Difference bound matrix

In model checking, a field of computer science, a difference bound matrix (DBM) is a data structure used to represent some convex polytopes called zones. This structure can be used to efficiently implement some geometrical operations over zones, such as testing emptyness, inclusion, equality, and computing the intersection and the sum of two zones. It is, for example, used in the Uppaal model checker; where it is also distributed as an independent library.^[1]

More precisely, there is a notion of canonical DBM; there is a one-to-one relation between canonical DBMs and zones and from each DBM a canonical equivalent DBM can be efficiently computed. Thus, equality of zone can be tested by checking for equality of canonical DBMs.

Zone edit

A difference bound matrix is used to represents some kind of convex polytopes. Those polytopes are called zone. They are now defined. Formally, a zone is defined by equations of the form $x\leq c$ , $x\geq c$ , $x_{1}\leq x_{2}+c$ and $x_{1}\geq x_{2}+c$ , with $x_{1}$ and $x_{2}$ some variables, and $c$ a constant.

Zones have originally be called region,^[2] but nowadays this name usually denote region, a special kind of zone. Intuitively, a region can be considered as a minimal non-empty zones, in which the constants used in constraint are bounded.

Given $n$ variables, there are exactly $n(n+1)$ different non-redundant constraints possible, $n$ constraints which use a single variable and an upper bound, $n$ constraints which uses a single variable and a lower bound, and for each of the $n^{2}$ ordered pairs of variable $(x,y)$ , an upper bound on $x-y$ . However, an arbitrary convex polytope in $\mathbb {R} ^{n}$ may require an arbitrarily great number of constraints. Even when $n=2$ , there can be an arbitrary great number of non-redundant constraints $(x<iy+c_{i})_{i\in \mathbb {N} }$ , for $c_{i}$ some constants. This is the reason why DBMs can not be extended from zones to convex polytopes.

Example edit

As stated in the introduction, we consider a zone defined by a set of statements of the form $x_{1}\leq c$ , $x_{1}\geq c$ , $x_{1}\leq x_{2}+c$ and $x_{1}\geq x_{2}+c$ , with $x_{1}$ and $x_{2}$ some variables, and $c$ a constant. However some of those constraints are either contradictory or redundant. We now give such examples.

the constraints $x_{1}\leq 3$ and $x_{1}\geq 4$ are contradictory. Hence, when two such constraints are found, the zone defined is empty.

Figure in ${\textstyle \mathbb {R} ^{2}}$ showing ${\textstyle x_{1}\leq 3}$ , ${\textstyle x_{1}\geq 4}$ which are disjoint
the constraints $x_{1}\leq 3$ and $x_{1}\leq 4$ are redundant. The second constraint being implied by the first one. Hence, when two such constraints are found in the definition of the zone, the second constraint may be removed.

Figure in ${\textstyle \mathbb {R} ^{2}}$ showing ${\textstyle x_{1}\leq 3}$ and ${\textstyle x_{1}\leq 4}$ which contains the first figure

We also give example showing how to generate new constraints from existing constraints. For each pair of clocks $x_{1}$ and $x_{2}$ , the DBM has a constraint of the form $x_{1}\prec x_{2}+c$ , where $\prec$ is either < or ≤. If no such constraint can be found, the constraint $x_{1}\prec x_{2}+\infty$ can be added to the zone definition without loss of generality. But in some case, a more precise constraint can be found. Such an example is now going to be given.

the constraints $x_{1}\leq 3$ , $x_{2}\geq -3$ implies that $x_{1}\leq x_{2}+6$ . Thus, assuming that no other constraint such as $x_{1}\leq x_{2}+5$ or $x_{1}<x_{2}+6$ belongs to the definition, the constraint $x_{1}\leq x_{2}+6$ is added to the zone definition.

Figure in ${\textstyle \mathbb {R} ^{2}}$ showing ${\textstyle x_{1}\leq 3}$ , ${\textstyle x_{2}\geq -3}$ and their intersections
the constraints $x_{2}\leq 3$ , $x_{1}\leq x_{2}+3$ implies that $x_{1}\leq 6$ . Thus, assuming that no other constraint such as $x_{1}\leq 5$ or $x_{1}<6$ belongs to the definition, the constraint $x_{1}\leq 6$ is added to the zone definition.

