Lecture 19: Quasi-Equal Clocks - uni-freiburg.de...2018/01/25 · Lecture 19: Quasi-Equal Clocks...
11
– 19 – 2018-01-25 – main – Real-Time Systems Lecture 19: Quasi-Equal Clocks 2018-01-25 Dr. Bernd Westphal Albert-Ludwigs-Universität Freiburg, Germany Motivation – 19 – 2018-01-25 – main – 2/45 WFAS Self-Monitoring – 19 – 2018-01-25 – Sdiamond – 3/45 (Arenis et al., 2016) • Periodically, each sensor sends a“hi master, I’m still here” message to its master. • If a master misses that message from one of its sensors: report incidence. • To avoid message collision, employ a TDMA (time division multiple access) scheme. 0 ··· slot (aka. window) frame (aka. cycle) Sensor 1 says “I’m here” to its master WFAS Self-Monitoring – 19 – 2018-01-25 – Sdiamond – 3/45 (Arenis et al., 2016) 0 ··· slot (aka. window) frame (aka. cycle) Sensor 1 says “I’m here” to its master Experiments (A[] not deadlock) – 19 – 2018-01-25 – Sdiamond – 4/45 10 6 states 5 · 10 6 states 8 · 10 6 states 1 GiB 1000 seconds 2 GiB 2000 seconds n : 3 • • 4 • • 5 • • 6 • • 7 • • 8 • • 9 • • 10 • • 11 • • 12 • • 13 • • 14 • • • 15 • • • 16 • • • 17 • • • 18 • • • 19 • • • 20 • • • 21 • • 22 • • • 23 • • • 24 13 states 0.000 s 24,156 KiB 8,217 states 0.320 s 24,900 KiB 262,179 states 28.540 s 75,188 KiB 8,388,653 states 1472.63 s 2,341,188 KiB out of memory A Closer Look – 19 – 2018-01-25 – Sdiamond – 5/45 • Option 1: well, that’s exponential space complexity, we need to accept that. • Option 2: take a closer look. x 0 =0 x 1 =0 x 2 =0 x 0 = C x 1 = C x 2 = C x 0 =0 x 1 = C x 2 = C x 0 =0 x 1 =0 x 2 = C x 0 =0 x 1 =0 x 2 =0
Transcript of Lecture 19: Quasi-Equal Clocks - uni-freiburg.de...2018/01/25 · Lecture 19: Quasi-Equal Clocks...
– 19 – 2018-01-25 – main –
Rea
l-Tim
eSystem
s
Lectu
re19:
Quasi-E
qual
Clo
cks
2018-0
1-2
5
Dr.B
erndW
estphal
Albert-Ludw
igs-UniversitätFreiburg,G
ermany
Mo
tivatio
n
– 19 – 2018-01-25 – main –
2/45
WFA
SS
elf-Mo
nito
ring
– 19 – 2018-01-25 – Sdiamond –
3/45
(Arenis
etal.,2016)
•Periodically,e
achse
nso
rsendsa
“him
aster,I’m
stillhe
re”m
essageto
itsm
aster.
•Ifa
masterm
issesthatm
essagefrom
oneofits
sensors:reportincidence.
•To
avoidm
essage
collisio
n,employ
aTD
MA
(time
divisionm
ultipleaccess)schem
e.
0
···
slot(aka.w
indow)
frame
(aka.cycle)
Sen
sor
1sa
ys“I’m
here”
toits
ma
ster
WFA
SS
elf-Mo
nito
ring
– 19 – 2018-01-25 – Sdiamond –
3/45
(Arenis
etal.,2016)
0
···
slot(aka.w
indow)
frame
(aka.cycle)
Sen
sor
1sa
ys“I’m
here”
toits
ma
ster
Exp
erimen
ts(A[]
not
deadlock)
– 19 – 2018-01-25 – Sdiamond –
4/45
106
states
5·106
states
8·106
states
1G
iB
1000
seco
nd
s
2G
iB
2000
seco
nd
s
n:
3 •• •4 •• •
5 •• •6 •• •
7 •• •8 •• •
9 •• •10 •• •
11 •• •
12 •• •
13 •• •
14 •• •
15 •• •
16 •• •
17 •• •
18 •• •
19 •• •
20 •• •
21 •• •
22 •• •
23 •• •
24
13sta
tes0
.00
0s
24,15
6K
iB
8,217
states
0.3
20s
24,9
00
KiB
262,179
states
28.5
40
s75
,188
KiB
8,3
88
,65
3sta
tes14
72.63
s2,3
41,18
8K
iBout of memory
AC
loser
Lo
ok
– 19 – 2018-01-25 – Sdiamond –
5/45
•O
ption1:w
ell,that’sexponentialspace
complexity,w
eneed
toacceptthat.
•O
ption2:take
acloserlook.
x0=
0x1=
0x2=
0
x0=
Cx1=
Cx2=
C
x0=
0x1=
Cx2=
C
x0=
0x1=
0x2=
C
x0=
0x1=
0x2=
0
Co
nten
t
– 19 – 2018-01-25 – Scontent –
6/45
•Q
uasi-E
qu
alC
locks
•D
efin
ition,P
rop
ertie
s
•Q
EC
lock
Re
du
ction
•T
he
simp
le,an
dw
ron
gap
pro
ach
•Tran
sform
ation
exam
ple
•E
xpe
rime
nts
•S
imp
leand
Co
mp
lex
Ed
ges
•Tran
sform
ation
sche
me
s
•C
orre
ctne
sso
fth
eTran
sform
ation
•E
xcursio
n:
Bisim
ulatio
nP
roo
fs
•P
roo
fo
fQ
E-C
orre
ctne
ss
•a
particularw
eak
bisim
ulatio
nre
lation
•M
ore
Exp
erim
en
ts
Qu
asi-E
qu
al
Clo
cks
– 19 – 2018-01-25 – main –
7/45
Qu
asi-E
qu
al
Clo
cks
– 19 – 2018-01-25 – Sqe –
8/45
De
finitio
n.
LetN
bea
network
oftim
edautom
ataw
ithclocks
X.
Two
clocksx,y
∈X
arecalled
quasiequal,denotedby
x≃y,if
andonly
if,forallreachable
configurationsof
N,x
andy
areequaloratleastone
hasvalue
0,i.e.∀〈 ~ℓ
0 ,ν0 〉,t
0λ1
−→〈 ~ℓ
1 ,ν1 〉,t
1...
∈P
ath
s(N)∀i∈N
0 •
νi|=
(x=y∨x=
0∨y=
0).
Exa
mp
le
– 19 – 2018-01-25 – Sqe –
9/45
∀〈 ~ℓ
0 ,ν0 〉,t
0...
∈P
ath
s(N)∀i∈N
0•νi|=
(x=y∨x=
0∨y=
0).
⟨i,0i,0⟩
,0→
∗⟨w
,0.1
i,0.1
⟩
,0.1→
∗⟨d
,w−
1i,w
−1
⟩
,w
−1→
∗⟨d
,w
+1
w,w
+1
⟩
,w
+1→
∗⟨d
,c
d,c
⟩
,c→
⟨
i,0d,c
⟩
,c
⟨d,c
i,0⟩
,c
→⟨i,0
i,0⟩
,c→
∗
win
do
wlen
gthcycle
length
Pro
perties
of
Qu
asi-E
qu
ality
– 19 – 2018-01-25 – Sqe –
10/45
∀〈 ~ℓ
0 ,ν0 〉,t
0...
∈P
ath
s(N)∀i∈N
0•νi|=
(x=y∨x=
0∨y=
0).
Lem
ma.Q
uasi-Equalityis
anequivalence
relation.
Pro
of:
•re
flexive:obvious.
•sy
mm
etric:obvious.
•tran
sitive:abittricky
(inductionovera
strongerproperty).
Qu
asi-E
qu
al
Clo
ckR
edu
ction
– 19 – 2018-01-25 – main –
11/45
Idea
:U
seJu
stO
ne
Clo
ck
– 19 – 2018-01-25 – Statrafo –
12/45
X
X
XX
XX
z
z
zz
zz
X
X
XX
XX
z
z
zz
zz
•B
eh
aviou
r:
⟨i,0i,⟩
,0→
∗⟨w
,0.1
i,⟩
,0.1→
∗⟨d
,c
d,
⟩
,c
րց
⟨
i,0d,
⟩
,c
⟨d,0
i,⟩
,c
AM
ore
Ela
bo
rate
Tra
nsfo
rma
tion
– 19 – 2018-01-25 – Statrafo –
13/45
Ho
wD
oes
ItW
ork?
