Design of a Distributed Reachability Algorithm for Analysis of Linear
  Hybrid Automata by Jha, Sumit Kumar
ar
X
iv
:0
71
0.
37
64
v1
  [
cs
.L
O]
  1
9 O
ct 
20
07
Design of a Distributed Reachability Algorithm
for Analysis of Linear Hybrid Automata
Sumit Kumar Jha
Computer Science Department, Carnegie Mellon University, Pittsburgh PA 15213
Abstract. This paper presents the design of a novel distributed algo-
rithm d-IRA for the reachability analysis of linear hybrid automata. Re-
cent work on iterative relaxation abstraction (IRA) is leveraged to dis-
tribute the computational problem among multiple computational nodes
in a non-redundant manner by performing careful infeasibility analysis of
linear programs corresponding to spurious counterexamples. The d-IRA
algorithm is resistant to failure of multiple computational nodes. The ex-
perimental results provide promising evidence for the possible successful
application of this technique.
1 Introduction
The verification of hybrid systems is a computationally expensive proce-
dure and often does not succeed except for systems with a few continu-
ous variables. Linear hybrid automata are an important class of hybrid
systems which can approximate nonlinear hybrid systems in an asymp-
totically complete fashion [2]. We extend earlier work [3] on applying
counterexample guided abstraction refinement (CEGAR) algorithms to
the analysis of linear hybrid automata and present a distributed algo-
rithm for their reachability analysis.
We believe that a distributed analysis engine for hybrid automata will
be an important achievement in the area of analyzing hybrid systems.
There are two important developments that motivate our research in this
direction:
– While the computational power on a single core processor had tradi-
tionally been growing exponentially, recent trends cite [intel, amd]
by microprocessor manufacturers have clearly indicated that this
exponential growth is no longer feasible. This requires that compu-
tational systems adapt to the hardware systems that are going to be
available in the future. While efficient compiler and hardware tech-
niques were successful at finding parallelism in programs running on
a single core processor, the advent of multiple processors on a single
chip puts the burden of finding parallelism more on the designer of
the algorithm and the architect of the software system. In particular,
software systems and the algorithms they implement must explicitly
provide opportunities for multiple cores to be in use simultaneously.
– Borrowing techniques from the domain of linear programming and
ideas from the realm of practically applied software verification, we
have recently proposed an iterative relaxation abstraction technique
which exploits the structure of a linear hybrid automata while try-
ing to solve its reachability analysis problem. The IRA algorithm
is based on solving several smaller sub-problems one after another
instead of solving the original problem at once. Further reflection
shows that several subproblems being constructed can be built and
solved in a distributed manner, with a relatively small amount of
book keeping and further algorithmic analysis.
This paper makes several novel contributions to the development of prac-
tical algorithms for the analysis of linear hybrid automata:
1. We present the first distributed algorithm for the analysis of linear
hybrid automata. Our algorithm is tolerant of multiple failures in the
distributed computational nodes.
2. We present new theoretical results establishing a partial-order among
counterexamples and relaxations of linear hybrid automata. Using these
results, we find several counterexamples not related by the partial order
and build relaxations to refute each of them in a distributed manner.
3. We show that the distributed system has a small global state which
needs to be preserved in case of failure of the distributed system; we also
identify the potential to backup this global state without slowing down
the distributed computation.
2 Related Work
The reachability analysis algorithms for linear hybrid automata have
been studied in [2]. . These algorithms continue to be the driving horse
for PHAVer [1], IRA [3] and our current techniques too. We have built
upon these core algorithms and did not intend to replace them.
Our current work is inspired by our development and analysis of several
LHA examples using the IRA algorithm, which is now re-implemented
within PHAVer. The IRA algorithm is essentially a CEGAR based tech-
nique for analyzing Linear Hybrid Automata (LHA). IRA introduces
the idea of constructing multiple relaxations of an LHA and proves the
reachability property over the original LHA using these relaxations. Each
relaxation of the LHA is an over-approximate abstraction for the LHA
but the relaxed LHA often involves relatively fewer number of contin-
uous variables and is, hence, more amenable to analysis. First, IRA [3]
constructs a relaxation Hi of the LHA H . It then queries the underlying
LHA reachability engine like PHAVer [1] and builds an over-approximate
discrete abstraction ( a regular language FSM ) Ai for the relaxed hybrid
automata Hi. If the language of the over-approximate discrete abstrac-
tion contains no counterexamples, the bad state is not reachable in the
original LHA either and the algorithm terminates. Otherwise, IRA picks
up a counterexample from the discrete abstraction and constructs a linear
program to check for its validity in the high dimensional original linear
hybrid automata. If the linear program is satisfiable, the counterexam-
ple is valid [4] and hence, the IRA algorithm reports that the bad sate is
reachable and stops. Otherwise the linear program is infeasible, a small
subset of variables is identified using infeasibility analysis and a new re-
laxed hybrid automata Hi+1 is constructed using these variables. This
standard algorithm is discussed in [3].