Figure in ${\textstyle \mathbb {R} ^{2}}$ showing ${\textstyle x_{1}\leq 3}$ , ${\textstyle x_{1}\leq x_{2}+3}$ and their intersections
the constraints $x_{1}\leq x_{2}+3$ , $x_{2}\leq x_{3}+3$ implies that $x_{1}\leq x_{3}+6$ . Thus, assuming that no other constraint such as $x_{1}\leq x_{3}+5$ or $x_{1}<x_{3}+6$ belongs to the definition, the constraint $x_{1}\leq x_{3}+6$ is added to the zone definition.

Actually, the two first cases above are particular cases of the third cases. Indeed, $x_{1}\leq 3$ and $x_{2}\geq -3$ can be rewritten as $x_{1}\leq 0+3$ and $0\leq x_{2}+3$ respectively. And thus, the constraint $x_{1}\leq x_{2}+6$ added in the first example is similar to the constraint added in the third example.

Definition edit

We now fix a monoid $(M,0,+)$ which is a subset of the real line. This monoid is traditionally the set of integers, rationals, reals, or their subset of non-negative numbers.

Constraints edit

In order to define the data structure difference bound matrix, it is first required to give a data structure to encode atomic constraints. Furthermore, we introduce an algebra for atomic constraints. This algebra is similar to the tropical semiring, with two modifications:

An arbitrary ordered monoid may be used instead of $\mathbb {R}$ .
In order to distinguish between " $<m$ " and " $\leq m$ ", the set of elements of the algebra must contain information stating whether the order is strict or not.

Definition of constraints edit

The set of satisfiable constraints is defined as the set of pairs of the form:

$(\leq ,m)$ , with $m\in M$ , which represents a constraint of the form $\leq m$ ,
$(<,m)$ , with $m\in M$ , where $m$ is not a minimal element of $M$ , which represents a constraint of the form $<m$ ,
$(<,\infty )$ , which represents the absence of constraint.

The set of constraint contains all satisfiable constraints and contains also the following unsatisfiable constraint:

$(<,-\infty )$ .

The subset $\{q\in \mathbb {Q} \mid q\leq {\sqrt {2}}\}$ can not be defined using this kind of constraints. More generally, some convex polytopes can not be defined when the ordered monoid does not have the least-upper-bound property, even if each of the constraints in its definition uses at most two variables.

Operation on constraints edit

In order to generate a single constraint from a pair of constraints applied to the same (pair of) variable, we formalize the notion of intersection of constraints and of order over constraints. Similarly, in order to define a new constraints from existing constraints, a notion of sum of constraint must also be defined.

Order on constraints edit

We now define an order relation over constraints. This order symbolize the inclusion relation.

First, the set $\{<,\leq \}$ is considered as an ordered set, with < being inferior to ≤. Intuitively, this order is chosen because the set defined by $x<c$ is strictly included in the set defined by $x\leq c$ . We then state that the constraint $(\prec _{1},m_{1})$ is smaller than $(\prec _{2},m_{2})$ if either $m_{1}<m_{2}$ or ( $m_{1}=m_{2}$ and $\prec _{1}$ is less than $\prec _{2}$ ). That is, the order on constraints is the lexicographical order applied from right to left. Note that this order is a total order. If $M$ has the least-upper-bound property (or greatest-lower-bound property) then the set of constraints also have it.

Intersection of constraints edit

The intersection of two constraints, denoted as $(\prec _{1},m_{1})\sqcap (\prec _{2},m_{2})$ , is then simply defined as the minimum of those two constraints. If $M$ has the greatest-lower bound property then the intersection of an infinite number of constraints is also defined.