– 19 – 2018-01-25 – Statrafo –
14/45
⟨i,0i,0⟩
,0→
∗⟨w
,0.1
i,0.1
⟩
,0.1→
∗⟨d
,w−
1i,w
−1
⟩
,w
−1→
∗⟨d
,w
+1
w,w
+1
⟩
,w+
1→
∗⟨d
,c
d,c
⟩
,c→
⟨
i,0d,c
⟩
,c
⟨d,c
i,0⟩
,c
→⟨i,0
i,0⟩
,c→
∗
⟨
i,1i,1i,0
⟩
,0→
∗⟨
w,1
i,1
i,0.1
⟩
,0.1→
∗⟨
d,1
d,1
i,c
⟩
,c→⟨
i,0i,0n,c
⟩
,c→⟨
i,1i,1i,0
⟩
,c→
∗
Exp
erimen
ts(A[]
true)
– 19 – 2018-01-25 – Statrafo –
15/45
106
states
5·106
states
8·106
states
1G
iB
1000
seco
nd
s
2G
iB
2000
seco
nd
s
n:
3 •• •4 •• •
5 •• •6 •• •
7 • • •8 •• •
9 •• •10 •• •
11 •• •
12 •• •
13 • • •
14 • • •
15 • • •
16 • • •
17 •• •
18 •• •
19 •• •
20 •• •
21 •• •
22 •• •
23 •• •
24 •• •
8sta
tes0
.00
0s
24,5
72K
iB
28sta
tes0
.00
1s
24,70
8K
iB
38
states
0.0
00
s24
,80
4K
iB
48
states
0.0
00
s24
,876
KiB
Sim
ple
Ed
ges
– 19 – 2018-01-25 – Statrafo –
16/45
De
finitio
n.A
nedge
e=
(ℓ,α,ϕ,~r,ℓ
′)resetting
atleast
onequasi-equal
clockis
calledsim
pleedge
ifandonly
ifthefollow
ingconditions
aresat-
isfied:
(i)α=τ,
ϕ≡x≥c,
~r=
〈x:=
0〉,
forsome
constantc
andlo
calclockx,
(ii)I(ℓ)
=x≤c,
(iii)e
isp
re-
andp
ost-d
elay
ed,and
(iv)e
isthe
onlyedge
with
sourceℓ.
Otherw
isee
iscalled
complex
edge.
Tra
nsfo
rma
tion
Sch
eme:
Va
riab
lesa
nd
Ch
an
nels
– 19 – 2018-01-25 – Statrafo –
17/45
Given
anetw
orkN
oftimed
automata,the
variable
san
dch
ann
els
ofQ
E-tran
sform
ation
ofN
′areobtained
bythe
following
procedure:
•re
mo
veallquasi-equalclocks
fromN
,
•foreach
eq
uivale
nce
classofquasi-equalclocks
Y,
add
afresh
clockxY
toN
′
•ad
da
freshboolean
variabletx
toN
′
foreachquasi-equalclock
xinN
,initialvalue:t
x:=
1,
•ad
da
freshchannel
resetY
toN
′.
Tra
nsfo
rma
tion
Sch
eme
(for
Sim
ple
Ed
ges)
– 19 – 2018-01-25 – Statrafo –
18/45
ℓℓ′
I(ℓ)
ϕ
x:=
0
ℓℓ′
Γ(I(ℓ))
Γ(ϕ
)tx:=
0 resetY!
Γ(ϕ
)tx:=
0
resetY?
Co
nstra
int
Tra
nsfo
rma
tionΓ
– 19 – 2018-01-25 – Statrafo –
19/45
De
finitio
n.
LetN
bea
network.
LetY,W
∈ECN
besets
ofquasi-equal
clocksof
N,x
∈Y
andy∈W
clocks.
Given
aclock
constraintϕclk ,w
edefine:
Γ0 (ϕ
clk )
:=
((xY∼c∧
tx)∨(0
∼c∧
¬tx))
,ifϕclk=x∼c,
((xY−xW
∼c∧
tx∧
ty )
,ifϕclk=x−y∼c,
∨(0
−xW
∼c∧
¬tx∧
ty )
∨(x
Y−0∼c∧
tx∧
¬ty )
∨(0
∼c∧
¬tx∧
¬ty ))
Γ0 (ϕ
1 )∧Γ0 (ϕ
2 ),ifϕclk=ϕ1∧ϕ2 .
ThenΓ(ϕ
clk∧ψin
t ):=
Γ0 (ϕ
clk)∧ψin
t .
Here,E
CN
isthe
setofe
qu
ivalen
ceclasse
sof
qu
asi-eq
ualclo
cksinN
.
Resetter
Co
nstru
ction
(for
Sim
ple
Ed
ges)
– 19 – 2018-01-25 – Statrafo –
20/45
•Foreach
equivalenceclass
Y=
x1 ,...,x
n∈ECN
add
are
sette
rR
Yto
N′:
Unst
resetY?
xY:=
0,tx1:=
1,...,txn:=
1
Tra
nsfo
rma
tion
Exa
mp
le(fo
rC
om
plex
Ed
ges)
– 19 – 2018-01-25 – Scomplex –
21/45
Co
rrectness
of
the
Tra
nsfo
rma
tion
– 19 – 2018-01-25 – main –
22/45
QE
-Tra
nsfo
rma
tion
Co
rrectness
– 19 – 2018-01-25 – Scorr –
23/45
Th
eo
rem
.LetN
bea
network
oftimed
automata
andCF
aconfiguration
formula
overN
.Then
N|=
∃♦CF
⇐⇒
N′|=
∃♦Ω(C
F).
Qu
eryT
ran
sform
atio
n
– 19 – 2018-01-25 – Scorr –
24/45
De
finitio
n.Let
N=
A1 ,...,A
n
bea
network
with
equivalenceclasses
ofquasi-equalclocksECN
=Y
1 ,...,Ym
andβ
abasic
formula
overN.
Ω0 (β
)=
ℓ∨(ℓ
′∧x)
,ifβ=
Ai .ℓ,
(ℓ,α,ϕ,〈x
:=0〉,ℓ
′)sim
ple.
(ℓ′∧
¬x)
,ifβ=
Ai .ℓ
′,(ℓ,α
,ϕ,〈x
:=0〉,ℓ
′)sim
ple.
β,ifβ∈A
i .ℓ,Ai .ℓ
′,(ℓ,α
,ϕ,~r,ℓ
′)notsim
ple.
Γ(β
)[tx /(t
x∨x)|x∈Y,Y
∈ECN]
,ifβ=ϕclk∧ϕin
t .
Ω(C
F)=
∃x1 ,...,x
|X(N
)| •Ω
0 (CF)∧κN
,where
κN
:=∧
1≤i≤
n,
1≤j≤m
,
(ℓ,α
,ϕ,〈x
:=0〉,ℓ
′)∈Sim
pEdgesYj(A
i )
κ(x),
κ(x):(x
=⇒
∨
(ℓ,α
,ϕ,〈x
:=0〉,ℓ
′)∈Sim
pEdgesYj(A
i )
ℓ′∧
ℓnstR
Yj ).
Bystructuralinduction
Ω0
transforms
configurationform
ulasCF
.
