Bounded Model Checking of Max-Plus Linear Systems via Predicate Abstractions
Muhammad Syifa'ul Mufid, Dieky Adzkiya, Alessandro Abate

TL;DR
This paper presents a new predicate abstraction approach for max-plus linear systems, enabling efficient bounded model checking of time-difference specifications and providing explicit bounds on verification completeness.
Contribution
It introduces an automatic predicate abstraction method for MPL systems and enhances BMC with explicit completeness bounds based on system properties.
Findings
Predicate abstractions improve verification efficiency.
Explicit bounds on completeness threshold are derived.
Experimental results show superiority over existing algorithms.
Abstract
This paper introduces the abstraction of max-plus linear (MPL) systems via predicates. Predicates are automatically selected from system matrix, as well as from the specifications under consideration. We focus on verifying time-difference specifications, which encompass the relation between successive events in MPL systems. We implement a bounded model checking (BMC) procedure over a predicate abstraction of the given MPL system, to verify the satisfaction of time-difference specifications. Our predicate abstractions are experimentally shown to improve on existing MPL abstractions algorithms. Furthermore, with focus on the BMC algorithm, we can provide an explicit upper bound on the completeness threshold by means of the transient and the cyclicity of the underlying MPL system.
| Tropical Abstractions from [29] | Predicate Abstractions (this work) | |
|---|---|---|
| 3 | ||
| 4 | ||
| 5 | ||
| 6 | ||
| 7 | ||
| 8 | ||
| 9 | ||
| 10 | ||
| 11 | ||
| 12 | ||
| 13 | ||
| 14 | ||
| 15 |
| 3 | 1 | 13 | ||
| 4 | 0 | 14 | ||
| 5 | 0 | 14 |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
11institutetext: †Department of Computer Science, University of Oxford,United Kingdom
{muhammad.syifaul.mufid,alessandro.abate}@cs.ox.ac.uk
‡Department of Mathematics, Institut Teknologi Sepuluh Nopember
Surabaya, Indonesia
Bounded Model Checking of Max-Plus Linear Systems via Predicate Abstractions
Muhammad Syifa’ul Mufid†
Dieky Adzkiya‡
Alessandro Abate†
Abstract
This paper introduces the abstraction of max-plus linear (MPL) systems via predicates. Predicates are automatically selected from system matrix, as well as from the specifications under consideration. We focus on verifying time-difference specifications, which encompass the relation between successive events in MPL systems. We implement a bounded model checking (BMC) procedure over a predicate abstraction of the given MPL system, to verify the satisfaction of time-difference specifications. Our predicate abstractions are experimentally shown to improve on existing MPL abstractions algorithms. Furthermore, with focus on the BMC algorithm, we can provide an explicit upper bound on the completeness threshold by means of the transient and the cyclicity of the underlying MPL system.
1 Introduction
Max-Plus-Linear (MPL) systems are a class of discrete-event systems, with dynamics based on two binary operations (maximisation and addition) over a max-plus semiring. MPL systems are used to model synchronisation phenomena without concurrency. These systems have been used in many areas, such as manufacturing [27], transportation [24], and biological systems [10, 18].
Classical analysis of MPL systems is conducted using algebraic approaches [4, 24]. Recently, an alternative take based on formal abstractions has been developed to verify MPL systems against quantitative specifications [1] that are general and expressive. The performance and scalability of the abstraction approach has been later improved by employing tropical operations [29] that are native to the max-plus semiring.
This work pushes the envelop on scalability of formal abstractions of MPL systems. We newly apply predicate abstractions (PA) and bounded model checking (BMC) for the verification of MPL systems over time-difference specifications. Predicate abstractions are an abstraction approach that leverage a set of predicates, and have been classically used for software and hardware verification [21, 16], for the abstraction of programs [15, 6], and for reachability analysis of hybrid systems [3].
BMC is a symbolic model checking approach that leverages SAT solvers. The basic idea is to attempt finding counterexamples with a length bounded by some integer. If no counterexamples are found, the length is greedily increased. The approach is sound (counterexamples are correct), and complete (no counterexamples are admitted) whenever a completeness threshold (CT) for the length is reached [8, 9]. Whilst there exist results on correct upper-bounds on the CT, in practice BMC is run until the underlying problem becomes intractable.