Sum of constraints edit

Given two variables $x_{1}$ and $x_{2}$ to which are applied constraints $(\prec _{1},m_{1})$ and $(\prec _{2},m_{2})$ , we now explain how to generate the constraint satisfied by $x_{1}+x_{2}$ . This constraint is called the sum of the two above-mentioned constraint, is denoted as $(\prec _{1},m_{1})+(\prec _{2},m_{2})$ and is defined as $(\min(\prec _{1},\prec _{2}),m_{1}+m_{2})$ .

Constraints as an algebra edit

Here is a list of algebraic properties satisfied by the set of constraints.

Both operations are associative and commutative,
Sum is distributive over intersection, that is, for any three constraints, $((\prec _{1},m_{1})\sqcap (\prec _{2},m_{2}))+(\prec _{3},m_{3})$ equals $((\prec _{1},m_{1})+(\prec _{3},m_{3}))\sqcap ((\prec _{2},m_{2})+(\prec _{3},m_{3}))$ ,
The intersection operation is idempotent,
The constraint $(<,\infty )$ is an identity for the intersection operation,
The constraint $(\leq ,0)$ is an identity for the sum operation,

Furthermore, the following algebraic properties holds over satisfiable constraints:

The constraint $(<,\infty )$ is a zero for the sum operation,
It follows that the set of satisfiable constraints is an idempotent semiring, with $(<,\infty )$ as zero and $(\leq ,0)$ as unity.
If 0 is the minimum element of $M$ , then $(\leq ,0)$ is a zero for the intersection constraints over satisfiable constraints.

Over non-satisfiable constraints both operations have the same zero, which is $(<,-\infty )$ . Thus, the set of constraints does not even form a semiring, because the identity of the intersection is distinct from the zero of the sum.

DBMs edit

Given a set of $n$ variables, $x_{1},\dots ,x_{n}$ , a DBM is a matrix with column and rows indexed by $0,x_{1},\dots ,x_{n}$ and the entries are constraints. Intuitively, for a column $C$ and a row $R$ , the value $m$ at position $(C,R)$ represents $C\prec R+m$ . Thus, the zone defined by a matrix $D((\prec _{C,R},m_{C,R}))_{C,R\in \{0,x_{1},\dots ,x_{n}}\}$ , denoted by ${\mathcal {R}}(D)$ , is $\{(x_{1},\dots ,x_{n})\in \mathbb {R} \mid \bigwedge _{C,R\in \{0,x_{1},\dots ,x_{n}\}}C\prec _{C,R}R+m_{C,R}\}$ .

Note that $C\prec R+m$ is equivalent to $C-R\prec m$ , thus the entry $(\prec ,m)$ is still essentially an upper bound. Note however that, since we consider a monoid $M$ , for some values of $C$ and $R$ the real $C-R$ does not actually belong to the monoid.

Before introducing the definition of a canonical DBM, we need to define and discuss an order relation on those matrices.

Order on those matrices edit

A matrix $D$ is considered to be smaller than a matrix $D'$ if each of its entries are smaller. Note that this order is not total. Given two DBMs $D$ and $D'$ , if $D$ is smaller than or equal to $D'$ , then ${\mathcal {R}}(D)\subseteq {\mathcal {R}}(D')$ .

The greatest-lower-bound of two matrices $D$ and $D'$ , denoted by $D\sqcap D'$ , has as its $(a,b)$ entry the value $(\prec _{a,b},m_{a,b})\sqcap (\prec '_{a,b},m'_{a,b})$ . Note that since $\sqcap$ is the «sum» operation of the semiring of constraints, the operation $\sqcap$ is the «sum» of two DBMs where the set of DBMs is considered as a module.

Similarly to the case of constraints, considered in section "Operation on constraints" above, the greatest-lower-bound of an infinite number of matrices is correctly defined as soon as $M$ satisfies the greatest-lower-bound property.

The intersection of matrices/zones is defined. The union operation is not defined, and indeed, a union of zone is not a zone in general.

For an arbitrary set ${\mathcal {D}}$ of matrices which all defines the same zone $Z$ , $\sqcap _{D\in {\mathcal {D}}}D$ also defines $Z$ . It thus follow that, as long as $M$ has the greatest-lower-bound property, each zone which is defined by at least a matrix has a unique minimal matrix defining it. This matrix is called the canonical DBM of $Z$ .

