difference bound matrix

In model checking, a field of computer science, a difference bound matrix (DBM) is a data structure used to represent some convex polytopes called zones. This structure can be used to efficiently implement some geometrical operations over zones, such as testing emptyness, inclusion, equality, and computing the intersection and the sum of two zones. It is, for example, used in the Uppaal model checker; where it is also distributed as an independent library.{{Cite web|url=https://github.com/UPPAALModelChecker/UDBM|title=UPPAAL DBM Library|website=GitHub |date=16 July 2021}}

More precisely, there is a notion of canonical DBM; there is a one-to-one relation between canonical DBMs and zones and from each DBM a canonical equivalent DBM can be efficiently computed. Thus, equality of zone can be tested by checking for equality of canonical DBMs.

Zone

A difference bound matrix is used to represents some kind of convex polytopes. Those polytopes are called zone. They are now defined. Formally, a zone is defined by equations of the form $x\le c$ , $x\ge c$ , $x_1\le x_2+c$ and $x_1\ge x_2+c$ , with $x_1$ and $x_2$ some variables, and $c$ a constant.

Zones have originally be called region,{{cite book |last1=Dill |first1=David L|title=Automatic Verification Methods for Finite State Systems |chapter=Timing assumptions and verification of finite-state concurrent systems |series=Lecture Notes in Computer Science |date=1990|volume=407 |pages=197–212|isbn=978-3-540-52148-8| doi=10.1007/3-540-52148-8_17|doi-access=free}} but nowadays this name usually denote region, a special kind of zone. Intuitively, a region can be considered as a minimal non-empty zones, in which the constants used in constraint are bounded.

Given $n$ variables, there are exactly $n(n+1)$ different non-redundant constraints possible, $n$ constraints which use a single variable and an upper bound, $n$ constraints which uses a single variable and a lower bound, and for each of the $n^2$ ordered pairs of variable $(x,y)$ , an upper bound on $x-y$ . However, an arbitrary convex polytope in $\mathbb R^n$ may require an arbitrarily great number of constraints. Even when $n=2$ , there can be an arbitrary great number of non-redundant constraints $(x, for c_i some constants. This is the reason why DBMs can not be extended from zones to convex polytopes.$

Example

As stated in the introduction, we consider a zone defined by a set of statements of the form $x_1\le c$ , $x_1\ge c$ , $x_1\le x_2+c$ and $x_1\ge x_2+c$ , with $x_1$ and $x_2$ some variables, and $c$ a constant. However some of those constraints are either contradictory or redundant. We now give such examples.

the constraints $x_1\le3$ and $x_1\ge4$ are contradictory. Hence, when two such constraints are found, the zone defined is empty. File:X incompatible.png
the constraints $x_1\le3$ and $x_1\le 4$ are redundant. The second constraint being implied by the first one. Hence, when two such constraints are found in the definition of the zone, the second constraint may be removed. File:Showing x 1 less than 3 and 4.png

We also give example showing how to generate new constraints from existing constraints. For each pair of clocks $x_1$ and $x_2$ , the DBM has a constraint of the form $x_1\prec x_2+c$ , where $\prec$ is either < or ≤. If no such constraint can be found, the constraint $x_1\prec x_2+\infty$ can be added to the zone definition without loss of generality. But in some case, a more precise constraint can be found. Such an example is now going to be given.

the constraints $x_1\le 3$ , $x_2\ge-3$ implies that $x_1\le x_2+6$ . Thus, assuming that no other constraint such as $x_1\le x_2+5$ or $x_1 belongs to the definition, the constraint x_1\le x_2+6 is added to the zone definition. File:X(3 y)-3.png$
the constraints $x_2\le 3$ , $x_1\le x_2+3$ implies that $x_1\le 6$ . Thus, assuming that no other constraint such as $x_1\le 5$ or $x_1<6$ belongs to the definition, the constraint $x_1\le 6$ is added to the zone definition. File:X less than 3, x less than y+3.png
the constraints $x_1\le x_2+3$ , $x_2\le x_3+3$ implies that $x_1\le x_3+6$ . Thus, assuming that no other constraint such as $x_1\le x_3+5$ or $x_1< x_3+6$ belongs to the definition, the constraint $x_1\le x_3+6$ is added to the zone definition.

Actually, the two first cases above are particular cases of the third cases. Indeed, $x_1\le3$ and $x_2\ge-3$ can be rewritten as $x_1\le 0+3$ and $0\le x_2+3$ respectively. And thus, the constraint $x_1\le x_2+6$ added in the first example is similar to the constraint added in the third example.