This paper has two specific contributions. The first contribution is related to the abstraction approach. Moving beyond [1, 29], where the abstraction procedures are based on the translation of MPL systems into piecewise affine (PWA) systems, in this work we newly employ PA. Namely, we determine a set of predicates such that the dynamics within each partitioning region is affine. In other words, there is no need to compute PWA systems anymore.
The second contribution is related to the model-checking approach. [1] employs standard model checking to verify the abstract transition system. In this paper, we leverage BMC: notice that PA naturally yield Boolean encodings that can be relevant for the SAT-based BMC procedure. We focus on time-difference specifications. Since we are working on abstractions, counterexample generated by the BMC procedure needs to be checked for spuriousness (cf. Algorithm 5 and Algorithm 6). Whenever a counterexample is spurious, we refine the abstract transition using the procedure in [2], combined with lazy abstraction [26]. Finally, for the considered time-difference specifications, we show that the CT can be upper-bounded by means of the transient and cyclicity of the concrete MPL system - such bounds are in general tighter than those obtained working on the abstract transition system. As a side result, we provide a few instance of “direct verification”, where the model checking of MPL models can be performed straightforwardly for time-difference specifications.
The paper is organised as follows. Section 2 describes the basics of models, abstraction techniques and temporal logic formulae used in this work. It also contains the notion of time-difference over MPL systems. The contributions of this paper are contained in Sections 3 and 4. The comparison of abstraction procedures is presented in Section 5, with PA implemented in C++ and model checking run over NuSMV [11]. We also compare the completeness threshold w.r.t. transient and cyclicity of MPL systems with those that are computed by NuSMV. The paper is concluded in Section 6.
2 Model and Preliminaries
2.1 Max-Plus Linear Systems
By max-plus semiring we understand an algebraic structure where and The set of matrices over max-plus semiring is denoted as . Two binary operations of a max-plus semiring can be extended to matrices as follows
[TABLE]
where . Given , the max-plus algebraic power of is denoted by and corresponds to ( times).
A Max-Plus Linear (MPL) system is defined as
[TABLE]
where is the system matrix and is the state variables [4]. In particular, for , . In applications, x represents the time stamps of the discrete events, while corresponds to the event counter. Therefore, it is more convenient to take (instead of ) as the state space.
Definition 1 (Precedence Graph [4]).
The precedence graph of , denoted by , is a weighted directed graph with nodes and an edge from to with weight if .
Definition 2 (Regular Matrix [24]).
A matrix is called regular if there is at least one finite element in each row.
Definition 3 (Irreducible Matrix [4]).
A matrix is called irreducible if the corresponding precedence graph is strongly connected.
Recall that a directed graph is strongly connected if for two different nodes of the graph, there exists a path from to [4, 20]. The weight of a path is equal to the total weight of the corresponding edges i.e. . A circuit, namely a path that begins and ends at the same node, is called critical if it has maximum average weight, which is the weight divided by the length of path [4].
Every irreducible matrix admits a unique max-plus eigenvalue , which corresponds to the weight of critical circuit in . Furthermore, by 1 next, satisfies the so-called transient condition:
Proposition 1 (Transient Condition[4]).
For an irreducible matrix and its corresponding max-plus eigenvalue , there exist such that for all . The smallest such and are called the transient and the cyclicity of , respectively.
Example 1.
Consider a MPL system that represents a simple railway network [24]:
[TABLE]
Its max-plus eigenvalue is , whereas the transient and cyclity for the matrix are .
Any given MPL system can be translated into a Piece-Wise Affine (PWA) system [23]. A PWA system comprises of spatial regions with corresponding PWA dynamics. The regions are generated from all possible coefficients , which satisfies for . As shown in [1], the region corresponding to g is
[TABLE]
One could check that for each non-empty and , the MPL system (1) can be rewritten as the following affine dynamics:
[TABLE]
Notice that (4) can be expressed as , where is a region matrix [29] for the coefficient g.