First definition of canonical DBM edit

We restate the definition of a canonical difference bound matrix. It is a DBM such that no smaller matrix defines the same set. It is explained below how to check whether a matrix is a DBM, and otherwise how to compute a DBM from an arbitrary matrix such that both matrices represents the same set. But first, we give some examples.

Examples of matrices edit

We first consider the case where there is a single clock $x_{1}$ .

The real line edit

We first give the canonical DBM for $\mathbb {R}$ . We then introduce another DBM which encode the set $\mathbb {R}$ . This allow to find constraints which must be satisfied by any DBM.

The canonical DBM of the set of real is $\left({\begin{array}{ll}(\leq ,0)&(<,\infty )\\(<,\infty )&(\leq ,0)\end{array}}\right)$ . It represents the constraints $0\leq 0+0$ , $x_{1}\leq 0+\infty$ , $0\leq x_{1}+\infty$ and $0\leq 0+0$ . All of those constraints are satisfied independently of the value assigned to $x_{1}$ . In the remaining of the discussion, we will not explicitly describe constraints due to entries of the form $(<,\infty )$ , since those constraints are systematically satisfied.

The DBM $\left({\begin{array}{ll}(<,\infty )&(<,\infty )\\(<,\infty )&(<,\infty )\end{array}}\right)$ also encodes the set of real. It contains the constraints $0<0+\infty$ and $x_{1}<x_{1}+\infty$ which are satisfied independently on the value of $x_{1}$ . This show that in a canonical DBM $D$ , a diagonal entry is never greater than $(\leq ,0)$ , because the matrix obtained from $D$ by replacing the diagonal entry by $(\leq ,0)$ defines the same set and is smaller than $D$ .

The empty set edit

We now consider many matrices which all encodes the empty set. We first give the canonical DBM for the empty set. We then explain why each of the DBM encodes the empty set. This allow to find constraints which must be satisfied by any DBM.

The canonical DBM of the empty set, over one variable, is $\left({\begin{array}{ll}(<,-\infty )&(<,-\infty )\\(<,-\infty )&(<,-\infty )\end{array}}\right)$ . Indeed, it represents the set satisfying the constraint $0<0-\infty$ , $0<x_{1}-\infty$ , $x_{1}<0-\infty$ and $x_{1}<x_{1}-\infty$ . Those constraints are unsatisfiable.

The DBM $\left({\begin{array}{ll}(<,\infty )&(<,-\infty )\\(<,\infty )&(<,\infty )\end{array}}\right)$ also encodes the empty set. Indeed, it contains the constraint $x_{1}<0-\infty$ which is unsatisfiable. More generally, this show that no entry can be $(<,-\infty )$ unless all entries are $(<,-\infty )$ .

The DBM $\left({\begin{array}{ll}(<,\infty )&(<,\infty )\\(<,\infty )&(<,-1)\end{array}}\right)$ also encodes the empty set. Indeed, it contains the constraint $x_{1}<x_{1}-1$ which is unsatisfiable. More generally, this show that the entry in the diagonal line can not be smaller than $(\leq ,0)$ unless it is $(<,-\infty )$ .

The DBM $\left({\begin{array}{ll}(<,\infty )&(<,1)\\(\leq ,-1)&(<,\infty )\end{array}}\right)$ also encodes the empty set. Indeed, it contains the constraints $0<x_{1}+1$ and $x_{1}\leq -1$ which are contradictory. More generally, this show that, for each $C,R\in \{0,x_{1},\dots ,x_{n}\}$ , if $m_{C,R}=-m_{R,C}$ , then $\prec _{R,C}$ and $\prec _{C,R}$ are both equal to ≤.

The DBM $\left({\begin{array}{ll}(<,\infty )&(\leq ,1)\\(\leq ,-2)&(<,\infty )\end{array}}\right)$ also encodes the empty set. Indeed, it contains the constraints $0\leq x_{1}+1$ and $x_{1}\leq -2$ which are contradictory. More generally, this show that for each $C,R\in \{0,x_{1},\dots ,x_{n}\}$ , $-m_{C,R}\leq m_{R,C}$ , unless $m_{C,R}$ is $-\infty$ .