Definition

We now fix a monoid $(M,0,+)$ which is a subset of the real line. This monoid is traditionally the set of integers, rationals, reals, or their subset of non-negative numbers.

= Constraints =

In order to define the data structure difference bound matrix, it is first required to give a data structure to encode atomic constraints. Furthermore, we introduce an algebra for atomic constraints. This algebra is similar to the tropical semiring, with two modifications:

An arbitrary ordered monoid may be used instead of $\mathbb{R}$ .
In order to distinguish between " $< m$ " and " $\le m$ ", the set of elements of the algebra must contain information stating whether the order is strict or not.

== Definition of constraints ==

The set of satisfiable constraints is defined as the set of pairs of the form:

$(\le,m)$ , with $m\in M$ , which represents a constraint of the form $\le m$ ,
$(<,m)$ , with $m\in M$ , where $m$ is not a minimal element of $M$ , which represents a constraint of the form $< m$ ,
$(<,\infty)$ , which represents the absence of constraint.

The set of constraint contains all satisfiable constraints and contains also the following unsatisfiable constraint:

$(<,-\infty)$ .

The subset $\{q\in\mathbb Q\mid q\le\sqrt2\}$ can not be defined using this kind of constraints. More generally, some convex polytopes can not be defined when the ordered monoid does not have the least-upper-bound property, even if each of the constraints in its definition uses at most two variables.

== Operation on constraints ==

In order to generate a single constraint from a pair of constraints applied to the same (pair of) variable, we formalize the notion of intersection of constraints and of order over constraints. Similarly, in order to define a new constraints from existing constraints, a notion of sum of constraint must also be defined.

=== Order on constraints ===

We now define an order relation over constraints. This order symbolize the inclusion relation.

First, the set $\{<,\le\}$ is considered as an ordered set, with < being inferior to ≤. Intuitively, this order is chosen because the set defined by $x< c$ is strictly included in the set defined by $x\le c$ . We then state that the constraint $(\prec_1,m_1)$ is smaller than $(\prec_2,m_2)$ if either $m_1< m_2$ or ( $m_1=m_2$ and $\prec_1$ is less than $\prec_2$ ). That is, the order on constraints is the lexicographical order applied from right to left. Note that this order is a total order. If $M$ has the least-upper-bound property (or greatest-lower-bound property) then the set of constraints also have it.

=== Intersection of constraints ===

The intersection of two constraints, denoted as $(\prec_1,m_1)\sqcap(\prec_2,m_2)$ , is then simply defined as the minimum of those two constraints. If $M$ has the greatest-lower bound property then the intersection of an infinite number of constraints is also defined.

=== Sum of constraints ===

Given two variables $x_1$ and $x_2$ to which are applied constraints $(\prec_1,m_1)$ and $(\prec_2,m_2)$ , we now explain how to generate the constraint satisfied by $x_1+x_2$ . This constraint is called the sum of the two above-mentioned constraint, is denoted as $(\prec_1,m_1)+(\prec_2,m_2)$ and is defined as $(\min(\prec_1,\prec_2),m_1+m_2)$ .

== Constraints as an algebra ==

Here is a list of algebraic properties satisfied by the set of constraints.

Both operations are associative and commutative,
Sum is distributive over intersection, that is, for any three constraints, $((\prec_1,m_1)\sqcap(\prec_2,m_2))+(\prec_3,m_3)$ equals $((\prec_1,m_1)+(\prec_3,m_3))\sqcap((\prec_2,m_2)+(\prec_3,m_3))$ ,
The intersection operation is idempotent,
The constraint $(<,\infty)$ is an identity for the intersection operation,
The constraint $(\le,0)$ is an identity for the sum operation,

Furthermore, the following algebraic properties holds over satisfiable constraints:

The constraint $(<,\infty)$ is a zero for the sum operation,
It follows that the set of satisfiable constraints is an idempotent semiring, with $(<,\infty)$ as zero and $(\le,0)$ as unity.
If 0 is the minimum element of $M$ , then $(\le,0)$ is a zero for the intersection constraints over satisfiable constraints.

Over non-satisfiable constraints both operations have the same zero, which is $(<,-\infty)$ . Thus, the set of constraints does not even form a semiring, because the identity of the intersection is distinct from the zero of the sum.