Our experience with the development and analysis of examples using our
tool IRA showed that several expensive computations performed by the
IRA reachability engine can be performed independently in a distributed
manner.
3 The Distributed Algorithm (d-IRA)
In this paper, we present a distributed version of the IRA algorithm. The
flow of the algorithm is sketched in Fig. 1. The distributed algorithm
assumes one master computation node and (N-1) other computational
(slave) nodes. Initially, the master node initialises a counter i to zero,
chooses the empty set as an initial set of variables I0 and learns the
deterministic finite automata corresponding to Σ∗ as the initial discrete
over-approximate global abstraction of the language of the LHA H .
1. During the ith iteration, the jth computational node constructs its own
relaxation Hji of the linear hybrid automata H using the set of variables
I
j
i . It should be noted that the process of constructing relaxations may
also be computationally very intensive and may involve invoking the
Fourier-Motzkin elimination routine.
2. Each computational node then constructs a discrete abstraction Tempj
corresponding to the relaxed linear hybrid automata Hji . This step in-
volves making calls to the underlying reachability engine like PHAVer [1].
Both the above steps are identical to the corresponding steps in the IRA
algorithm [3] and are not discussed here for brevity.
3. Each computational node sends the discrete abstraction Tempj which
it learned from the relaxed linear hybrid automata Hji to the master com-
putational node. This is the only step at which there is communication
from the slave nodes to the master node during the d-IRA algorithm.
4. The master node updates the discrete global abstraction Ai+1CE by taking
the intersection of the previous discrete global abstraction AiCE with all
the newly learned discrete abstractions Tempj.
5. Then, the master picks a set CE of N non-redundant counterexam-
ples from the newly built discrete global abstraction Ai+1CE . This is an
algorithmically interesting step and is detailed in Section 4.
6. The master node checks if the set of counterexamples CE is empty.
If Ai+1CE has no counterexamples, then no bad states are reachable in the
system [3] and hence, it is declared to be safe.
7. The master computational node forms a set of linear programs C,
where each linear program corresponds to one of the counterexamples
in CEi+1. This step is similar to the corresponding step in the IRA
algorithm [3] and is discussed in depth in [4].
8. The master node checks if any of the linear programs in C is feasible.
In any of them, say C, is feasible, we stop and report that the bad state
.  
Temp0 := LˆCE{H
0
i
} ∩ (Σ∗ − ce0
i
)
CEi+1 := Select CE(A
i+1
CE
)
Bad states NOT reachable
i := 0
A0
CE
:= Σ∗
I0 := φ, ce0 := ǫ
H0
i
⊒
I0
i
H H1
i
⊒
I1
i
H H
N−1
i
⊒
I
N−1
i
H HN
i
⊒
IN
i
H
TempN := LˆCE{H
N
i
} ∩ (Σ∗ − ceN
i
)
A
i+1
CE
:= Ai
CE
∩
TN
j=0 Temp
j
YES
YES
Is CEi+1 = φ ?
C:= LP(H,CEi+1)
NO
Is any C ∈ C feasible ?
Bad state is reachable.
Report Counterexample C
7
8
NO
3
S := Small IIS (C)
Ii+1 := SV support (S)
For each j, I
j
i+1
in Ii+1[j]
i := i + 1
1 1
2
2
11
9
10
6
5
4
Fig. 1. The d-IRA procedure: Distributed Iterative Relaxation Abstraction.
Note that the expensive calls to the underlying hybrid automata reachability
engine occurs in parallel.
is reachable [4]. We also report the counterexample corresponding to the
linear program C.
9. If none of the linear program are feasible, the master node finds the
irreducible infeasible subsets for each of the linear programs.
10. The master node uses the basis of the IIS as the choice for the next
set of variables Ii+1 which will be used to construct the relaxations. The
master node communicates the set Iji+1 to the j
th client. This is the only
step in the d-IRA algorithm during which the master sends messages to
the client nodes.
10. The master then increment the counter i and goes back to the dis-
tributed computation at Step 2.