2.2 Time Differences in MPL Systems
We consider delays occurring between events governed by (1). Delays can describe the difference of two events corresponding to the same event counter but at different variable indices (i.e. ), or the difference of two consecutive events for the same index (i.e. ). This paper focuses on the later case although, in general, the results of this paper can be applied to the former case.
We write the time difference for the component as . One can see that
[TABLE]
where is the set containing the indices of finite elements of .111For the sake of simplicity, we write the elements of in a strictly increasing order.
2.3 Transition Systems and Linear Temporal Logic
Definition 4 (Transition System [5]).
A transition system is formulated by a tuple , where
is a set of states,
is a transition relation,
is a set of initial states,
is a set of atomic propositions, and
is a labelling function.
A path of is defined as a sequence of states , where and for all . We denote as the state of . Furthermore, represents the number of transitions in .
Linear temporal logic (LTL) is one of the predominant logics that are used for specifying properties over the set of atomic propositions [5]. LTL formulae are recursively defined as follows.
Definition 5 (Syntax of LTL [5]).
LTL formulae over the set of atomic propositions are constructed according to the following grammar:
[TABLE]
where .
The symbol (next) and (until) are called temporal operators. Two additional operators, (eventually) and (always), are generated via the until operators: . We refer to [5] for the semantics of LTL formulae including the satisfaction relation over transition systems.
2.4 Abstractions and Predicate Abstractions
Abstractions are techniques to generate a finite and smaller model from a large or even infinite-space (i.e., a continuous-space model, e.g., an MPL system) model. Abstractions can reduce the verification of a temporal property over the original model (a concrete model with state space ), to checking a related property on a simpler abstract model (over ) [5]. The mapping from to is called abstraction function.
From a (concrete) transition system and an abstraction function , the (abstract) transition system is generated from as follows: i) , ii) , if , and iii) , for all .
The important relation between and is that the former is simulated by the latter (which is denoted by . In detail, all behaviour on concrete transition system occur on the abstract one. The formal definition of simulation relation can be found in [5, Definition 7.47]. Furthermore, given an LTL formula , implies [5, 13].
Predicate abstractions [22, 17, 13, 19] denote abstraction methods that use a set of predicates to characterise the abstract states. Predicates are identified from the concrete model, and possibly from the specification(s) under consideration. Each predicate corresponds to a Boolean variable and each abstract state corresponds to a Boolean assignment of these Boolean variables [13]. Therefore, we obtain that . An abstract state will be labelled with predicate if the corresponding is true in that state. For this reason, predicates also serve as atomic propositions [13].
The predicates are also used to define an abstraction function between the concrete and abstract state spaces. A concrete state will be related to an abstract state iff the truth value of on equals the value of on . The abstraction function for predicate abstractions is defined as , where if is satisfied in , otherwise .
3 Predicate Abstractions of MPL Systems
3.1 Related Work
The notion of abstractions of an MPL system has been first introduced in [1]: there, it leverages translation of an MPL system into the corresponding PWA system. The resulting abstract states are expressed as Difference-Bound Matrices (DBM). A more efficient procedure for MPL abstractions via max-plus algebraic operations is later discussed in [29].
3.2 Generation of the Predicates
Considering an abstraction via a set of predicates, the first issue is to find appropriate predicates. Recall that related abstraction techniques [1, 29] explore the connection between MPL and PWA systems and use DBMs to represent the abstract states. Similarly, predicates here are chosen such that the dynamics in the resulting abstract states are affine as in (3) and can be expressed as DBMs. Following these considerations, the predicates are defined as an inequality where 222In this paper, we always use as a predicate.. For simplicity, we may write a predicate as a tuple where if , otherwise . The negation of then can be written as .
From the PWA region in (3), can be chosen from the difference of two finite elements of the state matrix at the same row. In detail, if and with and , then we get a predicate .
Algorithm 1 shows a procedure to generate the predicates from an MPL system. For each , is a set of predicates generated from . If there are exactly finite elements at each row of then and in general : indeed, it is possible to get the same predicate from two different rows when for .