=== DBMs ===

Given a set of $n$ variables, $x_1,\dots,x_n$ , a DBM is a matrix with column and rows indexed by $0,x_1,\dots,x_n$ and the entries are constraints. Intuitively, for a column $C$ and a row $R$ , the value $m$ at position $(C,R)$ represents $C\prec R+m$ . Thus, the zone defined by a matrix $D((\prec_{C,R},m_{C,R}))_{C,R\in\{0,x_1,\dots,x_n}\}$ , denoted by $\mathcal R(D)$ , is $\{(x_1,\dots,x_n)\in\mathbb R\mid \bigwedge_{C,R\in\{0,x_1,\dots,x_n\}}C\prec_{C,R}R+m_{C,R}\}$ .

Note that $C\prec R+m$ is equivalent to $C-R\prec m$ , thus the entry $(\prec,m)$ is still essentially an upper bound. Note however that, since we consider a monoid $M$ , for some values of $C$ and $R$ the real $C-R$ does not actually belong to the monoid.

Before introducing the definition of a canonical DBM, we need to define and discuss an order relation on those matrices.

== Order on those matrices ==

A matrix $D$ is considered to be smaller than a matrix $D'$ if each of its entries are smaller. Note that this order is not total. Given two DBMs $D$ and $D'$ , if $D$ is smaller than or equal to $D'$ , then $\mathcal R(D)\subseteq\mathcal R(D')$ .

The greatest-lower-bound of two matrices $D$ and $D'$ , denoted by $D\sqcap D'$ , has as its $(a,b)$ entry the value $(\prec_{a,b},m_{a,b})\sqcap(\prec'_{a,b},m'_{a,b})$ . Note that since $\sqcap$ is the «sum» operation of the semiring of constraints, the operation $\sqcap$ is the «sum» of two DBMs where the set of DBMs is considered as a module.

Similarly to the case of constraints, considered in section "Operation on constraints" above, the greatest-lower-bound of an infinite number of matrices is correctly defined as soon as $M$ satisfies the greatest-lower-bound property.

The intersection of matrices/zones is defined. The union operation is not defined, and indeed, a union of zone is not a zone in general.

For an arbitrary set $\mathcal D$ of matrices which all defines the same zone $Z$ , $\sqcap_{D\in\mathcal D}D$ also defines $Z$ . It thus follow that, as long as $M$ has the greatest-lower-bound property, each zone which is defined by at least a matrix has a unique minimal matrix defining it. This matrix is called the canonical DBM of $Z$ .

== First definition of canonical DBM ==

We restate the definition of a canonical difference bound matrix. It is a DBM such that no smaller matrix defines the same set. It is explained below how to check whether a matrix is a DBM, and otherwise how to compute a DBM from an arbitrary matrix such that both matrices represents the same set. But first, we give some examples.

== Examples of matrices ==

We first consider the case where there is a single clock $x_1$ .

=== The real line ===

We first give the canonical DBM for $\mathbb R$ . We then introduce another DBM which encode the set $\mathbb R$ . This allow to find constraints which must be satisfied by any DBM.

The canonical DBM of the set of real is $\left(\begin{array}{ll}(\le,0)&(<,\infty)\\(<,\infty)&(\le,0)\end{array}\right)$ . It represents the constraints $0\le 0+0$ , $x_1\le 0+\infty$ , $0\le x_1+\infty$ and $0\le0+0$ . All of those constraints are satisfied independently of the value assigned to $x_1$ . In the remaining of the discussion, we will not explicitly describe constraints due to entries of the form $(<,\infty)$ , since those constraints are systematically satisfied.

The DBM $\left(\begin{array}{ll}(<,\infty)&(<,\infty)\\(<,\infty)&(<,\infty)\end{array}\right)$ also encodes the set of real. It contains the constraints $0<0+\infty$ and $x_1< x_1+\infty$ which are satisfied independently on the value of $x_1$ . This show that in a canonical DBM $D$ , a diagonal entry is never greater than $(\le,0)$ , because the matrix obtained from $D$ by replacing the diagonal entry by $(\le,0)$ defines the same set and is smaller than $D$ .

=== The empty set ===

We now consider many matrices which all encodes the empty set. We first give the canonical DBM for the empty set. We then explain why each of the DBM encodes the empty set. This allow to find constraints which must be satisfied by any DBM.

The canonical DBM of the empty set, over one variable, is $\left(\begin{array}{ll}(<,-\infty)&(<,-\infty)\\(<,-\infty)&(<,-\infty)\end{array}\right)$ . Indeed, it represents the set satisfying the constraint $0<0-\infty$ , $0< x_1-\infty$ , $x_1< 0-\infty$ and $x_1< x_1-\infty$ . Those constraints are unsatisfiable.