Strict constraints edit

The examples given in this section are similar to the examples given in the Example section above. This time, they are given as DBM.

The DBM $\left({\begin{array}{lll}(\leq ,0)&(<,\infty )&(<,\infty )\\(<,\infty )&(\leq ,0)&(\leq ,3)\\(\leq ,3)&(<,\infty )&(\leq ,0)\end{array}}\right)$ represents the set satisfying the constraints $x_{2}\leq 3$ and $x_{1}\leq x_{2}+3$ . As mentioned in the Example section, both of those constraints implies that $x_{1}\leq 6$ . It means that the DBM $\left({\begin{array}{lll}(\leq ,0)&(\leq ,6)&(<,\infty )\\(<,\infty )&(\leq ,0)&(\leq ,3)\\(\leq ,3)&(<,\infty )&(\leq ,0)\end{array}}\right)$ encodes the same zone. Actually, it is the DBM of this zone. This shows that in any DBM $((\prec _{C,R},m_{C,R}))_{c,r\in \{0,x_{1},\dots ,x_{n}\}}$ , for each $1\leq i,j\leq n$ , the constraint $(\prec _{x_{i},0},m_{x_{i},0})$ is smaller than the constraint $(\prec _{x_{j},0},m_{x_{j},0})+(\prec _{x_{i},x_{j}},m_{x_{i},x_{j}})$ .

As explained in the Example section, the constant 0 can be considered as any variable, which leads to the more general rule: in any DBM $((\prec _{C,R},m_{C,R}))_{c,r\in \{0,x_{1},\dots ,x_{n}\}}$ , for each $a,b,c\in \{0,x_{1},\dots ,x_{n}\}$ , the constraint $(\prec _{a,b},m_{a,b})$ is smaller than the constraint $(\prec _{c,b},m_{c,b})+(\prec _{a,c},m_{a,c})$ .

Three definition of canonical DBM edit

As explained in the introduction of the section Difference Bound Matrix, a canonical DBM is a DBM whose rows and columns are indexed by $(0,x_{1},\dots ,x_{n})$ , whose entries are constraints. Furthermore, it follows one of the following equivalent properties.

there are no smaller DBM defining the same zone,
for each $a,b,c\in \{0,x_{1},\dots ,x_{n}\}$ , the constraint $(\prec _{a,b},m_{a,b})$ is smaller than the constraint $(\prec _{c,b},m_{c,b})+(\prec _{a,c},m_{a,c})$
given the directed graph $G$ with edges $\{0,x_{1},\dots ,x_{n}\}$ and arrows $(a,b)$ labelled by $(\prec _{a,b},m_{a,b})$ , the shortest path from any edge $a$ to any edge $b$ is the arrow $(a,b)$ . This graph is called the potential graph of the DBM.

The last definition can be directly used to compute the canonical DBM associated to a DBM. It suffices to apply the Floyd–Warshall algorithm to the graph and associates to each entry $(a,b)$ the shortest path from $a$ to $b$ in the graph. If this algorithm detects a cycle of negative length, this means that the constraints are not satisfiable, and thus that the zone is empty.

Operations on zones edit

As stated in the introduction, the main interest of DBMs is that they allow to easily and efficiently implements operations on zones.

We first recall operations which were considered above:

testing for the inclusion of a zone $Z_{1}$ in a zone $Z_{2}$ is done by testing whether the canonical DBM of $Z_{1}$ is smaller than or equal to the DBM of $Z_{2}$ ,
A DBM for the intersection of a set of zones is the greatest-lower-bound of the DBM of those zones,
testing for zone emptiness consists in checking whether the canonical DBM of the zone consists only of $(<,-\infty )$ ,
testing whether a zone is the entire space consists in checking whether the DBM of the zone consists only of $(<,\infty )$ .

We now describe operations which were not considered above. The first operations described below have clear geometrical meaning. The last ones become corresponds to operations which are more natural for clock valuations.

