Formal Modeling and Analysis of Timed Systems, 7th International Conference, FORMATS 2009, Budapest, Hungary, September 14-16, 2009, Proceedings

Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen University of Dortmund, Germany Madhu Sudan Microsoft Research, Cambridge, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany

5813

Joël Ouaknine Frits W. Vaandrager (Eds.)

Formal Modeling and Analysis of Timed Systems 7th International Conference, FORMATS 2009 Budapest, Hungary, September 14-16, 2009 Proceedings

13

Volume Editors Joël Ouaknine Oxford University Computing Laboratory Wolfson Building, Parks Road Oxford OX1 3QD, UK E-mail: [email protected] Frits W. Vaandrager Radboud University Nijmegen Institute for Computing and Information Sciences P.O. Box 9010, 6500 GL, Nijmegen, The Netherlands E-mail: [email protected]

Library of Congress Control Number: 2009934015 CR Subject Classification (1998): D.2.4, D.3.1, F.4.3, D.2, D.3, F.4, I.6 LNCS Sublibrary: SL 1 – Theoretical Computer Science and General Issues ISSN ISBN-10 ISBN-13

0302-9743 3-642-04367-4 Springer Berlin Heidelberg New York 978-3-642-04367-3 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. springer.com © Springer-Verlag Berlin Heidelberg 2009 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper SPIN: 12757145 06/3180 543210

Preface

This volume contains the papers presented at the 7th International Conference on Formal Modelling and Analysis of Timed Systems (FORMATS 2009), held during 14–16 September in Budapest, Hungary. Timing aspects of systems from a variety of computer science domains have been treated independently by different communities. Researchers interested in semantics, verification and performance analysis study models such as timed automata and timed Petri nets, the digital design community focuses on propagation and switching delays, while designers of embedded controllers have to take account of the time taken by controllers to compute their responses after sampling the environment. Timing-related questions in these separate disciplines do have their particularities. However, there is a growing awareness that there are basic problems that are common to all of them. In particular, all these subdisciplines treat systems whose behavior depends on combinations of logical and temporal constraints; namely, constraints on the temporal distances between occurrences of events. The aim of FORMATS is to promote the study of fundamental and practical aspects of timed systems, and to bring together researchers from different disciplines that share interests in the modelling and analysis of timed systems. Typical topics include (but are not limited to): – Foundations and Semantics. Theoretical foundations of timed systems and languages; comparison between different models (timed automata, timed Petri nets, hybrid automata, timed process algebra, max-plus algebra, probabilistic models). – Methods and Tools. Techniques, algorithms, data structures, and software tools for analyzing timed systems and resolving temporal constraints (scheduling, worst-case execution time analysis, optimization, model checking, testing, constraint solving, etc.). – Applications. Adaptation and specialization of timing technology in application domains in which timing plays an important role (real-time software, hardware circuits, and problems of scheduling in manufacturing and telecommunication). As was the case last year, FORMATS was co-located with the International Conference on Quantitative Evaluation of SysTems (QEST), and the two conferences shared invited speakers and some social events. Whereas FORMATS focuses on fundamental and practical aspects of timed systems, QEST focuses on evaluation and verification of computer systems and networks, through stochastic models and measurements. In the design of computing-based systems one often has to deal with both timing and stochastic features. Theoretically the combination of these aspects is challenging and we are happy to see three papers in this volume that tackle this issue. We wish to thank the QEST organizers, in

VI

Preface

particular Mikl´ os Telek, Michael Huth and David Nicol, for the pleasant cooperation. This year FORMATS received 40 full submissions by authors coming from 21 countries. Each submission was reviewed by at least three Programme Committee members. The committee selected 18 submissions for publication and presentation at the conference. In addition, the conference included invited talks by: – Jan Beutel, ETH Zurich, Switzerland Research Challenges in Wireless Sensor Networks – Nikolaj Bjørner, Microsoft Research, USA Tapas: Theory Combinations and Practical Applications ´ – St´ephane Gaubert, INRIA Saclay – ˆIle-de-France and CMAP, Ecole Polytechnique, France Max-plus Algebraic Tools for Discrete Event Systems, Static Analysis, and Zero-Sum Games – George Pappas, University of Pennsylvania, USA Approximations of Discrete, Continuous, and Hybrid Systems We thank the invited speakers for accepting our invitation and for providing extended abstracts of their talks for inclusion in this proceedings volume. We wish to thank the Programme Committee members and the other reviewers for their competent and timely reviews of the submissions. During the selection process and while preparing this volume, we used the EasyChair conference management system, which provided excellent support and allowed us to concentrate fully on the scientific content. Finally, we gratefully acknowledge financial support by the EU IST project Quantitative System Properties in Model-Driven-Design of Embedded Systems (QUASIMODO). July 2009