Exa
mp
le
– 19 – 2018-01-25 – Scorr –
25/45
⟨
i,1i,10,0
⟩
,→
∗⟨
w,1
i,1
0.1,0
.1
⟩
,→
∗⟨
d,1
d,1
c,c
⟩
,→
⟨
i,0i,0c,c
⟩
,→
⟨
i,1i,10,c
⟩
,→
∗
•N
|=∃♦
S0.idle
∧S1.done
•N
′|=
∃♦(∃x0 ,x
1•(S0
.idle∧¬x0 )
∧(S1.done
∨(S1.idle
∧x1 ))
∧(x
0=⇒
(S0.idle
∧nst))
∧(x
1=⇒
(S1.idle∧
nst)))
Exa
mp
le
– 19 – 2018-01-25 – Scorr –
25/45
⟨
i,1i,10,0
⟩
,→
∗⟨
w,1
i,1
0.1,0
.1
⟩
,→
∗⟨
d,1
d,1
c,c
⟩
,→
⟨
i,0i,0c,c
⟩
,→
⟨
i,1i,10,c
⟩
,→
∗
•N
|=∃♦(x
0=
0∧x1>
0)
•N
′|=
∃♦(∃x0 ,x
1•((x
0=
0∧(t
x0∨x0 ))
∨(0
=0∧¬(t
x0∨x0 )))
∧((x
1>
0∧(t
x1∨x1 ))
∨(0>
0∧¬(t
x1∨x1 )))
∧(x
0=⇒
(S0.idle
∧nst))
∧(x
1=⇒
(S1.idle∧
nst)))
Bisim
ula
tion
Pro
ofs
– 19 – 2018-01-25 – main –
26/45
Pro
of
Sketch
– 19 – 2018-01-25 – Sbisim –
27/45
•U
sea
we
akb
isimu
lation
relatio
n—
thebasic
idea:
•Let
Ti=
(Confi ,Λ
i ,λ−→|λ∈Λi ,C
ini,i ),i=
1,2,be
labelledtransition
systems
with
(forsimplicity)C
ini,i=
cini,i .
•A
relationR
⊆Conf1×Conf2
iscalled
we
akb
isimu
lation
ifandonly
if
(i)the
initialco
nfig
uratio
ns
arerelated,i.e.(c
ini,1,c
ini,2 )∈R
,
(ii)tw
orelated
configurationssatisfy
the
same
term
s,i.e.
∀c1,c2,term
•(c
1,c2 )
∈R
=⇒
(c1|=
term
⇐⇒
c2|=
term
)
(iii)given
two
relatedconfigurations
(c1,c2 )
∈R
,
a)ifT1
hasaλ
-transitionfrom
c1
tosom
ec′1 ,
thenT2
hasτ-
andλ
-transitionsfrom
c2
toa
relatedc′2 ,i.e.
∀c′1•c1
λ−→c′1
=⇒
∃c′2•c2
λ−→∗c′2∧(c
′1,c′2 )
∈R
b)sim
ilarlyfor
T2
toT1 ,i.e.
∀c′2•c2
λ−→c′2
=⇒
∃c′1•c1
λ−→∗c′1∧(c
′1,c′2 )
∈R
•T1
andT2
arecalled
we
aklyb
isimilariffthere
existsa
weak
bisimulation
forT1 ,T
2 .
On
ceA
ga
in
– 19 – 2018-01-25 – Sbisim –
28/45
(i)(c
ini,1,c
ini,2 )∈R
,
(ii)∀c1,c2,term
•(c
1,c2 )
∈R
=⇒
(c1|=
term
⇐⇒
c2|=
term
)
(iii)forall(c
1,c2 )
∈R
,
a)“T
2can
simu
latetran
sition
so
fT1 ”:
c1
λ−→c′1
c2
R=⇒
∃c′2•
c1
λ−→c′1
c2
λ−→∗c′2
RR
(usingany
finitenum
berofτ-transitions
inbetw
een)
b)“T
1can
simu
latetran
sition
so
fT2 ”:
c1
c2
λ−→c′2
R=⇒
∃c′1•
c1
λ−→∗c′1
c′2 R
Exa
mp
le
– 19 – 2018-01-25 – Sbisim –
29/45
(i)(c
ini,1,c
ini,2)∈
R,
(ii)∀c1,c2,term
•(c
1,c
2)∈
R=⇒
(c1|=
term
⇐⇒
c2|=
term
)
(iii)forall(c
1,c2)∈
R,
a)c1
λ−→c′1
c2
R=⇒
∃c′2•
c′1
c2
λ−→∗c′2 R
b)
c1
c2
λ−→c′2
R=⇒
∃c′1•
c1
λ−→∗c′1
c′2 R
A1 :
A2 :
Exa
mp
le
– 19 – 2018-01-25 – Sbisim –
29/45
(i)(c
ini,1,c
ini,2)∈
R,
(ii)∀c1,c2,term
•(c
1,c
2)∈
R=⇒
(c1|=
term
⇐⇒
c2|=
term
)
(iii)forall(c
1,c2)∈
R,
a)c1
λ−→c′1
c2
R=⇒
∃c′2•
c′1
c2
λ−→∗c′2 R
b)
c1
c2
λ−→c′2
R=⇒
∃c′1•
c1
λ−→∗c′1
c′2 R
A1 :
A3 :
Wh
at
isIt
Go
od
Fo
r?
– 19 – 2018-01-25 – Sbisim –
30/45
(i)(c
ini,1,c
ini,2)∈
R,
(ii)∀c1,c2,term
•(c
1,c2)∈
R=⇒
(c1|=
term
⇐⇒
c2|=
term
)
(iii)forall(c
1,c2)∈
R,
a)c1
λ−→c′1
c2
R=⇒
∃c′2•
c′1
c2
λ−→∗c′2 R
b)
c1
c2
λ−→c′2
R=⇒
∃c′1•
c1
λ−→∗c′1
c′2 R
•Let
term
bea
termovertw
ow
eaklybisim
ilarnetworks
Nand
N′.
•C
laim:N
|=∃♦term
⇐⇒
N′|=
∃♦term
.
•P
roo
f:
•Because
Nand
N′are
weakly
bisimilar,there
isa
simu
lation
relatio
nR
.
•D
irection“=⇒
”:LetN
|=∃♦term
.
•Thus
thereis
aco
mp
utatio
np
athc1,0
λ1
−→
c1,1
λ2
−→
...
λn
−−→c1,n
with
c1,n
|=term
.
•In
du
ction
ove
rle
ng
tho
fp
ath:
•C
asen=
0:Then
c1,0
|=term
andc0,1
isan
initialconfiguration,thus
c2,0
isR
-related(by
(i))andthus
c2,0
|=term
(by(ii)).
•C
asen→
n+
1:
Forthepath
c1,0
λ1
−→
...
λn
−−→c1,n
λn+
1−−−→
c1,n
+1 ,there
is(by
ind
uctio
nh
yp
oth
esis)
anR
-relatedconfiguration
c2,m
,m≥
n, re
achab
leinN
′.
By(iii).a),there
isa
configurationc′2,m
,which
isR
-relatedto
c1,n
+1 ,
andre
achab
lefrom
c2,m
,thus,by(ii),c
1,n
+1|=
term
.
•D
irection“⇐
=”:sim
ilar.
Pro
of
of
QE
-Co
rrectness
– 19 – 2018-01-25 – main –
31/45
An
oth
erW
eak
Bisim
ula
tion
Rela
tion
No
tion
– 19 – 2018-01-25 – Sproof –
32/45
De
finitio
n.[W
eak
Bisim
ulatio
n]
Netw
orksN,N
′arecalled
weakly
bisimilarifand
onlyif
thereis
aw
eakbisim
ulationrelation
QE
⊆Conf(N
)×Conf(N
′)such
that:
(i)∀s∈C
ini (N
)∃r∈C
ini (N
′)•(s,r)
∈QE
,∀r∈C
ini (N
′)∃s∈C
ini (N
)•(s,r)
∈QE
.
(ii)∀CF
∈CF
N∀(s,r)
∈QE
•s|=
δCF
=⇒
r|=
δΩ(C
F).
(iii)∀CF
∈CF
N∀(s,r)
∈QE
•
r|=
δΩ(C
F)=⇒
∃s∈Conf(N
)•(s,r)
∈QE
∧s|=
δCF.
(iv)∀(s,r)
∈QE
∀λ,s
′•s
λ−→s′=⇒
∃r′•r
λ−→∗r′∧
(s′,r
′)∈QE
(v)∀CF
∈CF
N∀(s,r)
∈QE
∀λ,r
′•
rλ−→r′∧r′|=
δ′Ω
0 (CF)=⇒
∃s′•s
λ−→∗s′∧
(s′,r
′)∈QE
.
Here,r
τ−→∗r′denotes
zeroorm
oresuccessive
τ-transitionsfrom
rtor′.