The DBM $\left(\begin{array}{ll}(<,\infty)&(<,-\infty)\\(<,\infty)&(<,\infty)\end{array}\right)$ also encodes the empty set. Indeed, it contains the constraint $x_1< 0-\infty$ which is unsatisfiable. More generally, this show that no entry can be $(<,-\infty)$ unless all entries are $(<,-\infty)$ .

The DBM $\left(\begin{array}{ll}(<,\infty)&(<,\infty)\\(<,\infty)&(<,-1)\end{array}\right)$ also encodes the empty set. Indeed, it contains the constraint $x_1< x_1-1$ which is unsatisfiable. More generally, this show that the entry in the diagonal line can not be smaller than $(\le,0)$ unless it is $(<,-\infty)$ .

The DBM $\left(\begin{array}{ll}(<,\infty)&(<,1)\\(\le,-1)&(<,\infty)\end{array}\right)$ also encodes the empty set. Indeed, it contains the constraints $0< x_1+1$ and $x_1\le -1$ which are contradictory. More generally, this show that, for each $C,R\in\{0,x_1,\dots,x_n\}$ , if $m_{C,R}=-m_{R,C}$ , then $\prec_{R,C}$ and $\prec_{C,R}$ are both equal to ≤.

The DBM $\left(\begin{array}{ll}(<,\infty)&(\le,1)\\(\le,-2)&(<,\infty)\end{array}\right)$ also encodes the empty set. Indeed, it contains the constraints $0\le x_1+1$ and $x_1\le -2$ which are contradictory. More generally, this show that for each $C,R\in\{0,x_1,\dots,x_n\}$ , $-m_{C,R}\le m_{R,C}$ , unless $m_{C,R}$ is $-\infty$ .

=== Strict constraints ===

The examples given in this section are similar to the examples given in the Example section above. This time, they are given as DBM.

The DBM $\left(\begin{array}{lll}(\le,0)&(<,\infty)&(<,\infty)\\(<,\infty)&(\le,0)&(\le,3)\\(\le,3)&(<,\infty)&(\le,0)\end{array}\right)$ represents the set satisfying the constraints $x_2\le 3$ and $x_1\le x_2+3$ . As mentioned in the Example section, both of those constraints implies that $x_1\le 6$ . It means that the DBM $\left(\begin{array}{lll}(\le,0)&(\le,6)&(<,\infty)\\(<,\infty)&(\le,0)&(\le,3)\\(\le,3)&(<,\infty)&(\le,0)\end{array}\right)$ encodes the same zone. Actually, it is the DBM of this zone. This shows that in any DBM $((\prec_{C,R},m_{C,R}))_{c,r\in\{0,x_1,\dots,x_n\}}$ , for each $1\le i,j\le n$ , the constraint $(\prec_{x_i,0},m_{x_i,0})$ is smaller than the constraint $(\prec_{x_j,0},m_{x_j,0})+(\prec_{x_i,x_j},m_{x_i,x_j})$ .

As explained in the Example section, the constant 0 can be considered as any variable, which leads to the more general rule: in any DBM $((\prec_{C,R},m_{C,R}))_{c,r\in\{0,x_1,\dots,x_n\}}$ , for each $a,b,c\in\{0,x_1,\dots,x_n\}$ , the constraint $(\prec_{a,b},m_{a,b})$ is smaller than the constraint $(\prec_{c,b},m_{c,b})+(\prec_{a,c},m_{a,c})$ .

= Three definition of canonical DBM =

As explained in the introduction of the section Difference Bound Matrix, a canonical DBM is a DBM whose rows and columns are indexed by $(0,x_1,\dots,x_n)$ , whose entries are constraints. Furthermore, it follows one of the following equivalent properties.

there are no smaller DBM defining the same zone,
for each $a,b,c\in\{0,x_1,\dots,x_n\}$ , the constraint $(\prec_{a,b},m_{a,b})$ is smaller than the constraint $(\prec_{c,b},m_{c,b})+(\prec_{a,c},m_{a,c})$
given the directed graph $G$ with edges $\{0,x_1,\dots,x_n\}$ and arrows $(a,b)$ labelled by $(\prec_{a,b},m_{a,b})$ , the shortest path from any edge $a$ to any edge $b$ is the arrow $(a,b)$ . This graph is called the potential graph of the DBM.