Jo¨el Ouaknine Frits Vaandrager

Conference Organization

Programme Chairs Jo¨el Ouaknine Frits Vaandrager

Oxford University, UK Radboud University Nijmegen, The Netherlands

Programme Committee Rajeev Alur Franck Cassez Ansgar Fehnker Olivier Finkel Martin Fr¨ anzle Claude Jard Joost-Pieter Katoen Insup Lee Oded Maler Richard Mayr Paritosh Pandya Paul Pettersson Alexander Rabinovich Sanjit Seshia Jiri Srba Stavros Tripakis Walter Vogler Farn Wang

University of Pennsylvania, USA CNRS, France & National ICT Australia, Australia National ICT Australia, Australia CNRS & Universit´e Paris 7, France Carl von Ossietzky Universit¨at Oldenburg, Germany ENS Cachan Bretagne, France RWTH Aachen, Germany University of Pennsylvania, USA Verimag, France University of Edinburgh, UK Tata Institute of Fundamental Research, India M¨alardalen University, Sweden Tel Aviv University, Israel University of California, Berkeley, USA Aalborg University, Denmark Verimag, France University of Augsburg, Germany National Taiwan University, Taiwan

Steering Committee Rajeev Alur Eugene Asarin Flavio Corradini Kim Guldstranf Larsen Oded Maler Walter Vogler Wang Yi

University of Pennsylvania, USA Universit´e Paris 7, France University of Camerino, Italy Aalborg University, Denmark Verimag, France University of Augsburg, Germany Uppsala University, Sweden

VIII

Organization

Local Organization Levente Bodrog

Technical University of Budapest, Hungary

External Reviewers Erika Abraham Henrik Bohnenkamp Timothy Bourke Patricia Bouyer Marius Bozga V´eronique Bruy`ere Lin-Zan Cai Jan Carlson Aida Causevic Jia-Fu Chen Taolue Chen Lorenzo Clemente Alexandre David Aldric Degorre Henning Dierks Catalin Dima Laurent Doyen Deepak D’Souza Bruno Dutertre Goran Frehse Arjan van Gemund Manoj Gopalakrishnan Stefan Haar Tingting Han Christian Herde Hsi-Min Ho Chung-Hao Huang Susmit Jha Line Juhl Jean-Francois Kempf Maneesh Khattri

Daniel Klink Rom Langerak Julien Legriel Wenchao Li Nicolas Markey Marius Mikuˇcionis Dejan Nickovic Gethin Norman Miroslav Pajic Mikkel Larsen Pedersen Linh Thi Xuan Phan Claudine Picaronny Vinayak Prabhu Stefan Ratschan Jean-Francois Raskin Pierre-Alain Reynier Cristina Seceleanu Jens-Wolfhard Schicke Jeremy Sproston Jagadish Suryadevara Mani Swaminathan Tino Teige Anthony To Aneta Vulgarakis Shaohui Wang Anton Wijs James Worrell Hong-Hsin Wu Rong-Hsuan Wu Hsun-Ching Yang Qi Zhu

Table of Contents

Tapas: T heory Combinations and P ractical Applications (Invited Talk) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Nikolaj Bjørner and Leonardo de Moura

1

Max-plus Algebraic Tools for Discrete Event Systems, Static Analysis, and Zero-Sum Games (Invited Talk) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . St´ephane Gaubert

7

Approximations of Discrete, Continuous, and Hybrid Systems (Invited Talk) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . George J. Pappas

12

Volume and Entropy of Regular Timed Languages: Analytic Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Eugene Asarin and Aldric Degorre