AW
eak
Bisim
ula
tion
Rela
tion
for
QE
-Tra
nsfo
rma
tion
– 19 – 2018-01-25 – Sproof –
33/45
•Let
Nbe
anetw
orkoftim
edautom
ataand
N′the
network
obtainedby
QE-transform
ationof
N.Then
QE
:Conf(N
)→
2ConfN
′definedas
follows
isa
we
akb
isimu
lation
relatio
n.
QE(〈 ~ℓ
s,νs 〉)
=
r=
〈(ℓr,1,...,ℓ
r,n,ℓR
Y1,...,ℓR
Ym),ν
r〉|
(∀x∈
V(N
)•νr(x
)=
νs(x
))(6.2.1)
∧∀1≤
i≤
n•
(6.2.2)(
(
ℓr,i=
ℓs,i∧∀x∈
X(A
i )•νs(x
)=
νr(x
x)·νr(t
x))
(6.2.2a)
∨(
∃(ℓ,α
,ϕ,〈x
:=0〉,ℓ
′)∈
Sim
pEdgesY(A
i )•ℓR
Y6=
ℓin
iRY
∧
ℓs,i=
ℓ∧ℓr,i=
ℓ′∧νs(x
)=
νr(x
x)∧νr(t
x)=
0∧
∀y∈
X(A
i )\x•νs(y)=
νr(x
y)·νr(t
y))
)
(6.2.2b)
∧∀Y
∈ECN
•(
(νr(s
Ai
Y)=
1⇐⇒
∃(ℓ,α,ϕ
,~r,ℓ′)
∈Sim
pEdgesY(A
i )•ℓr,i=
ℓ)(6.2.3)
∧νr(prio
Y)=
1⇐⇒
(ℓr,R
Y=
ℓnstR
Y))
(6.2.4)
Exa
mp
le
– 19 – 2018-01-25 – Sproof –
34/45
⟨i,0i,0⟩
,0→
∗⟨w
,0.1
i,0
.1
⟩
,0.1→
∗⟨d
,c
d,c
⟩
,c→
⟨
i,0d,c
⟩
,c
⟨d,c
i,0⟩
,c
→⟨i,0
i,0⟩
,c→
∗
⟨
i,1i,1i,0
⟩
,0→
∗⟨
w,1
i,1
i,0.1
⟩
,0.1→
∗⟨
d,1
d,1
i,c
⟩
,c→⟨
i,0i,0n,c
⟩
,c→
⟨
i,1i,1i,0
⟩
,c→
∗
Pro
of
of
Ha
ving
Ind
eeda
Bisim
ula
tion
– 19 – 2018-01-25 – Sproof –
35/45
ss′
rr′
t
r
tτ
τ
ss′
rr′
λ
λλ
ss′
rr′
λ0
ss′
rr′
λ
λ′
λ
ss′
rr′
λλ
•s
λ−→s′to
rλ−→
∗
r′:
Case
s:
•delay
d>
0:s
s′
rr′
t
r
tτ
τ
resettermay
needto
goback
toidle,
thendo
same
delay.
Pro
of
of
Ha
ving
Ind
eeda
Bisim
ula
tion
– 19 – 2018-01-25 – Sproof –
35/45
ss′
rr′
t
r
tτ
τ
ss′
rr′
λ
λλ
ss′
rr′
λ0
ss′
rr′
λ
λ′
λ
ss′
rr′
λλ
•s
λ−→s′to
rλ−→
∗
r′:
Case
s:
•delay
d>
0
•firstsim
pleedge:
ss′
rr′
λ
λλ
firstsimple
edgespushes
resetterandallothersim
ples.
Pro
of
of
Ha
ving
Ind
eeda
Bisim
ula
tion
– 19 – 2018-01-25 – Sproof –
35/45
ss′
rr′
t
r
tτ
τ
ss′
rr′
λ
λλ
ss′
rr′
λ0
ss′
rr′
λ
λ′
λ
ss′
rr′
λλ
•s
λ−→s′to
rλ−→
∗
r′:
Case
s:
•delay
d>
0
•firstsim
pleedge
•othersim
pleedge:
ss′
rr′
λ0
resetterisin
nst,donothing
inN
′.
Pro
of
of
Ha
ving
Ind
eeda
Bisim
ula
tion
– 19 – 2018-01-25 – Sproof –
35/45
ss′
rr′
t
r
tτ
τ
ss′
rr′
λ
λλ
ss′
rr′
λ0
ss′
rr′
λ
λ′
λ
ss′
rr′
λλ
•s
λ−→s′to
rλ−→
∗
r′:
Case
s:
•delay
d>
0
•firstsim
pleedge
•othersim
pleedge
•non-reset,oratleastone
complex:
ss′
rr′
λ
λ′
λ
resettermay
needto
pushsim
plesfirst,then
takesam
eedge
inN
′.
Pro
of
of
Ha
ving
Ind
eeda
Bisim
ula
tion
– 19 – 2018-01-25 – Sproof –
35/45
ss′
rr′
t
r
tτ
τ
ss′
rr′
λ
λλ
ss′
rr′
λ0
ss′
rr′
λ
λ′
λ
ss′
rr′
λλ
•s
λ−→s′to
rλ−→
∗
r′:
Case
s:
•delay
d>
0
•firstsim
pleedge
•othersim
pleedge
•non-reset,oratleastone
complex
•delay
d=
0:s
s′
rr′
λλ
dosam
edelay
inN
′.
Pro
of
of
Ha
ving
Ind
eeda
Bisim
ula
tion
– 19 – 2018-01-25 – Sproof –
35/45
ss′
rr′
λλ
ss′
rr′
0λ
ss′
rr′
λ
λλ
•r
λ−→r′to
sλ−→
∗
s′:
Case
s:
•delay
d>
0:s
s′
rr′
λλ
dosam
edelay
inN
.
Pro
of
of
Ha
ving
Ind
eeda
Bisim
ula
tion
– 19 – 2018-01-25 – Sproof –
35/45
ss′
rr′
λλ
ss′
rr′
0λ
ss′
rr′
λ
λλ
•r
λ−→r′to
sλ−→
∗
s′:
Case
s:
•delay
d>
0
•com
plex,ornon-resetting:s
s′
rr′
λλ
takesam
eedge
inN
.
Pro
of
of
Ha
ving
Ind
eeda
Bisim
ula
tion
– 19 – 2018-01-25 – Sproof –
35/45
ss′
rr′
λλ
ss′
rr′
0λ
ss′
rr′
λ
λλ
•r
λ−→r′to
sλ−→
∗
s′:
Case
s:
•delay
d>
0
•com
plex,ornon-resetting
•resetterto
nst,orreturns
(nosim
plesenab.in
N):
ss′
rr′
0λ
donothing
inN
.
Pro
of
of
Ha
ving
Ind
eeda
Bisim
ula
tion
– 19 – 2018-01-25 – Sproof –
35/45
ss′
rr′
λλ
ss′
rr′
0λ
ss′
rr′
λ
λλ
•r
λ−→r′to
sλ−→
∗
s′:
Case
s:
•delay
d>
0
•com
plex,ornon-resetting
•resetterto
nst,orreturns
(nosim
plesenab.in
N)
•resetterreturns
(some
simples
enab.inN
):s
s′
rr′
λ
λλ
takeallenabled
simple
edgesinN
.