The last definition can be directly used to compute the canonical DBM associated to a DBM. It suffices to apply the Floyd–Warshall algorithm to the graph and associates to each entry $(a,b)$ the shortest path from $a$ to $b$ in the graph. If this algorithm detects a cycle of negative length, this means that the constraints are not satisfiable, and thus that the zone is empty.

Operations on zones

As stated in the introduction, the main interest of DBMs is that they allow to easily and efficiently implements operations on zones.

We first recall operations which were considered above:

testing for the inclusion of a zone $Z_1$ in a zone $Z_2$ is done by testing whether the canonical DBM of $Z_1$ is smaller than or equal to the DBM of $Z_2$ ,
A DBM for the intersection of a set of zones is the greatest-lower-bound of the DBM of those zones,
testing for zone emptiness consists in checking whether the canonical DBM of the zone consists only of $(<,-\infty)$ ,
testing whether a zone is the entire space consists in checking whether the DBM of the zone consists only of $(<,\infty)$ .

We now describe operations which were not considered above. The first operations described below have clear geometrical meaning. The last ones become corresponds to operations which are more natural for clock valuations.

= Sum of zones =

The Minkowski sum of two zones, defined by two DBMs $D$ and $D'$ , is defined by the DBM $D+D'$ whose $(a,b)$ entry is $D_{a,b}+D'_{a,b}$ . Note that since $+$ is the «product» operation of the semiring of constraints, the operation $+$ over DBMs is not actually an operation of the module of DBM.

In particular, it follows that, in order to translate a zone $Z$ by a direction $v$ , it suffices to add the DBM of $\{v\}$ to the DBM of $Z$ .

= Projection of a component to a fixed value =

Let $d\in M$ a constant.

Given a vector $\vec x=(x_1,\dots,x_n)$ , and an index $1\le i\le n$ , the projection of the $i$ -th component of $\vec x$ to $d$ is the vector $(x_1,\dots,x_{i-1},d,x_{i+1},\dots,x_n)$ . In the language of clock, for $d=0$ , this corresponds to resetting the $i$ -th clock.

Projecting the $i$ -th component of a zone $Z$ to $d$ consists simply in the set of vectors of $Z$ with their $i$ -th component to $d$ . This is implemented on DBM by setting the components $(x_{i},a)$ to $(\le,d)+D(0,a)$ and the components $(a,x_{i})$ to $(\le,-d)+D(0,a)$

= Future and past of a zone =

Let us call the future the zone $F=\{(t,\dots,t)\mid t\in\mathbb R_{\ge0}\}$ and the past the zone $P=\{(-t,\dots,-t)\mid t\in\mathbb R_{\ge0}\}$ . Given a point $\vec x=(x_1,\dots,x_n)\in\mathbb R^n$ , the future of $\vec x$ is defined as $\{(x_1+t,\dots,x_n+t)\mid t\in\mathbb R_{\ge0}\}=F+\{\vec x\}$ , and the past of $\vec x$ is defined as $P+\{\vec x\}$ .

The names future and past comes from the notion of clock. If a set of $n$ clocks are assigned to the values $x_1$ , $x_2$ , etc. then in their future, the set of assignment they'll have is the future of $\vec x$ .

Given a zone $Z$ , the future of $Z$ are the union of the future of each points of the zone. The definition of the past of a zone is similar. The future of a zone can thus be defined as $F+Z$ , and hence can easily be implemented as a sum of DBMs. However, there is even a simpler algorithm to apply to DBM. It suffices to change every entries $(x_i,0)$ to $(<,\infty)$ . Similarly, the past of a zone can be computed by setting every entries $(0,x_i)$ to $(<,\infty)$ .

References

[https://moves.rwth-aachen.de/wp-content/uploads/WS1617/amc/amc16_lec20_reduced.pdf Difference Bound Matrices Lecture #20 of Advanced Model Checking Joost-Pieter Katoen]
{{cite book |last1=Péron |first1=Mathias|last2=Halbwachs|first2=Nicolas|title=Verification, Model Checking, and Abstract Interpretation |chapter=An Abstract Domain Extending Difference-Bound Matrices with Disequality Constraints |series=Lecture Notes in Computer Science |date=2008|volume=4349 |pages=268–282|isbn=978-3-540-69735-0| doi=10.1007/978-3-540-69738-1_20|chapter-url=http://hal.archives-ouvertes.fr/docs/00/26/24/22/PDF/PeronHalbwachsVMCAI07.pdf|doi-access=free}}

Category:Polytopes

Polytope

Category:Geometric data structures