13

Synthesis of Non-Interferent Timed Systems . . . . . . . . . . . . . . . . . . . . . . . . Gilles Benattar, Franck Cassez, Didier Lime, and Olivier H. Roux Critical Paths in the Partial Order Unfolding of a Stochastic Petri Net . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Anne Bouillard, Stefan Haar, and Sidney Rosario Speeding Up Model Checking of Timed-Models by Combining Scenario Specialization and Live Component Analysis . . . . . . . . . . . . . . . . . . . . . . . . V´ıctor Braberman, Diego Garbervestky, Nicol´ as Kicillof, Daniel Monteverde, and Alfredo Olivero Efficient On-the-Fly Algorithm for Checking Alternating Timed Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Peter Bulychev, Thomas Chatain, Alexandre David, and Kim G. Larsen Model Checking Logic WCTL with Multi Constrained Modalities on One Clock Priced Timed Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ashish Chiplunkar, Shankara Narayanan Krishna, and Chinmay Jain

28

43

58

73

88

Safe Runtime Verification of Real-Time Properties . . . . . . . . . . . . . . . . . . . Christian Colombo, Gordon J. Pace, and Gerardo Schneider

103

Removing All Silent Transitions from Timed Automata . . . . . . . . . . . . . . . C˘ at˘ alin Dima and Ruggero Lanotte

118

X

Table of Contents

Realizability of Real-Time Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Laurent Doyen, Gilles Geeraerts, Jean-Francois Raskin, and Julien Reichert Revisiting Decidability and Optimum Reachability for Multi-Priced Timed Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Martin Fr¨ anzle and Mani Swaminathan Analyzing Real-Time Event-Driven Programs . . . . . . . . . . . . . . . . . . . . . . . . Pierre Ganty and Rupak Majumdar A Compositional Translation of Timed Automata with Deadlines to Uppaal Timed Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Rodolfo G´ omez

133

149 164

179

Compositional Abstraction for Stochastic Systems . . . . . . . . . . . . . . . . . . Joost-Pieter Katoen, Daniel Klink, and Martin R. Neuh¨ außer

195

Stochastic Games for Verification of Probabilistic Timed Automata . . . . Marta Kwiatkowska, Gethin Norman, and David Parker

212

Checking Timed B¨ uchi Automata Emptiness Using LU-Abstractions . . . Guangyuan Li

228

On the Supports of Recognizable Timed Series . . . . . . . . . . . . . . . . . . . . . . . Karin Quaas

243

Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol Using Event Order Abstraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Shinya Umeno

258

Exploiting Timed Automata for Conformance Testing of Power Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Matthias Woehrle, Kai Lampka, and Lothar Thiele

275

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

291

Tapas: T heory Combinations and Practical Applications Nikolaj Bjørner and Leonardo de Moura Microsoft Research, One Microsoft Way, Redmond, WA, 98074, USA {nbjorner,leonardo}@microsoft.com Abstract. Satisfiability Modulo Theories is about checking the satisfiability of logical formulas over one or more theories. We provide an appetizer of SMT solving, illustrate an application for test-case generation based on dynamic symbolic execution and summarize an array of existing applications, enabling features, challenges and future directions.

1

Introduction

The Satisfiability Modulo Theories (SMT) problem draws on a combination of some of the most fundamental areas in computer science. It combines the problem of Boolean satisfiability with domains, such as, those studied in convex optimization and term-manipulating symbolic systems. It also draws on the most prolific problems in the past century of symbolic logic: the decision problem, completeness and incompleteness of logical theories, and finally complexity theory. The problem of modularly combining special purpose algorithms for each domain is as deep and intriguing as finding new algorithms that work particularly well in the context of a combination. SMT also enjoys a very useful role in software engineering. Modern software, hardware analysis and model-based tools are increasingly complex and multi-faceted software systems. However, at their core is invariably a component using symbolic logic for describing states and transformations between them. SMT solvers are gaining a distinguished role in this context since they offer support for most domains encountered in programs. A well tuned SMT solver that takes into account the state-of-the-art breakthroughs usually scales orders of magnitude beyond custom ad-hoc solvers. The SMT solver Z3 [9], developed at Microsoft Research; is part of changing this landscape. Tools can use the SMT solver with advantage to solve logicrelated problems at a relatively high-level of abstraction while attaining scalability and features that custom solvers would have to duplicate. We give a brief introduction to the theory combination problem by example and summarize one example application, dynamic symbolic execution. We also list nine other applications, enabling factors, research challenges and aspiring directions.