Mo
reE
xperim
ents
– 19 – 2018-01-25 – main –
36/45
Ca
seS
tud
ies
– 19 – 2018-01-25 – Scasestudies –
37/45
CD
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 •••9 •••
10 •••
11 •••
12 •••
13 •••
14 •••
89
,39
6.8
9kS
ts9
,49
2.4M
iB6
,45
7.8s
15 •
CD
-K
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 • ••9 • ••
10 • ••
11 • ••
12 •••
13 •••
14 •••
15 •••
93
8.18
kSts
146
.8M
iB4
2.9s
PG
100·106
states
5GiB
104
sec
9 •• •10 •• •
11 •• •
69
2.24kS
ts29
.5M
iB17,76
3.6
s
12 •
13 •
14 •
15 •
16 •
17 •
18 •
PG-K
100·106
states
5GiB
104
sec
9 •••10 •••
11 •••
12 •••
13 •••
14 •••
15 •• •
16 •• •
17 •• •
18 •• •
202,113
.18kS
ts6
,234
.1M
iB9
,179.0
s
FB
25·106
states
10
GiB
5000
sec
14 • ••
15 • • •
16 • • •
17 • • •
18 •• •
39
3,24
kSts
86
.7M
iB9
,427.0
s
19 •
20 •
21 •
22 •
23 •
FB-K
25·106
states
10
GiB
5000
sec
14 • ••
15 •••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •••
22 •••
23 •••
50
,33
1.70kS
ts8
,732.3
MiB
8,6
04
.0s
EP
30·106
states
10
GiB
5000
sec
15 • ••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •• •
22 •• •
23 •• •
25,16
5.9
0kS
ts4
,46
2.5M
iB5
,921.0
s
24 •
EP-K
30·106
states
10
GiB
5000
sec
15 • ••
16 • ••
17 • ••
18 • ••
19 • ••
20 • ••
21 • ••
22 • ••
23 • ••
24 • ••
50
,33
1.73kS
ts12,5
06
.5M
iB6
,64
0.1
s
LS
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •• •
33
,743
.86
kSts
3,4
01.2
MiB
3,4
27.3s
LS-K
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •••
34
,45
1.53
kSts
5,5
56
.2M
iB1,5
61.8
s
TT
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 •••
5 •••6 •••
7 •••
10,8
47.6
1kS
ts6
25.3
MiB
236
.3s
TT-K
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 • ••
5 •••6 •••
7 •••
11,05
4.9
7kS
ts1,23
2.3M
iB19
7.2s
FS
20·106
states
5GiB
2000
sec
9 •• •16
,910
.28kS
ts1,8
44
.4M
iB3
,30
0.7
s
10 •
15 •
20 •
40 •
60 •
80 •100•
•126•
FS-K
20·106
states
5GiB
2000
sec
9 • ••10 • ••
15 • ••
20 • ••
40 • ••
60 • ••
80 • ••
100
• ••• ••126
• ••
6,9
82.76
kSts
7,58
0.9
MiB
2,102.4
s
Ca
seS
tud
ies
– 19 – 2018-01-25 – Scasestudies –
37/45
CD
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 •••9 •••
10 •••
11 •••
12 •••
13 •••
14 •••
89
,39
6.8
9kS
ts9
,49
2.4M
iB6
,45
7.8s
15 •
CD
-K
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 • ••9 • ••
10 • ••
11 • ••
12 •••
13 •••
14 •••
15 •••
93
8.18
kSts
146
.8M
iB4
2.9s
PG
100·106
states
5GiB
104
sec
9 •• •10 •• •
11 •• •
69
2.24kS
ts29
.5M
iB17,76
3.6
s
12 •
13 •
14 •
15 •
16 •
17 •
18 •
PG-K
100·106
states
5GiB
104
sec
9 •••10 •••
11 •••
12 •••
13 •••
14 •••
15 •• •
16 •• •
17 •• •
18 •• •
202,113
.18kS
ts6
,234
.1M
iB9
,179.0
s
FB
25·106
states
10
GiB
5000
sec
14 • ••
15 • • •
16 • • •
17 • • •
18 •• •
39
3,24
kSts
86
.7M
iB9
,427.0
s
19 •
20 •
21 •
22 •
23 •
FB-K
25·106
states
10
GiB
5000
sec
14 • ••
15 •••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •••
22 •••
23 •••
50
,33
1.70kS
ts8
,732.3
MiB
8,6
04
.0s
EP
30·106
states
10
GiB
5000
sec
15 • ••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •• •
22 •• •
23 •• •
25,16
5.9
0kS
ts4
,46
2.5M
iB5
,921.0
s
24 •
EP-K
30·106
states
10
GiB
5000
sec
15 • ••
16 • ••
17 • ••
18 • ••
19 • ••
20 • ••
21 • ••
22 • ••
23 • ••
24 • ••
50
,33
1.73kS
ts12,5
06
.5M
iB6
,64
0.1
s
LS
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •• •
33
,743
.86
kSts
3,4
01.2
MiB
3,4
27.3s
LS-K
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •••
34
,45
1.53
kSts
5,5
56
.2M
iB1,5
61.8
s
TT
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 •••
5 •••6 •••
7 •••
10,8
47.6
1kS
ts6
25.3
MiB
236
.3s
TT-K
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 • ••
5 •••6 •••
7 •••
11,05
4.9
7kS
ts1,23
2.3M
iB19
7.2s
FS
20·106
states
5GiB
2000
sec
9 •• •16
,910
.28kS
ts1,8
44
.4M
iB3
,30
0.7
s
10 •
15 •
20 •
40 •
60 •
80 •100•
•126•
FS-K
20·106
states
5GiB
2000
sec
9 • ••10 • ••
15 • ••
20 • ••
40 • ••
60 • ••
80 • ••
100
• ••• ••126
• ••
6,9
82.76
kSts
7,58
0.9
MiB
2,102.4
s
CD
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 •••9 •••
10 •••
11 •••
12 •••
13 •••
14 •••
89
,39
6.8
9kS
ts9
,49
2.4M
iB6
,45
7.8s
15 •
CD
-K
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 • ••9 • ••
10 • ••
11 • ••
12 •••
13 •••
14 •••
15 •••
93
8.18
kSts
146
.8M
iB4
2.9s
H.E.Jensen,K.G
.Larsen,etal.“Mo
dellin
ga
nd
An
alysis
of
aC
ollisio
nA
void
an
ceP
roto
colusin
gS
PIN
an
dU
pp
aa
l”.In:DIM
AC
S.Vol.32.DIM
AC
S.1996,pp.33-50.
Ca
seS
tud
ies
– 19 – 2018-01-25 – Scasestudies –
37/45
CD
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 •••9 •••
10 •••
11 •••
12 •••
13 •••
14 •••
89
,39
6.8
9kS
ts9
,49
2.4M
iB6
,45
7.8s
15 •
CD
-K
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 • ••9 • ••
10 • ••
11 • ••
12 •••
13 •••
14 •••
15 •••
93
8.18
kSts
146
.8M
iB4
2.9s
PG
100·106
states
5GiB
104
sec
9 •• •10 •• •
11 •• •
69
2.24kS
ts29
.5M
iB17,76
3.6
s
12 •
13 •
14 •
15 •
16 •
17 •
18 •
PG-K
100·106
states
5GiB
104
sec
9 •••10 •••
11 •••
12 •••
13 •••
14 •••
15 •• •
16 •• •
17 •• •
18 •• •
202,113
.18kS
ts6
,234
.1M
iB9
,179.0
s
FB
25·106
states
10
GiB
5000
sec
14 • ••
15 • • •
16 • • •
17 • • •
18 •• •
39
3,24
kSts
86
.7M
iB9
,427.0
s
19 •
20 •
21 •
22 •
23 •
FB-K
25·106
states
10
GiB
5000
sec
14 • ••
15 •••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •••
22 •••
23 •••
50
,33
1.70kS
ts8
,732.3
MiB
8,6
04
.0s
EP
30·106
states
10
GiB
5000
sec
15 • ••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •• •
22 •• •
23 •• •
25,16
5.9
0kS
ts4
,46
2.5M
iB5
,921.0
s
24 •
EP-K
30·106
states
10
GiB
5000
sec
15 • ••
16 • ••
17 • ••
18 • ••
19 • ••
20 • ••
21 • ••
22 • ••
23 • ••
24 • ••
50
,33
1.73kS
ts12,5
06
.5M
iB6
,64
0.1
s
LS
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •• •
33
,743
.86
kSts
3,4
01.2
MiB
3,4
27.3s
LS-K
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •••
34
,45
1.53
kSts
5,5
56
.2M
iB1,5
61.8
s
TT
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 •••
5 •••6 •••
7 •••
10,8
47.6
1kS
ts6
25.3
MiB
236
.3s
TT-K
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 • ••
5 •••6 •••
7 •••
11,05
4.9
7kS
ts1,23
2.3M
iB19
7.2s
FS
20·106
states
5GiB
2000
sec
9 •• •16
,910
.28kS
ts1,8
44
.4M
iB3
,30
0.7
s
10 •
15 •
20 •
40 •
60 •
80 •100•
•126•
FS-K
20·106
states
5GiB
2000
sec
9 • ••10 • ••
15 • ••
20 • ••
40 • ••
60 • ••
80 • ••
100
• ••• ••126
• ••
6,9
82.76
kSts
7,58
0.9
MiB
2,102.4
s
PG
100·106
states
5GiB
104
sec
9 •• •10 •• •
11 •• •
69
2.24kS
ts29
.5M
iB17,76
3.6
s
12 •
13 •
14 •
15 •
16 •
17 •
18 •
PG-K
100·106
states
5GiB
104
sec
9 •••10 •••
11 •••
12 •••
13 •••
14 •••
15 •• •
16 •• •
17 •• •
18 •• •
202,113
.18kS
ts6
,234
.1M
iB9
,179.0
s
B.Bérard,P.Bouyer,etal.“An
alysin
gth
eP
GM
Pro
toco
lwith
UP
PA
AL”.In:IJPR
42.14(20
04),pp.