4 A Partial Order for Counterexamples and
Relaxations
In order to make the distributed computation effective, it is essential that
the various computational nodes do not solve equivalent reachability sub-
problems. In particular, we want to make sure that the relaxed linear
hybrid automata for the ith iteration Hji and H
k
i are different
1. We
achieve this goal by making a suitable choice of counterexamples from
the global abstraction Ai+1CE . Before we present our algorithmic methods,
we define some related notions. Our definitions of linear hybrid automata,
relaxations and counterexamples are identical to those in literature [2,3]
and we do not repeat them here for sake of brevity. Given a path ρ in
a linear hybrid automata H , we can derive a set of corresponding linear
constraints Constraints(H,ρ) which is feasible if and only if the path is
feasible. This construction[4,3] is omitted here.
Definition 1. Minimal Explanation for Infeasible Counterexamples :
Given a counterexample path ρ which is infeasible in a linear hybrid au-
tomata H but feasible in a relaxation H ′ of H, (i.e. H ′ ⊑ H), a set of
linear constraints IIS(ρ) is said to be an IIS for ρ if and only if:
– IIS(ρ) ⊆ Constraints(H,ρ)
– IIS(ρ) is not feasible.
– for any set S s.t. S ⊂ IIS(ρ), S is feasible.
The special basis V ar of the IIS of ρ is called a minimal explanation for
the infeasible counterexample and we write it as V ar(ρ, IIS(ρ)).
In the following, we assume that there exists a function IIS which maps
each counterexample to a unique IIS.
Definition 2. Dominance of Counterexamples : A counterexample ce is
said to dominate a counterexample ce′ if and only if V ar(ce,IIS(ce)) ⊆
V ar(ce′, IIS(ce′)). We write cece′.
We now define the notion of equivalent counterexamples and show that
dominance relation among counterexamples forms a partial order.
1 We note that the property of IRA that no two relaxations across the iterations are
identical still holds and with the same proof
Definition 3. Two counterexamples ce and ce′ are said to be equivalent
if and only if V ar(ce, IIS(ce)) = V ar(ce′, IIS(ce′)). Then, we say ce ≈
ce′.
Theorem 1. The dominance relation  among counterexamples is a
partial order relation.
Proof. We prove that  is reflexive, antisymmetric and transitive:
Reflexivity : For every counterexample, V ar(ce, IIS(ce))⊆ V ar(ce,IIS(ce));
hence, ce  ce.
Antisymmetry : Suppose ce  ce′ and ce′  ce. Then, V ar(ce,IIS(ce))
⊆ V ar(ce′, IIS(ce′)), and also, V ar(ce′, IIS(ce′)) ⊆ V ar(ce,IIS(ce)).
Thus, V ar(ce,IIS(ce)) = V ar(ce′, IIS(ce′)).Hence, ce ≈ ce′.
Transitivity : Suppose ce  ce′ and ce′  ce′′, then V ar(ce, IIS(ce)) ⊆
V ar(ce′, IIS(ce′)) and V ar(ce′, IIS(ce′)) ⊆ V ar(ce′′, IIS(ce′′)). Thus,
V ar(ce, IIS(ce)) ⊆ V ar(ce′′, IIS(ce′′)). Hence, ce  ce′′.
Theorem 2. The relaxations {Hi} of H form a partial order.
Proof. We prove that the relaxation relation ⊑ among Hi is a partial
order. Reflexivity : For every relaxed hybrid automata, Hi ⊑ Hi. Anti-
symmetry : SupposeHi ⊑ Hj and Hj ⊑ Hi. Then, Hi = Hj . Transitivity :
Suppose Hi ⊑ Hj and Hj ⊑ Hk, then Hi ⊑ Hk.
Theorem 3. Let Hce be the relaxation of H w.r.t. V ar(ce,IIS(ce)) and
Hce′ be the relaxation of H w.r.t. V ar(ce
′, IIS(ce′)). If the counterex-
ample ce dominates the counterexample ce′ i.e. ce  ce′, then Hce is a
relaxation of Hce′ i.e. Hce ⊑ Hce′ .
Proof. Since ce  ce′, V ar(ce,IIS(ce)) ⊆ V ar(ce′, IIS(ce′)). Thus,
Hce ⊑V ar(ce,IIS(ce))\V ar(ce′,IIS(ce′)) Hce′ ⊑V ar(ce′,IIS(ce′)) H .
The algorithm for selecting N counterexamples is based on the above
results.
Algorithm Select CE
Input: Global Abstraction Automata AiCE, LHA H , a timer TIME-
OUT.