2

Empanadas: SMT Empanadas are large or small turnovers filled with meats and vegetables [1]. Extensible SMT solvers integrate disjoint opaque theory solvers.

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 1–6, 2009. c Springer-Verlag Berlin Heidelberg 2009 

2

N. Bjørner and L. de Moura

We will introduce three theories used in SMT solvers using the following example: b + 2 = c ∧ f (read(write(a, b, 3), c − 2))  = f (c − b + 1). The formula uses the theory of arrays. It was introduced by McCarthy in [15] as part of forming a broader agenda for a calculus of computation. In the theory of arrays, there are two functions read and write. The term read (a, i) produces the value of array a at index i, while the term write(a, i, v) produces an array, which is equal to a except for possibly index i which maps to v. These properties can be summarized using the equations: read (write(a, i, v), i) = v read (write(a, i, v), j) = read (a, j) for i  = j. They state that the result of reading write(a, i, v) at index j is v for i = j. Reading the array at any other index produces the same value as read (a, j). The formula also uses the function f , therefore for all t and s, if t = s, then f (t) = f (s) (congruence rule). In other words, the only assumption about function f is that it always produce the same result when applied to the same arguments. The congruence rule implies that formulas remain equivalent when replacing equal terms. The example formula is unsatisfiable. That is, there is no assignment to the integers b and c and the array a such that the first equality b + 2 = c holds and at the same time the second disequality also is satisfied. One way of establishing the unsatisfiability is by replacing c by b + 2 in the disequality, to obtain the equivalent b + 2 = c ∧ f (read (write(a, b, 3), b + 2 − 2))  = f (b + 2 − b + 1), which after reduction using facts about arithmetic becomes b + 2 = c ∧ f (read (write(a, b, 3), b))  = f (3). The theory of arrays implies that the nested array read/write functions reduce to 3 and the formula becomes: b + 2 = c ∧ f (3)  = f (3). The congruence property of f entails that the disequality is false. As the example indicates, a main challenge in SMT solvers is to efficiently integrate a collection of theory solvers. The solvers cooperate checking satisfiability of formulas that can mix several theories. The integration with these solvers in the context of a formula containing conjunctions, disjunctions, and negation plays an important role for the choice and design of theory solvers. In a backtracking framework, the solvers should be amenable to incremental addition and revocation of constraints. The example also illustrated how equalities derived in the context of one theory were used for other theories, thus the efficient

Tapas: T heory Combinations and P ractical Applications

3

derivation and exchange of derived equalities has also been the subject of longrunning attention.

3

Boquerones: Dynamic Symbolic Execution – An Application White anchovies served in vinegar (boquerones en vinagre) or deep fried. The Program EXploratoin system Pex can be used to fish for bugs.

Dynamic symbolic execution [12] has recently gained attention in the context of test-case generation and smart white-box file fuzzing. It extends static symbolic execution [13] by using concrete execution traces to obtain symbolic constraints. In order to explore a different execution path it suffices modifying one of the extracted symbolic traces by selecting and negating a branch condition. The modified path condition is checked for satisfiability. It is a logical constraint that uses theories typically supported in SMT solvers. A satisfying assignment to the modified path condition is a new input that can be used for steering execution into new paths. To illustrate the basic idea of dynamic symbolic execution i n t GCD( i n t x , i n t y ) { consider the greatest common while ( true ) { divisor program 3.1. It takes the int m = x % y ; inputs x and y and produces i f (m == 0 ) return y ; the greatest common divisor of x = y; x and y. y = m; Program 3.2 represents the } static single assignment unfold} ing corresponding to the case where the loop is exited in the Program 3.1. GCD Program second iteration. The sequence of instructions is equivalently represented as a formula where i n t GCD( i n t x0 , i n t y0 ) { i n t m 0 = x 0 % y0 ; i f ( m0 == 0 ) return y0 ; x 1 = y0 ; y1 = m 0 ; i n t m 1 = x 1 % y1 ; i f ( m1 == 0 ) return y1 ; }