2773-2791.
Ca
seS
tud
ies
– 19 – 2018-01-25 – Scasestudies –
37/45
CD
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 •••9 •••
10 •••
11 •••
12 •••
13 •••
14 •••
89
,39
6.8
9kS
ts9
,49
2.4M
iB6
,45
7.8s
15 •
CD
-K
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 • ••9 • ••
10 • ••
11 • ••
12 •••
13 •••
14 •••
15 •••
93
8.18
kSts
146
.8M
iB4
2.9s
PG
100·106
states
5GiB
104
sec
9 •• •10 •• •
11 •• •
69
2.24kS
ts29
.5M
iB17,76
3.6
s
12 •
13 •
14 •
15 •
16 •
17 •
18 •
PG-K
100·106
states
5GiB
104
sec
9 •••10 •••
11 •••
12 •••
13 •••
14 •••
15 •• •
16 •• •
17 •• •
18 •• •
202,113
.18kS
ts6
,234
.1M
iB9
,179.0
s
FB
25·106
states
10
GiB
5000
sec
14 • ••
15 • • •
16 • • •
17 • • •
18 •• •
39
3,24
kSts
86
.7M
iB9
,427.0
s
19 •
20 •
21 •
22 •
23 •
FB-K
25·106
states
10
GiB
5000
sec
14 • ••
15 •••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •••
22 •••
23 •••
50
,33
1.70kS
ts8
,732.3
MiB
8,6
04
.0s
EP
30·106
states
10
GiB
5000
sec
15 • ••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •• •
22 •• •
23 •• •
25,16
5.9
0kS
ts4
,46
2.5M
iB5
,921.0
s
24 •
EP-K
30·106
states
10
GiB
5000
sec
15 • ••
16 • ••
17 • ••
18 • ••
19 • ••
20 • ••
21 • ••
22 • ••
23 • ••
24 • ••
50
,33
1.73kS
ts12,5
06
.5M
iB6
,64
0.1
s
LS
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •• •
33
,743
.86
kSts
3,4
01.2
MiB
3,4
27.3s
LS-K
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •••
34
,45
1.53
kSts
5,5
56
.2M
iB1,5
61.8
s
TT
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 •••
5 •••6 •••
7 •••
10,8
47.6
1kS
ts6
25.3
MiB
236
.3s
TT-K
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 • ••
5 •••6 •••
7 •••
11,05
4.9
7kS
ts1,23
2.3M
iB19
7.2s
FS
20·106
states
5GiB
2000
sec
9 •• •16
,910
.28kS
ts1,8
44
.4M
iB3
,30
0.7
s
10 •
15 •
20 •
40 •
60 •
80 •100•
•126•
FS-K
20·106
states
5GiB
2000
sec
9 • ••10 • ••
15 • ••
20 • ••
40 • ••
60 • ••
80 • ••
100
• ••• ••126
• ••
6,9
82.76
kSts
7,58
0.9
MiB
2,102.4
s
FB
25·106
states
10
GiB
5000
sec
14 • ••
15 • • •
16 • • •
17 • • •
18 • • •
39
3,24
kSts
86
.7M
iB9
,427.0
s
19 •
20 •
21 •
22 •
23 •
FB-K
25·106
states
10
GiB
5000
sec
14 • ••
15 •••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •••
22 •••
23 •••
50
,33
1.70kS
ts8
,732.3
MiB
8,6
04
.0s
N.Petalidis.“V
erificatio
no
fa
Fieldb
usS
ched
uling
Pro
toco
lUsin
gT
imed
Auto
ma
ta”.In:CI28
.5(20
09),pp.655-672.
Ca
seS
tud
ies
– 19 – 2018-01-25 – Scasestudies –
37/45
CD
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 •••9 •••
10 •••
11 •••
12 •••
13 •••
14 •••
89
,39
6.8
9kS
ts9
,49
2.4M
iB6
,45
7.8s
15 •
CD
-K
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 • ••9 • ••
10 • ••
11 • ••
12 •••
13 •••
14 •••
15 •••
93
8.18
kSts
146
.8M
iB4
2.9s
PG
100·106
states
5GiB
104
sec
9 •• •10 •• •
11 •• •
69
2.24kS
ts29
.5M
iB17,76
3.6
s
12 •
13 •
14 •
15 •
16 •
17 •
18 •
PG-K
100·106
states
5GiB
104
sec
9 •••10 •••
11 •••
12 •••
13 •••
14 •••
15 •• •
16 •• •
17 •• •
18 •• •
202,113
.18kS
ts6
,234
.1M
iB9
,179.0
s
FB
25·106
states
10
GiB
5000
sec
14 • ••
15 • • •
16 • • •
17 • • •
18 •• •
39
3,24
kSts
86
.7M
iB9
,427.0
s
19 •
20 •
21 •
22 •
23 •
FB-K
25·106
states
10
GiB
5000
sec
14 • ••
15 •••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •••
22 •••
23 •••
50
,33
1.70kS
ts8
,732.3
MiB
8,6
04
.0s
EP
30·106
states
10
GiB
5000
sec
15 • ••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •• •
22 •• •
23 •• •
25,16
5.9
0kS
ts4
,46
2.5M
iB5
,921.0
s
24 •
EP-K
30·106
states
10
GiB
5000
sec
15 • ••
16 • ••
17 • ••
18 • ••
19 • ••
20 • ••
21 • ••
22 • ••
23 • ••
24 • ••
50
,33
1.73kS
ts12,5
06
.5M
iB6
,64
0.1
s
LS
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •• •
33
,743
.86
kSts
3,4
01.2
MiB
3,4
27.3s
LS-K
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •••
34
,45
1.53
kSts
5,5
56
.2M
iB1,5
61.8
s
TT
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 •••
5 •••6 •••
7 •••
10,8
47.6
1kS
ts6
25.3
MiB
236
.3s
TT-K
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 • ••
5 •••6 •••
7 •••
11,05
4.9
7kS
ts1,23
2.3M
iB19
7.2s
FS
20·106
states
5GiB
2000
sec
9 •• •16
,910
.28kS
ts1,8
44
.4M
iB3
,30
0.7
s
10 •
15 •
20 •
40 •
60 •
80 •100•
•126•
FS-K
20·106
states
5GiB
2000
sec
9 • ••10 • ••
15 • ••
20 • ••
40 • ••
60 • ••
80 • ••
100
• ••• ••126
• ••
6,9
82.76
kSts
7,58
0.9
MiB
2,102.4
s
EP
30·106
states
10
GiB
5000
sec
15 • ••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •• •
22 •• •
23 •• •
25,16
5.9
0kS
ts4
,46
2.5M
iB5
,921.0
s
24 •
EP-K
30·106
states
10
GiB
5000
sec
15 • ••
16 • ••
17 • ••
18 • ••
19 • ••
20 • ••
21 • ••
22 • ••
23 • ••
24 • ••
50
,33
1.73kS
ts12,5
06
.5M
iB6
,64
0.1
s
S.Limal,S.Potier,etal.“Fo
rma
lVerifica
tion
of
Red
und
an
tM
edia
Exten
sion
of
Eth
ernet
Po
werLin
k”.In:ETFA
.IEEE,200
7,pp.1045-10
52.