As mentioned before, predicates can also be associated to given specifications. In this paper, we focus on time-difference specifications that are generated from a set of time-difference propositions. For , we define a time-difference proposition ‘’ to reason the condition that . We remove the counter event for the sake of simplicity.
One can rewrite (5) as . Therefore, from for we have . The number of predicates corresponding to ‘’ is bounded by . For each we get a predicate . However, in case of , or in other words , is not a predicate. Algorithm 2 shows how to generate the predicates w.r.t. a time-difference proposition.
3.3 Generation of Abstract States
This section starts by describing the procedure to generate abstract states via a set of predicates. We denote as the set of predicates generated by Algorithm 1 and Algorithm 2, i.e. . Let be a set of abstract states defined over Boolean variables , where the truth value of depends on that of . For each Boolean variable , we define the corresponding DBM as follows: and . One can show that .
Algorithm 3 shows the steps to generate the abstract states of an MPL system given a set of predicates . For each , we manipulate DBMs: the complexity of Algorithm 3 depends on emptiness checking of DBM (line 11), which runs in , where is the dimension of the state matrix [1]. Therefore, the worst-case complexity of Algorithm 3 is .
3.4 Generation of Abstract Transitions
Having obtained the abstract states, one needs to generate the abstract transitions, which can be obtained via one-step reachability, as described in [1]. Namely, there is a transition from to if , where . The computation of corresponds to the image of w.r.t. the affine dynamics of which has complexity [29].
However, unlike [29, Algorithm 2], Algorithm 3 does not produce the affine dynamics for each abstract state. For each , we need to find g as in (4). One can generate the affine dynamics for from the value (either true or false) of on . Given a predicate , we call and as the left and right index of (as ) and denoted them by and , respectively.
If is true in , we have , otherwise . Hence, the left index of predicates can be used to determine the affine dynamics. Algorithm 4 provides the procedure to find the affine dynamic associated to .
For each , is computed. Initially, the elements of are in strictly increasing order. Then, for each predicate , we swap the location of and whenever is false on . Suppose is the first element of after swapping. One could show that for all .
3.5 Model Checking MPL Systems over Time-Difference Specifications: Direct Verification
This section discusses the verification of MPL systems over time-difference specifications. First, we define a (concrete) transition system w.r.t. a given MPL system.
Definition 6 (Transition system associated with MPL system).
A transition system for an MPL system in (1) is a tuple where
the set of states is ,
if ,
is a set of initial conditions,
is a set of time-difference propositions,
the labelling function is defined as follows: a state is labeled by ‘’ if , where .
We express the time-difference specifications as LTL formulae over a set of time-difference propositions.333Notice that, in 6 we consider as a set of time-difference propositions. For instance, represents ‘the next time difference for the component is ’ while corresponds to ‘after some finite executions, the time difference for the component is always ’. To check the satisfaction of these specifications, we generate the abstract version of MPL system.
The abstract transition system for an MPL system is generated via predicate abstraction where and is the set of predicates generated by Algorithm 1 and Algorithm 2, respectively. The (abstract) labelling function is defined over predicates : for , iff is true in . We show the relation between predicates in and a time-difference proposition in .
Proposition 2.
Suppose is a set of predicates corresponding to a time-difference proposition ‘’ and an abstract state .
- i.
For . A (concrete) state is labeled by ‘’ iff at least one predicate in is true in .
- ii.
For . A (concrete) state is labeled by ‘’ iff all predicates in are true in .
Proof. We only need to show the proof for and .
- i.
Notice that is equivalent to This inequality is satisfied iff at least one of for is true. It is indeed equivalent to a predicate .
- ii.
Now for we have . This inequality is satisfied iff all inequality are true. Hence, the corresponding predicates are all true.
Example 2.
Suppose we have an MPL system (2) and . We consider two time-difference specifications and and a set of initial conditions . By Algorithm 1 and Algorithm 2, we have and . Thus, where and .
The resulting abstract transition is depicted in Figure 1. All abstract states are initial. The corresponding LTL formulae for the time-difference specifications are and .