Sum of zones edit

The Minkowski sum of two zones, defined by two DBMs $D$ and $D'$ , is defined by the DBM $D+D'$ whose $(a,b)$ entry is $D_{a,b}+D'_{a,b}$ . Note that since $+$ is the «product» operation of the semiring of constraints, the operation $+$ over DBMs is not actually an operation of the module of DBM.

In particular, it follows that, in order to translate a zone $Z$ by a direction $v$ , it suffices to add the DBM of $\{v\}$ to the DBM of $Z$ .

Projection of a component to a fixed value edit

Let $d\in M$ a constant.

Given a vector ${\vec {x}}=(x_{1},\dots ,x_{n})$ , and an index $1\leq i\leq n$ , the projection of the $i$ -th component of ${\vec {x}}$ to $d$ is the vector $(x_{1},\dots ,x_{i-1},d,x_{i+1},\dots ,x_{n})$ . In the language of clock, for $d=0$ , this corresponds to resetting the $i$ -th clock.

Projecting the $i$ -th component of a zone $Z$ to $d$ consists simply in the set of vectors of $Z$ with their $i$ -th component to $d$ . This is implemented on DBM by setting the components $(x_{i},a)$ to $(\leq ,d)+D(0,a)$ and the components $(a,x_{i})$ to $(\leq ,-d)+D(0,a)$

Future and past of a zone edit

Let us call the future the zone $F=\{(t,\dots ,t)\mid t\in \mathbb {R} _{\geq 0}\}$ and the past the zone $P=\{(-t,\dots ,-t)\mid t\in \mathbb {R} _{\geq 0}\}$ . Given a point ${\vec {x}}=(x_{1},\dots ,x_{n})\in \mathbb {R} ^{n}$ , the future of ${\vec {x}}$ is defined as $\{(x_{1}+t,\dots ,x_{n}+t)\mid t\in \mathbb {R} _{\geq 0}\}=F+\{{\vec {x}}\}$ , and the past of ${\vec {x}}$ is defined as $P+\{{\vec {x}}\}$ .

The names future and past comes from the notion of clock. If a set of $n$ clocks are assigned to the values $x_{1}$ , $x_{2}$ , etc. then in their future, the set of assignment they'll have is the future of ${\vec {x}}$ .

Given a zone $Z$ , the future of $Z$ are the union of the future of each points of the zone. The definition of the past of a zone is similar. The future of a zone can thus be defined as $F+Z$ , and hence can easily be implemented as a sum of DBMs. However, there is even a simpler algorithm to apply to DBM. It suffices to change every entries $(x_{i},0)$ to $(<,\infty )$ . Similarly, the past of a zone can be computed by setting every entries $(0,x_{i})$ to $(<,\infty )$ .

References edit

^ "UPPAAL DBM Library". GitHub. 16 July 2021.
^ Dill, David L (1990). "Timing assumptions and verification of finite-state concurrent systems". Automatic Verification Methods for Finite State Systems. Lecture Notes in Computer Science. Vol. 407. pp. 197–212. doi:10.1007/3-540-52148-8_17. ISBN 978-3-540-52148-8.

Difference Bound Matrices Lecture #20 of Advanced Model Checking Joost-Pieter Katoen
Péron, Mathias; Halbwachs, Nicolas (2008). "An Abstract Domain Extending Difference-Bound Matrices with Disequality Constraints" (PDF). Verification, Model Checking, and Abstract Interpretation. Lecture Notes in Computer Science. Vol. 4349. pp. 268–282. doi:10.1007/978-3-540-69738-1_20. ISBN 978-3-540-69735-0.

[1] "UPPAAL DBM Library". GitHub. 16 July 2021.

[Dill-2] Dill, David L (1990). "Timing assumptions and verification of finite-state concurrent systems". Automatic Verification Methods for Finite State Systems. Lecture Notes in Computer Science. Vol. 407. pp. 197–212. doi:10.1007/3-540-52148-8_17. ISBN 978-3-540-52148-8.

[1]

[2]