(m0 = x0 % y0 ) ¬(m0 = 0) (x1 = y0 ) (y1 = m0 ) (m1 = x1 % y1 ) (m1 = 0)

Program 3.2. GCD Path Formula

∧ ∧ ∧ ∧ ∧

4

N. Bjørner and L. de Moura

the assignment statements have been turned into equations. The resulting path formula is satisfiable. One satisfying assignment is of the form: x0 = 2, y0 = 4, m0 = 2, x1 = 4, y1 = 2, m1 = 0 Thus, the call GCD(2,4) causes the loop to be entered twice. Dynamic symbolic test-case generation is of course not limited to branch conditions that occur explicitly in the program. It can also be used for creating inputs that cause the program to enter an error state. For instance, it can be used to create inputs that cause remainder to be called with 0. Also, if we add a post-condition to say that the result be non-negative we would discover that this implementation does not satisfy this property. There are today several tools based on dynamic symbolic execution. Some of the earliest such tools include CUTE [17], DART, and Exe [4]. Microsoft has developed several related tools including SAGE, Pex, and Yogi [12], and Vigilante [5]. SAGE, for instance, is used with significant scale and success as part of the security testing efforts for Microsoft parsers for media formats. Pex integrates directly into Microsoft’s Visual Studio development environment. It allows programmers to use parameterized unit testing directly during development. Common to the tools is a reliance on a solver that can represent each program instruction as a, preferably equivalent, logical formula. Thus, the main requirements these tools impose are for a solver to provide (1) a way to encode machine arithmetic, (2) arrays and heaps and (3) generate finite models for driving execution. The frontiers for dynamic symbolic execution include using information from static analysis for pruning the search space of the dynamic execution traces. The purpose it to prune exploration of redundant traces. Another frontier is combining dynamic symbolic execution with model-based techniques: library routines can be replaced by higher-level models, such that the solver can work on highly succinct representations of the actual execution traces that are encountered. For example, string library routines [3], can be modeled at the level of the theory of strings.

4

Chopitos: 9 Other Applications, Enabling Features, Challenges and Directions Battered and fried tiny squid. SMT solvers reach far and wide in program analysis applications.

Dynamic Symbolic Execution is one very good application of Z3, but it is far from the only one. Figure 1 summarizes 10 current applications, 10 main technological enabling factors in Z3, 10 challenging problem areas, and 10 aspiring directions for future applications. The table also contains references to enabling features that are specific to Z3.

Tapas: T heory Combinations and P ractical Applications Applications

Enablers

Challenges

1. Dynamic Symbolic Finite model generation Execution

Infinite model generation

2. Static Program Analysis

Truth maintenance

3. Program Model Checking 4. Extended Static Checking 5. Program Verification 6. Model-based Testing Combinatorial 7. Test-input generation 8. Model-program analysis 9. Model-based Development 10. Quantitative Termination

Succeed/fail fast Cooperating satisfiability and simplification Back-jumping, learning strong lemmas [2] Scaling quantifier instantiation with triggers [6] Using relevancy, avoiding irrelevancy [8] Model-based theory combination [7] A portfolio of decidable, succinct logics [10] [16] Free and absolutely free functions Quantifier reasoning [11] [14][18]

Directions Model-guided Dynamic Symbolic Execution Static Analysis using Symbolic Execution

Proofs and interpolants

Game Programming

Optimal lemma learning

Non-linear constraints for non-linear Systems

Harnessing and understanding triggers Predicting and diagnosing search behavior

5

Real-time systems verification Program synthesis

Harnessing parallelism

Non-convex optimization

a larger portfolio of succinct logics

Models for security and authentication

Free functions in non-disjoint combinations

Biological Systems

Quantifier elimination

Qualitative Termination

Fig. 1. Ten Applications, Enablers, Challenges and Directions

5

Conclusion

We have given an appetizer for the scope of Satisfiability Modulo Theories solvers and we hinted at an example application of SMT solvers. There are several other areas where SMT solvers are applied, especially in program analysis and design tools. The future in terms of both scientific challenges and applications of SMT solvers is pretty bright: Even with a simplistic set of exposed functionality, SMT solvers enable a broad set of applications; and new applications inspire interesting and relevant challenges for efficient theory solvers and their combination.