Ca
seS
tud
ies
– 19 – 2018-01-25 – Scasestudies –
37/45
CD
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 •••9 •••
10 •••
11 •••
12 •••
13 •••
14 •••
89
,39
6.8
9kS
ts9
,49
2.4M
iB6
,45
7.8s
15 •
CD
-K
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 • ••9 • ••
10 • ••
11 • ••
12 •••
13 •••
14 •••
15 •••
93
8.18
kSts
146
.8M
iB4
2.9s
PG
100·106
states
5GiB
104
sec
9 •• •10 •• •
11 •• •
69
2.24kS
ts29
.5M
iB17,76
3.6
s
12 •
13 •
14 •
15 •
16 •
17 •
18 •
PG-K
100·106
states
5GiB
104
sec
9 •••10 •••
11 •••
12 •••
13 •••
14 •••
15 •• •
16 •• •
17 •• •
18 •• •
202,113
.18kS
ts6
,234
.1M
iB9
,179.0
s
FB
25·106
states
10
GiB
5000
sec
14 • ••
15 • • •
16 • • •
17 • • •
18 •• •
39
3,24
kSts
86
.7M
iB9
,427.0
s
19 •
20 •
21 •
22 •
23 •
FB-K
25·106
states
10
GiB
5000
sec
14 • ••
15 •••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •••
22 •••
23 •••
50
,33
1.70kS
ts8
,732.3
MiB
8,6
04
.0s
EP
30·106
states
10
GiB
5000
sec
15 • ••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •• •
22 •• •
23 •• •
25,16
5.9
0kS
ts4
,46
2.5M
iB5
,921.0
s
24 •
EP-K
30·106
states
10
GiB
5000
sec
15 • ••
16 • ••
17 • ••
18 • ••
19 • ••
20 • ••
21 • ••
22 • ••
23 • ••
24 • ••
50
,33
1.73kS
ts12,5
06
.5M
iB6
,64
0.1
s
LS
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •• •
33
,743
.86
kSts
3,4
01.2
MiB
3,4
27.3s
LS-K
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •••
34
,45
1.53
kSts
5,5
56
.2M
iB1,5
61.8
s
TT
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 •••
5 •••6 •••
7 •••
10,8
47.6
1kS
ts6
25.3
MiB
236
.3s
TT-K
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 • ••
5 •••6 •••
7 •••
11,05
4.9
7kS
ts1,23
2.3M
iB19
7.2s
FS
20·106
states
5GiB
2000
sec
9 •• •16
,910
.28kS
ts1,8
44
.4M
iB3
,30
0.7
s
10 •
15 •
20 •
40 •
60 •
80 •100•
•126•
FS-K
20·106
states
5GiB
2000
sec
9 • ••10 • ••
15 • ••
20 • ••
40 • ••
60 • ••
80 • ••
100
• ••• ••126
• ••
6,9
82.76
kSts
7,58
0.9
MiB
2,102.4
s
LS
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •• •
33
,743
.86
kSts
3,4
01.2
MiB
3,4
27.3s
LS-K
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •••
34
,45
1.53
kSts
5,5
56
.2M
iB1,5
61.8
s
P.Kordy,R.Langerak,etal.“R
e-verificatio
no
fa
LipS
ynch
ron
izatio
nP
roto
colU
sing
Ro
bust
Rea
cha
bility”.In:FM
A.Vol.20
.EPTCS.20
09,pp.49-62.
Ca
seS
tud
ies
– 19 – 2018-01-25 – Scasestudies –
37/45
CD
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 •••9 •••
10 •••
11 •••
12 •••
13 •••
14 •••
89
,39
6.8
9kS
ts9
,49
2.4M
iB6
,45
7.8s
15 •
CD
-K
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 • ••9 • ••
10 • ••
11 • ••
12 •••
13 •••
14 •••
15 •••
93
8.18
kSts
146
.8M
iB4
2.9s
PG
100·106
states
5GiB
104
sec
9 •• •10 •• •
11 •• •
69
2.24kS
ts29
.5M
iB17,76
3.6
s
12 •
13 •
14 •
15 •
16 •
17 •
18 •
PG-K
100·106
states
5GiB
104
sec
9 •••10 •••
11 •••
12 •••
13 •••
14 •••
15 •• •
16 •• •
17 •• •
18 •• •
202,113
.18kS
ts6
,234
.1M
iB9
,179.0
s
FB
25·106
states
10
GiB
5000
sec
14 • ••
15 • • •
16 • • •
17 • • •
18 •• •
39
3,24
kSts
86
.7M
iB9
,427.0
s
19 •
20 •
21 •
22 •
23 •
FB-K
25·106
states
10
GiB
5000
sec
14 • ••
15 •••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •••
22 •••
23 •••
50
,33
1.70kS
ts8
,732.3
MiB
8,6
04
.0s
EP
30·106
states
10
GiB
5000
sec
15 • ••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •• •
22 •• •
23 •• •
25,16
5.9
0kS
ts4
,46
2.5M
iB5
,921.0
s
24 •
EP-K
30·106
states
10
GiB
5000
sec
15 • ••
16 • ••
17 • ••
18 • ••
19 • ••
20 • ••
21 • ••
22 • ••
23 • ••
24 • ••
50
,33
1.73kS
ts12,5
06
.5M
iB6
,64
0.1
s
LS
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •• •
33
,743
.86
kSts
3,4
01.2
MiB
3,4
27.3s
LS-K
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •••
34
,45
1.53
kSts
5,5
56
.2M
iB1,5
61.8
s
TT
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 •••
5 •••6 •••
7 •••
10,8
47.6
1kS
ts6
25.3
MiB
236
.3s
TT-K
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 • ••
5 •••6 •••
7 •••
11,05
4.9
7kS
ts1,23
2.3M
iB19
7.2s
FS
20·106
states
5GiB
2000
sec
9 •• •16
,910
.28kS
ts1,8
44
.4M
iB3
,30
0.7
s
10 •
15 •
20 •
40 •
60 •
80 •100•
•126•
FS-K
20·106
states
5GiB
2000
sec
9 • ••10 • ••
15 • ••
20 • ••
40 • ••
60 • ••
80 • ••
100
• ••• ••126
• ••
6,9
82.76
kSts
7,58
0.9
MiB
2,102.4
s
TT
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 •••
5 •••6 •••
7 •••
10,8
47.6
1kS
ts6
25.3
MiB
236
.3s
TT-K
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 • ••
5 •••6 •••
7 •••
11,05
4.9
7kS
ts1,23
2.3M
iB19
7.2s
W.Steinerand
W.Elm
enreich.“Auto
ma
ticR
ecovery
of
the
TT
P/AS
enso
r/Actua
tor
Netw
ork”.In:
WISES.V
iennaU
niversityofTechnology,20
03,pp.25-37.