It is clear that . Therefore, the underlying MPL system satisfies . However, and we can not conclude whether is false. We will show how to deal with this problem in Section 4.
3.5.1 Direct Verification
In some cases, it is possible to check the satisfaction of time-difference specifications directly, namely without generating the abstraction of the MPL system. We call a time-difference proposition is a contradiction if there is no such that . One the other hand, is a tautology if all satisfy .
Proposition 3.
Given an MPL (1) with .
- i.
For , is a tautology if .
- ii.
For , is a contradiction if .
Proof. One could show that the time difference for the element is never smaller than the corresponding diagonal element. In other words, for all we have . Hence, is indeed a tautology.
- i.
The condition implies is also a tautology.
- ii.
Because is a tautology then its negation is a contradiction. It is clear that in case of , is also a contradiction.
The consequence of 3 is that any time-difference specification defined from a tautology (resp., contradiction) time-difference proposition, is guaranteed to be true (resp., false). For instance, from 2, the specification is satisfied, while is not. As a second instance of direct verification, in the case of irreducible MPL systems, the dissatisfaction of specifications in the form of is related to the eigenvalue of the corresponding MPL matrix.
Proposition 4.
Consider an MPL system characterised by an irreducible matrix and a time-difference specification . Suppose is the max-plus eigenvalue of . The following holds:
- i.
For , if then is false.
- ii.
For , if then is false.
Proof.
- i.
We proof by contradiction. Let assume is true. Thus, there is an such that On the other hand, by 1, there exists such that for all . For all we have
[TABLE]
One could find that the LHS is equal to . Hence, we have which contradicts . From the fact that is false, it is clear that the strict version of the formula is also false.
- ii.
Similar proof of part (i).
4 Bounded Model Checking of MPL Systems
In this section, we implement bounded model checking (BMC) algorithm to check the satisfaction of time-difference specifications over MPL system. The basic idea of BMC is to find a bounded counterexample of a given length . If no such counterexample is found, then one increases by one until a pre-known completeness threshold is reached, or until the problem becomes intractable. The readers are referred to [8, 9, 7] for a more detailed description of BMC.
We use NuSMV 2.6.0 [11] via command check_ltlspec_bmc_onepb to apply BMC. It performs non-incremental BMC to find a counterexample with length . If no such bug is present then the command is reapplied for length , otherwise we apply spurious checking (cf. Section 4.1). In case of non-spurious witness, one can conclude that the time-difference specification is false. Otherwise, we refine the transition system (cf. Section 4.2) such that the counterexample is removed and then reapply BMC command for length . This procedure is repeated until we reach a completeness threshold (cf. Section 4.3).
4.1 Checking Spuriousness of Counterexamples
There are two types of -length bounded abstract counterexamples in BMC: either no-loop or lasso-shaped paths. The former one can be used to express the violation of invariant properties . A lasso-shaped path is such that there exists where [8, 9]. Although it is finite, it can represent an infinite path where for . It can be used to represent the counterexample of LTL formulae with eventuality, such as and .
From now, we write a lasso-shaped path as , where and . To avoid ambiguity, we consider that the length of a lasso-shaped path is equal to .444Notice a loop-back transition from to in . Furthermore, any no-loop path cannot be expressed as a lasso-shaped one. That is, if is a no-loop path then the states in are all different.
The spuriousness of no-loop paths can be checked via forward-reachability analysis. In detail, is not spurious iff the sequence of DBMs where and for , are not empty. Simply put, there exists such that for . Algorithm 5 summarises the procedure of spuriousness checking for no-loop paths.
The spuriousness checking for lasso-shaped paths is computed via Algorithm 6. We use periodicity checking to deal with the infinite suffix . In lines 14-22, we check the spuriousness of where is repeated times. If it is not spurious then we check the periodicity of the DBM (line 25). We can conclude that is not spurious if the periodicity is found. In case of an irreducible MPL system, by 1, the periodicity is no greater than its cyclicity. On the other hand, after 1000 iterations, if the periodicity cannot be found then the algorithm is stopped with an ‘undecided’ result.