References 1. Spanish tapas, http://en.wikipedia.org/wiki/Tapas 2. Bjørner, N., Dutertre, B., de Moura, L.: Accelerating DPLL(T) using Joins DPLL(). In: LPAR 2008 (2008)

6

N. Bjørner and L. de Moura

3. Bjørner, N., Tillmann, N., Voronkov, A.: Path feasibility analysis for stringmanipulating programs. In: Kowalewski, S., Philippou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 307–321. Springer, Heidelberg (2009) 4. Cadar, C., Ganesh, V., Pawlowski, P.M., Dill, D.L., Engler, D.R.: Exe: automatically generating inputs of death. In: CCS, pp. 322–335. ACM Press, New York (2006) 5. Castro, M., Costa, M., Martin, J.-P.: Better bug reporting with better privacy. In: ASPLOS XIII: Proceedings of the 13th international conference on Architectural support for programming languages and operating systems, pp. 319–328. ACM, New York (2008) 6. de Moura, L., Bjørner, N.S.: Efficient E-matching for SMT solvers. In: Pfenning, F. (ed.) CADE 2007. LNCS (LNAI), vol. 4603, pp. 183–198. Springer, Heidelberg (2007) 7. de Moura, L., Bjørner, N.: Model-based Theory Combination. In: SMT 2007 (2007) 8. de Moura, L., Bjørner, N.: Relevancy Propagation. Technical Report MSR-TR2007-140, Microsoft Research (2007) 9. de Moura, L., Bjørner, N.S.: Z3: An Efficient SMT Solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008) 10. de Moura, L., Bjørner, N.S.: Deciding Effectively Propositional Logic Using DPLL and Substitution Sets. In: Armando, A., Baumgartner, P., Dowek, G. (eds.) IJCAR 2008. LNCS (LNAI), vol. 5195, pp. 410–425. Springer, Heidelberg (2008) 11. de Moura, L., Bjørner, N.S.: Engineering DPLL(T) + saturation. In: Armando, A., Baumgartner, P., Dowek, G. (eds.) IJCAR 2008. LNCS (LNAI), vol. 5195, pp. 475–490. Springer, Heidelberg (2008) 12. Godefroid, P., de Halleux, J., Nori, A.V., Rajamani, S.K., Schulte, W., Tillmann, N., Levin, M.Y.: Automating Software Testing Using Program Analysis. IEEE Software 25(5), 30–37 (2008) 13. King, J.C.: Symbolic execution and program testing. Commun. ACM 19(7), 385– 394 (1976) 14. Bonacina, M.P., Lynch, C., de Moura, L.: On deciding satisfiability by DPLL(Γ +T ) and unsound theorem proving. In: CADE (2009) 15. McCarthy, J.: Towards a mathematical science of computation. In: IFIP Congress, pp. 21–28 (1962) 16. Bjørner, N., Hendrix, J.: Linear Functional Fixed-points. In: CAV (2009) 17. Sen, K., Agha, G.A.: CUTE and jCUTE: Concolic unit testing and explicit path model-checking tools. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 419–423. Springer, Heidelberg (2006) 18. Ge, Y., de Moura, L.: Complete instantiation for quantified SMT formulas. In: CAV (2009)

Max-plus Algebraic Tools for Discrete Event Systems, Static Analysis, and Zero-Sum Games St´ephane Gaubert ´ INRIA Saclay – ˆIle-de-France and CMAP, Ecole Polytechnique, France [email protected]