Ca
seS
tud
ies
– 19 – 2018-01-25 – Scasestudies –
37/45
CD
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 •••9 •••
10 •••
11 •••
12 •••
13 •••
14 •••
89
,39
6.8
9kS
ts9
,49
2.4M
iB6
,45
7.8s
15 •
CD
-K
50·106
states
10
GiB
5000
sec
6 • ••7 • ••
8 • ••9 • ••
10 • ••
11 • ••
12 •••
13 •••
14 •••
15 •••
93
8.18
kSts
146
.8M
iB4
2.9s
PG
100·106
states
5GiB
104
sec
9 •• •10 •• •
11 •• •
69
2.24kS
ts29
.5M
iB17,76
3.6
s
12 •
13 •
14 •
15 •
16 •
17 •
18 •
PG-K
100·106
states
5GiB
104
sec
9 •••10 •••
11 •••
12 •••
13 •••
14 •••
15 •• •
16 •• •
17 •• •
18 •• •
202,113
.18kS
ts6
,234
.1M
iB9
,179.0
s
FB
25·106
states
10
GiB
5000
sec
14 • ••
15 • • •
16 • • •
17 • • •
18 •• •
39
3,24
kSts
86
.7M
iB9
,427.0
s
19 •
20 •
21 •
22 •
23 •
FB-K
25·106
states
10
GiB
5000
sec
14 • ••
15 •••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •••
22 •••
23 •••
50
,33
1.70kS
ts8
,732.3
MiB
8,6
04
.0s
EP
30·106
states
10
GiB
5000
sec
15 • ••
16 •••
17 •••
18 •••
19 •••
20 •••
21 •• •
22 •• •
23 •• •
25,16
5.9
0kS
ts4
,46
2.5M
iB5
,921.0
s
24 •
EP-K
30·106
states
10
GiB
5000
sec
15 • ••
16 • ••
17 • ••
18 • ••
19 • ••
20 • ••
21 • ••
22 • ••
23 • ••
24 • ••
50
,33
1.73kS
ts12,5
06
.5M
iB6
,64
0.1
s
LS
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •• •
33
,743
.86
kSts
3,4
01.2
MiB
3,4
27.3s
LS-K
15·106
states
5GiB
2000
sec
1 • ••2 • ••
3 • ••4 • ••
5 • ••6 •••
7 •••8 •••
9 •••
10 •••
34
,45
1.53
kSts
5,5
56
.2M
iB1,5
61.8
s
TT
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 •••
5 •••6 •••
7 •••
10,8
47.6
1kS
ts6
25.3
MiB
236
.3s
TT-K
10·106
states
2GiB
1000
sec
1 • ••2 • ••
3 • ••4 • ••
5 •••6 •••
7 •••
11,05
4.9
7kS
ts1,23
2.3M
iB19
7.2s
FS
20·106
states
5GiB
2000
sec
9 •• •16
,910
.28kS
ts1,8
44
.4M
iB3
,30
0.7
s
10 •
15 •
20 •
40 •
60 •
80 •100•
•126•
FS-K
20·106
states
5GiB
2000
sec
9 • ••10 • ••
15 • ••
20 • ••
40 • ••
60 • ••
80 • ••
100
• ••• ••126
• ••
6,9
82.76
kSts
7,58
0.9
MiB
2,102.4
s
FS
20·106
states
5GiB
2000
sec
9 •• •16
,910
.28kS
ts1,8
44
.4M
iB3
,30
0.7
s
10 •
15 •
20 •
40 •
60 •
80 •100•
•126•
FS-K
20·106
states
5GiB
2000
sec
9 • ••10 • ••
15 • ••
20 • ••
40 • ••
60 • ••
80 • ••
100
• ••• ••126
• ••
6,9
82.76
kSts
7,58
0.9
MiB
2,102.4
s
D.D
ietsch,A.Podelski,etal.“D
isam
bigua
tion
of
Ind
ustrialS
tan
da
rds
Th
rough
Form
aliza
tion
an
dG
rap
hica
lLan
guages”.In:R
E.IEEE,2011,pp.265-270
.
Sa
ving
s
– 19 – 2018-01-25 – main –
38/45
Up
per
Bo
un
do
nN
um
ber
of
Co
nfi
gu
ratio
ns
– 19 – 2018-01-25 – Ssavings –
39/45
Th
eo
rem
.LetNbe
anetw
orkoftim
edautom
ataw
ithequivalence
classesofquasi-equalclocks
ECN
=Y
1 ,...,Ym.
Thenthe
numberofconfigurations
ofN
′isbounded
aboveby:
|L(A
1 )×···×
L(A
n)×L(R
Y1 )
×···×
L(R
Ym)|
·(2c+2)
|ECN|·(4c
+3)
12|E
CN|·(|E
CN|−
1)
·2|Y
1∪···∪
Ym|,
where
c=
maxc
x|x∈X(N
).
On
lyS
imp
leE
dges
– 19 – 2018-01-25 – Ssavings –
40/45
Lem
ma.Let
Nbe
anetw
orkoftim
edautom
ataw
itha
setofequivalenceclasses
ofquasi-equalclocksECN
,where
•|Y
|≥
2,Y∈ECN
,and
•each
clockx∈Y
,Y∈ECN
,ise
xclusive
lyre
set
by
simp
lee
dge
s.
Then|ReachN
′|<
|ReachN|.
(Here,R
eachN
denotesthe
setofallreachable(zone
graph-)configurationsof
N.)
Pro
of:U
sethe
following
lemm
a.
Lem
ma.Let
Nbe
anetw
orkw
hereallquasi-equalclocks
areexclusively
resetbysim
pleedges.Then
|ReachN
′|=
|ReachN|−
(
∑
s∈RC
2|clks(s)|
)
+∑
s∈RC
[|class(s)|
+2]
.
Co
mp
lexE
dges
– 19 – 2018-01-25 – Ssavings –
41/45
•“it’s
(abitm
ore)complicated”
Co
nten
t
– 19 – 2018-01-25 – Scontent –
42/45
•Q
uasi-E
qu
alC
locks
•D
efin
ition,P
rop
ertie
s
•Q
EC
lock
Re
du
ction
•T
he
simp
le,an
dw
ron
gap
pro
ach
•Tran
sform
ation
exam
ple
•E
xpe
rime
nts
•S
imp
leand
Co
mp
lex
Ed
ges
•Tran
sform
ation
sche
me
s
•C
orre
ctne
sso
fth
eTran
sform
ation
•E
xcursio
n:
Bisim
ulatio
nP
roo
fs
•P
roo
fo
fQ
E-C
orre
ctne
ss
•a
particularw
eak
bisim
ulatio
nre
lation
•M
ore
Exp
erim
en
ts
Tell
Th
emW
ha
tYo
u’ve
To
ldT
hem
...
– 19 – 2018-01-25 – Sttwytt –
43/45
•The
space
com
ple
xityofPure-TA
reachability-checkingis
L1×···×
Ln×
Regions(X),
i.e.,exponentialinnum
berofclocks,ando
fTA
.
•Ifa
modelis
exp
en
siveto
che
ck,
•itm
aynecessarily
bethatexpensive,
•orartificially
/non-necessarily.
→take
acloserlook
(→exercises).
•O
neexam
ple:Qu
asi-eq
ualclo
cks
•advantage:can
be
goo
dfo
rvalid
ation,
•dis-advantage:e
xpe
nsive
toch
eck.
•The
QE
transfo
rmatio
n(source-to-source)
•e
limin
ates
inte
rleavin
so
fsim
ple
ed
ges,
•reduces
DB
Msize
to(n
um
be
ro
fe
qu
iv.classes)
2,
•re
flects
allqueries.
Referen
ces
– 19 – 2018-01-25 – main –
44/45
Referen
ces
– 19 – 2018-01-25 – main –
45/45
Arenis,S.F.,W
estphal,B.,Dietsch,D
.,Muñiz,M
.,Andisha,A
.S.,andPodelski,A
.(2016).Ready
fortesting:ensuring
conformance
toindustrialstandards
throughform
alverification.Fo
rma
lAsp
.Co
mp
ut.,28(3):499–527.
Herrera,C
.(2011).Reducing
quasi-equalclocksin
networks
oftimed
automata.M
aster’sthesis,
Albert-Ludw
igs-UniversitätFreiburg.
Herrera,C
.(2017).
Th
eC
lass
of
Tim
edA
utom
ata
with
Qua
si-Equa
lClo
cks.PhDthesis,A
lbert-Ludwigs-U
niversitätO
ldenburg.
Herrera,C
.andW
estphal,B.(2015).Q
uasi-equalclockreduction:Elim
inatingassum
ptionson
networks.In
Piterman,N
.,editor,HV
C,volume
9434of
LNC
S,pages173–18
9.Springer.
Herrera,C
.andW
estphal,B.(2016).The
modelchecking
problemin
networks
with
quasi-equalclocks.InD
yreson,C.E.,H
ansen,M.R
.,andH
unsberger,L.,editors,TIM
E,pages21–30
.IEEEC
omputerSociety.
Herrera,C
.,Westphal,B.,and
Podelski,A.(20
14).Quasi-equalclock
reduction:More
networks,m
orequeries.In
Ábrahám
,E.andH
avelund,K.,editors,TAC
AS,volum
e8
413of
LNC
S,pages295–30
9.Springer.
Olderog,E.-R
.andD
ierks,H.(20
08).
Rea
l-Tim
eS
ystems
-Fo
rma
lSp
ecificatio
na
nd
Auto
ma
ticV
erificatio
n.C
ambridge
University
Press.