One can see that the spuriousness checking for no-loop paths (Algorithm 5) is guaranteed to be complete. However, this is not the case for Algorithm 6. In the case of irreducible MPL systems, it is complete due to the fact that the periodicity is related to 1. However for reducible MPL systems, it is incomplete as it may provide undecided results.
1 relates the spuriousness of an abstract path, either no-loop or lasso-shaped path, with the value of transient and cyclicity of an irreducible matrix.
Lemma 1.
Consider an irreducible with transient and cyclicity and the resulting abstract transition system . Suppose that is a path over . Then,
- i.
If is a no-loop path with , then it is spurious.
- ii.
If with , then it is spurious.
Proof.
- i.
Let assume is not spurious. Thus, there exists such that for . By 1, we have which implies . One could show that and belong to the same DBM.555Given a non-empty DBM and , if then so is . Consequently and then . This contradicts the fact that the states in must be all different.
- ii.
Likewise, we assume where and is not spurious. Consequently, there exists such that for . Again by 1, we have for . This implies, for , . Thus can be rewritten as . Therefore, the maximum length for and is and , respectively. This contradicts .
4.2 Refinement Procedure
Provided that the counterexample is spurious, one needs to refine the abstract transition. Instead of adding new predicates as in CEGAR [12], we are inspired by the refinement procedure described in [2, Sec. 3.3]: for each abstract state with more than one outgoing transitions, it partitions according to its successors.
Our approach for the refinement procedure is slightly different. We refine the abstract transition based on a spurious counterexample using the concept of lazy abstraction [26]. This starts by finding a pivot state, namely a state in which the spuriousness starts. Then, it splits the pivot state using the procedure in [2].
Notice that, from Algorithm 5, the pivot state can be found from the number of DBMs we have in . One could find that is a pivot state. On the other hand, from Algorithm 6, a pivot state is where , if (the spuriousness is found in ), otherwise .
With regards to the refined abstract transitions, the labels and affine dynamics for the new abstract states are equal to those of the pivot state. Furthermore, the outgoing (resp. ingoing) transitions from (resp. to) new abstract states are determined similarly using one-step reachability.
Example 3.
We use abstract transition in Figure 1 with specification . The NuSMV model checker reports a counterexample of length 2: . By Algorithm 6, it is spurious and the pivot state is . The resulting post-refinement abstract transition is depicted in Figure 2.
4.3 Upper-Bound on the Completeness Threshold
Given a transition system and a specification , a completeness threshold is a bound such that, if no counterexample of with length or less can be found in , then is satisfied by [8, 9].
We recall from above that for specific formulae, the completeness threshold is related to the structure of the underlying transition system. For instance, the CT for safety properties of the form is equal to the diameter of transition system: the length of longest shortest distance between two states [7]. Likewise, the CT for liveness specifications in the form of is given by the recurrent diameter (the length of loop-free path) [14]. Computing the completeness threshold for general LTL formulae is still an open problem [14].
We show that the CT for (abstract) transition system that generated from an irreducible MPL system is related to the transient and cyclicity of the corresponding matrix.
Lemma 2.
Consider an irreducible with transient and cyclicity and the resulting abstract transition system . The CT for and for any LTL formula over is bounded by .
Proof. By 1, any counterexample of with length greater than (if any) is guaranteed to be spurious.
2 ensures that the CT is not greater than the sum of the transient and cyclicity of the MPL systems. Looking back to the transition system in Figure 1, the completeness threshold for is 2. In comparison, the transient and cyclicity of matrix in (2) are .
By 2, one could say that the BMC algorithm for irreducible MPL systems is complete for any LTL formula. However, this is not the case for reducible MPL systems, due to the incompleteness of Algorithm 6.
5 Computational Benchmarks
We compare the run-time of the predicate abstractions in this paper with related abstraction procedures in [29], which use max-plus algebraic operations (“tropical abstractions”) and are enhanced versions of the earlier work in [1]. For increasing , we generate matrices with two finite elements in each row, each with values ranging between 1 and 10. Location and value of the finite elements are chosen randomly. The computational benchmark has been implemented on an Intel(R) Xeon(R) CPU E5-1660 v3, 16 cores, 3.0GHz each, and 16GB of RAM.