Output: N counterexamples: CE = {ce1, . . . ceN}
1. Initialize CE to be the empty set.
2. Pick a set of m (> N) distinct counterexamples C = {ce1, ce2 . . . cem}
from AiCE.
3. Build a set of linear programs {lp1, lp2 . . . lpm} corresponding to each
of {ce1, ce2 . . . cem}
4. For each (infeasible) linear program lpi, obtain an IIS and remember
it as IIS(lpi)
5. For each counterexample cei ∈ C,
a. Check whether there exists a counterexample cej ∈ C such that
cej  cei (i 6= j).
b. If no such counterexample cej exists, add cei to CE.
c. Remove cei from C.
6. If ( |CE| < N and !TIMEOUT ) , m = m× 2 ; goto step 2.
7. Assert (|CE| ≥ N or TIMEOUT ); RETURN the first N members
of CE as a set.
5 Properties and Extensions of d-IRA
Theorem 4. The d-IRA algorithm is resistant to failures and restarts
of all slave nodes.
Proof. If the ith slave node fails during the jth iteration, then the d-IRA
algorithm can still proceed by making the assumption that L(Tempi) =
Σ∗. When the ith node has recovered, it can continue to participate from
the next iteration.
The resistance to failures of slave computational nodes is possible be-
cause the slave nodes do not store any global state information during
the distributed computation and the overall distributed reachability com-
putation itself does not depend critically on one or more slave nodes. It
is also to be noted that the communication bandwidth is bounded by
the sum of the sizes of the discrete abstractions and the variable sets at
each stage.
Tolerance to Failure of Master Computation Node The d-
IRA algorithm depends critically on the master computational node and
its failure would prematurely end the distributed computation. While
master nodes could be chosen to be very reliable, the algorithm can also
be adapted to handle unreliable master nodes.
It is to be observed that the d-IRA algorithm spends most of its time
performing relaxations and reachability computations during which the
communication infrastructure would remain idle. Further, the current
state of the distributed computation is really captured completely by
the global abstraction AiCE after the i
th iteration. It is hence desirable to
communicate the global abstraction to either a group of shadow masters
or to the slave machines themselves during periods of low communication
activity. In such a scenario, the failure of the master node would only
require that an old copy of the global abstraction AiCE be obtained from
one of the shadow masters or the slave machines. Then, the distributed
computation would restart without wasting the computations already
completed in the first i iterations.
Theorem 5. The modified d−IRA algorithm is resistant to failures and
restarts of the master node.
6 Experimental Results and Conclusion
We implemented a version of our distributed algorithm using the IRA
infrastructure. We ran our experiments on a four processor 64-bit AMD
Opteron(tm) 844 SMP machine running Red Hat Linux version 2.6.19.1-
001-K8. We only implemented a parallel version of the relaxation step
to test the validity of these ideas. We found up to a 3.41-X increase in
performance on our four processor machine with this implementation on
a set of parameterized adaptive cruise control examples [3].
Table 1. Distributed IRA vs IRA
Example ♯-Variables Time for d-IRA [s] Time for IRA [s]
ACC-4 4 11 15
ACC-8 8 100 192
ACC-16 16 1057 3839
ACC-19 19 2438 9752
A case for the architecture of a distributed hybrid systems model checker
has been made in this paper which uses the partial order relation among
multiple counterexamples obtained during the Iterative Relaxation Ab-
straction procedure for the generation of non-redundant distributed sub-
problems.
References
1. G. Frehse. PHAVer: Algorithmic Verification of Hybrid Systems Past
HyTech. In M. Morari and L. Thiele, editors, HSCC, volume 3414 of
Lecture Notes in Computer Science, pages 258–273. Springer, 2005.
2. P-H Ho. Automatic Analysis of Hybrid Systems, Ph.D. thesis, tech-
nical report CSD-TR95-1536, Cornell University, August 1995, 188
pages, 1995.
3. Sumit Kumar Jha, Bruce H. Krogh, James E. Weimer, and Ed-
mund M. Clarke. Reachability for linear hybrid automata using it-
erative relaxation abstraction. In Alberto Bemporad, Antonio Bic-
chi, and Giorgio C. Buttazzo, editors, HSCC, volume 4416 of Lecture
Notes in Computer Science, pages 287–300. Springer, 2007.
4. X. Li, S. K. Jha, and L. Bu. Towards an Efficient Path-Oriented
Tool for Bounded Reachability analysis of Linear Hybrid Systems
using Linear Programming., 2006.