Abstract. The max-plus algebraic approach of timed discrete event systems emerged in the eighties, after the discovery that synchronization phenomena can be modeled in a linear way in the max-plus setting. This led to a number of results, like the determination of long term characteristics (throughput, stationary regime) by spectral theory methods or the representation of the input-output behavior by rational series. Since these early developments, the max-plus scene has considerably evolved. Many analytical results appeared to carry over to a larger class of dynamical systems, involving monotone or nonexpansiveness operators. For instance, discrete dynamics in which the operations of maximum, minimum, positive linear combinations or log-exp type combinations simultaneously appear fall into this class. Such generalizations are based on the study of non-linear fixed point problems by methods of Perron-Frobenius theory. They keep, however, a combinatorial flavor reminiscent of the max-plus case. Then, the same monotone fixed point problems were seen to arise in other fields, including zero-sum games and static analysis by abstract interpretation, leading to the design of algorithms inspired by control and game theory (policy iteration) in static analysis. Finally, the recent flourishing of tropical geometry, in which maxplus objects are thought of as projections of classical objects by some valuations, has motivated new theoretical works, in particular on maxplus polyhedra. The latter were initially used to represent some invariant spaces (like the reachable sets of discrete event systems), they have arisen more recently in relation with game or static analysis problems. They now appear to be mathematical objects of an intrinsic interest, to which the arsenal of algorithms from computational geometry can be adapted. This survey will give a unified perspective on these developments, shedding light on recent results concerning zero-sum games, static analysis, non-linear Perron-Frobenius theory, and polyhedra.

Bibliographical indications An account of the basic developments of the max-plus algebraic approach of discrete event systems can be found in [1], see also [2,3]. Non-linear extensions, in which the maximum and addition operators are combined either with positive linear combinations [4] or with the minimum operator, leading to the definition of “min-max functions” [5,6], were subsequently developed. These extensions J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 7–11, 2009. c Springer-Verlag Berlin Heidelberg 2009 

8

S. Gaubert

were motivated in particular by the analysis of fluid approximations of timed Petri nets and by the analysis of asynchronous digital circuits. They were further treated in the setting of non-linear Perron-Frobenius theory [7,8,9,10,11,12]. An advanced presentation of some underlying methods is included in [13]. A similar operator approach was developed in the study of zero-sum game problems [14,15,16,17,18]. The idea of policy iteration for zero-sum games is an old one [19], but the degenerate cases arising in deterministic games were handled only more recently [20,21,22,23,24]. The complexity of policy iteration is a subject of current interest, see [25] and the references therein, and [26] for a recent progress. The application of game techniques to static analysis was developed in [27,28,29,30]. Max-plus or tropical convexity is a subject of great current vitality, see [31,32], [33,34,35,36] for initial references and [37,38,39,40,41,42,43,44,45,46] for recent developments. Some algorithmic and complexity aspects concerning tropical polyhedra are dealt with in the recent works [47,38]. Max-plus or tropical convex sets have been applied in [48,49] to compute invariant spaces and solve feedback synthesis or observation problems for some classes of discrete event systems. They have been used in [50] to develop a new domain in static analysis, adapted to the representation of disjunctive constraints. The correspondence between tropical polyhedra and zero-sum game problems gradually emerged from special cases [23,51]. Some satisfiability problems related to the non-emptyness of tropical polyhedra have been studied under the name of “max-atoms” [52]. Finally, some introductions to tropical geometry can be found in [53,54].

Fig. 1. As an illustration, we include a picture of a max-plus polyhedron (the analogue of the cyclic polytope [55,38]). Such polyhedra can represent the reachable spaces of discrete event system [2] as well as more sophisticated invariant spaces [48,49] or invariants sets in static analysis expressing disjunctive constraints [50]. They can be effectively manipulated [56,47,44]. The present picture was produced by Polymake [57].

References 1. Baccelli, F., Cohen, G., Olsder, G., Quadrat, J.: Synchronization and Linearity. Wiley, Chichester (1992) 2. Cohen, G., Gaubert, S., Quadrat, J.: Max-plus algebra and system theory: where we are and where to go now. Annual Reviews in Control 23, 207–219 (1999)