We run the experiments for both procedures using C++. Over 10 independents experiments for each dimension, Table 1 shows the running time to generate (specification-free) abstractions of MPL systems, where entry represents the average and maximal values. We do not compare the running time for the generation of abstract transitions because both methods apply the same algorithm.
As we can see in Table 1, for large dimensions (beyond 8), the average running time of predicate abstractions is faster than that of tropical abstractions. We recall that the (specification-free) predicate abstractions of MPL systems are computed by Algorithm 1, Algorithm 2, and Algorithm 4. Whereas for tropical abstractions, they are computed by [29, Algorithm 2].
We also provide a comparison over values of CT. NuSMV is able to compute CT via an incremental BMC command . For each bound , in addition to counterexample searching, it generates a SAT (i.e. boolean satisfiability) problem to verify whether the LTL formula can be concluded to hold. This method of computation of completeness check can be found in [25, 28].
Table 2 shows the comparison of the CT values specified by 2 and those computed by NuSMV. For dimension of , we generate 20 random irreducible matrices with two finite elements in each row. We use the same time-difference specification for all experiments.
The column of Table 2 represents the number of experiments whose the specification is satisfied. The last three columns describe the comparison of CT. We use and to respectively denote the CT that computed by NuSMV and 2. As we can see, the CT upper bounds specified by 2 are relatively smaller than those computed by NuSMV.
6 Conclusions
This paper has introduced a new technique to generate the abstractions of MPL systems via a set of predicates. The predicates are chosen automatically from system matrix and the time-difference specifications under consideration. Having obtained the abstract states and transition, this paper has implemented bounded model checking to check the satisfaction of time-difference specifications.
The abstraction performance has been tested on a numerical benchmark, which has displayed an improvement over existing procedures. The comparison for completeness thresholds suggests that the cyclicity and transient of MPL systems can be used as an upper bound. Yet, this bound is relatively smaller than the CT bounds computed by NuSMV.
Acknowledgements
The first author is supported by Indonesia Endowment Fund for Education (LPDP), while the third acknowledges the support of the Alan Turing Institute, London, UK.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Adzkiya, D., De Schutter, B., Abate, A.: Finite abstractions of max-plus-linear systems. IEEE Transactions on Automatic Control 58 (12), 3039–3053 (2013). https://doi.org/10.1109/TAC.2013.2273299
- 2[2] Adzkiya, D., Zhang, Y., Abate, A.: Veri Si MPL 2: An open-source software for the verification of max-plus-linear systems. Discrete Event Dynamic Systems 26 (1), 109–145 (2016). https://doi.org/10.1007/s 10626-015-0218-x
- 3[3] Alur, R., Dang, T., Ivančić, F.: Progress on reachability analysis of hybrid systems using predicate abstraction. In: Proc. International Workshop on Hybrid Systems: Computation and Control. pp. 4–19. Springer (2003). https://doi.org/10.1007/3-540-36580-X_4
- 4[4] Baccelli, F., Cohen, G., Olsder, G.J., Quadrat, J.P.: Synchronization and Linearity: An Algebra for Discrete Event Systems. John Wiley & Sons Ltd (1992)
- 5[5] Baier, C., Katoen, J.P.: Principles of model checking. MIT Press (2008)
- 6[6] Ball, T., Majumdar, R., Millstein, T., Rajamani, S.K.: Automatic predicate abstraction of C programs. In: In Proc. Programming Language Design and Implementation 2001 (PLDI’01). vol. 36, pp. 203–213. ACM (2001). https://doi.org/10.1145/381694.378846
- 7[7] Biere, A., Cimatti, A., Clarke, E., Zhu, Y.: Symbolic model checking without BD Ds. In: International Conference on Tools and Algorithms for the Construction and Analysis of Systems. pp. 193–207. Springer (1999). https://doi.org/10.1007/3-540-49059-0_14
- 8[8] Biere, A., Cimatti, A., Clarke, E.M., Strichman, O., Zhu, Y., et al.: Bounded model checking. Advances in Computers 58 (11), 117–148 (2003)
