒ ∫
p < 3) ⇐⇒ ¬ ♢𝜁.
i, j C(m) markings (𝜓, false, 𝜂) for 𝜓 = after simplification ∫
true < 4 ¬ ∫
p < 3 𝜁 ♢𝜁 1,1 m[1] = m[2] m[1] > 2 m[1] < 3 true true 1,2 m[1] = m[2] + 1 m[1] > 2 m[1] < 3 true true 1,3 m[1] = m[2] > 0 m[1] > 1 m[1] < 3 true true 1,4 m[1] = m[2] > 0 m[1] > 1 ∨ m[4] > 0 m[1] ≤ 1 true true 2,{1, 3} m[2] = m[1] + 1 m[1] > 1 m[1] < 2 true true
. . .
3,{1, 2} false true true true true
3,3 true false true true true
. .
.
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Model checking 2: Example. Simplified markings
For dom m = {1, 2, 4} and 𝜁 = ∫
true < 4 ∧ ¬ ∫ p < 3.
Notice □( ∫
true < 4 ⇒ ∫
p < 3) ⇐⇒ ¬ ♢𝜁.
i, j C(m) markings (𝜓, false, 𝜂) for 𝜓 =
after simplification ∫
true < 4 ¬ ∫
p < 3 𝜁 ♢𝜁 1,1 m[1] = m[2] m[1] > 2 m[1] < 3 true true 1,2 m[1] = m[2] + 1 m[1] > 2 m[1] < 3 true true 1,3 m[1] = m[2] > 0 m[1] > 1 m[1] < 3 true true 1,4 m[1] = m[2] > 0 m[1] > 1 ∨ m[4] > 0 m[1] ≤ 1 true true 2,{1, 3} m[2] = m[1] + 1 m[1] > 1 m[1] < 2 true true
. . .
3,{1, 2} false true true true true
3,3 true false true true true
. .
.
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Summary
∙ Algorithm is correct.
∙ Procedure is 4-fold exponential.
∙ Size of generated formula is exponential in the chop-depth.
∙ Presburger formulas are checked in triple-exponential time.
Remember undecidable (non-elementary) starting point
∙ Preciseness when all chops is under same polarity and all conjunctions under the dual polarity.
∙ Quantifier elimination of side-condition is possible when all chops are in negative polarity. Procedure is then ”just” 2-fold exponential.
∙ Prototype is implemented by William Pihl Heise in a using the
solver Z3 as backend. The prototype has just been used on
small examples. Algorithm seems promising.
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Summary
∙ Algorithm is correct.
∙ Procedure is 4-fold exponential.
∙ Size of generated formula is exponential in the chop-depth.
∙ Presburger formulas are checked in triple-exponential time.
Remember undecidable (non-elementary) starting point
∙ Preciseness when all chops is under same polarity and all conjunctions under the dual polarity.
∙ Quantifier elimination of side-condition is possible when all chops are in negative polarity. Procedure is then ”just” 2-fold exponential.
∙ Prototype is implemented by William Pihl Heise in a using the
solver Z3 as backend. The prototype has just been used on
small examples. Algorithm seems promising.
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Summary
∙ Algorithm is correct.
∙ Procedure is 4-fold exponential.
∙ Size of generated formula is exponential in the chop-depth.
∙ Presburger formulas are checked in triple-exponential time.
Remember undecidable (non-elementary) starting point
∙ Preciseness when all chops is under same polarity and all conjunctions under the dual polarity.
∙ Quantifier elimination of side-condition is possible when all chops are in negative polarity. Procedure is then ”just” 2-fold exponential.
∙ Prototype is implemented by William Pihl Heise in a using the
solver Z3 as backend. The prototype has just been used on
small examples. Algorithm seems promising.
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
Summary
∙ Algorithm is correct.
∙ Procedure is 4-fold exponential.
∙ Size of generated formula is exponential in the chop-depth.
∙ Presburger formulas are checked in triple-exponential time.
Remember undecidable (non-elementary) starting point
∙ Preciseness when all chops is under same polarity and all conjunctions under the dual polarity.
∙ Quantifier elimination of side-condition is possible when all chops are in negative polarity. Procedure is then ”just” 2-fold exponential.
∙ Prototype is implemented by William Pihl Heise in a using the
solver Z3 as backend. The prototype has just been used on
small examples. Algorithm seems promising.
02917 Advanced
Topics in Embedded
Systems Michael R. Hansen