Max-plus Algebraic Tools for Discrete Event Systems

9

3. Heidergott, B., Olsder, G.J., van der Woude, J.: Max Plus at Work: Modeling and Analysis of Synchronized Systems, A Course on Max-Plus Algebra and Its Applications. Princeton University Press, Princeton (2005) 4. Cohen, G., Gaubert, S., Quadrat, J.: Asymptotic throughput of continuous timed petri nets. In: Proceedings of the 34th Conference on Decision and Control, New Orleans (December 1995) 5. Olsder, G.: Eigenvalues of dynamic min-max systems. J. of Discrete Event Dynamic Systems 1, 177–207 (1991) 6. Gunawardena, J.: Min-max functions. Discrete Event Dynamic Systems 4, 377–406 (1994) 7. Gaubert, S., Gunawardena, J.: A non-linear hierarchy for discrete event dynamical systems. In: Proc. of the Fourth Workshop on Discrete Event Systems (WODES 1998), Cagliari, Italy, IEE (1998) 8. Gunawardena, J.: From max-plus algebra to nonexpansive maps: a nonlinear theory for discrete event systems. Theoretical Computer Science 293, 141–167 (2003) 9. Gaubert, S., Gunawardena, J.: The Perron-Frobenius theorem for homogeneous, monotone functions. Trans. of AMS 356(12), 4931–4950 (2004) 10. Gaubert, S.: Nonlinear Perron-Frobenius theory and discrete event systems. JESA 39, 175–190 (2005) 11. Bousch, T., Mairesse, J.: Finite-range topical functions and uniformly topical functions. Dyn. Syst. 21(1), 73–114 (2006) 12. Akian, M., Gaubert, S., Lemmens, B., Nussbaum, R.: Iteration of order preserving subhomogeneous maps on a cone. Math. Proc. Cambridge Philos. Soc. 140(1), 157–176 (2006) 13. Nussbaum, R.D.: Hilbert’s projective metric and iterated nonlinear maps. Memoirs of the AMS 75(391) (1988) 14. Bewley, T., Kohlberg, E.: The asymptotic solution of a recursion equation occurring in stochastic games. Math. Oper. Res. 1(4), 321–336 (1976) 15. Kohlberg, E.: Invariant half-lines of nonexpansive piecewise-linear transformations. Math. Oper. Res. 5(3), 366–372 (1980) 16. Neyman, A.: Stochastic games and nonexpansive maps. In: Stochastic games and applications (Stony Brook, NY, 1999). NATO Sci. Ser. C Math. Phys. Sci., vol. 570, pp. 397–415. Kluwer Acad. Publ., Dordrecht (2003) 17. Rosenberg, D., Sorin, S.: An operator approach to zero-sum repeated games. Israel J. Math. 121, 221–246 (2001) 18. Vigeral, G.: Evolution equations in discrete and continuous time for nonexpansive operators in Banach spaces. In: ESAIM:COCV (to appear, 2009) 19. Hoffman, A.J., Karp, R.M.: On nonterminating stochastic games. Management sciences 12(5), 359–370 (1966) 20. Cochet-Terrasson, J., Gaubert, S., Gunawardena, J.: A constructive fixed point theorem for min-max functions. Dynamics and Stability of Systems 14(4), 407–433 (1999) 21. Gaubert, S., Gunawardena, J.: The duality theorem for min-max functions. C.R. Acad. Sci. 326, 43–48 (1998) 22. V¨ oge, J., Jurdzi´ nski, M.: A discrete strategy improvement algorithm for solving parity games. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855. Springer, Heidelberg (2000) 23. Dhingra, V., Gaubert, S.: How to solve large scale deterministic games with mean payoff by policy iteration. In: Valuetools 2006: Proceedings of the 1st international conference on Performance evaluation methodologies and tools, p. 12. ACM Press, New York (2006)

10

S. Gaubert

24. Cochet-Terrasson, J., Gaubert, S.: A policy iteration algorithm for zero-sum stochastic games with mean payoff. C. R. Math. Acad. Sci. Paris 343(5), 377–382 (2006) 25. Jurdzi´ nski, M., Paterson, M., Zwick, U.: A deterministic subexponential algorithm for solving parity games. SIAM J. Comput. 38(4), 1519–1532 (2008) 26. Friedmann, O.: An exponential lower bound for the parity game strategy improvement algorithm as we know it. Accepted for publication in the proceedings of LICS, also arXiv:0901.2731 (2009) ´ Martel, M., Putot, S.: A policy iteration 27. Costan, A., Gaubert, S., Goubault, E., algorithm for computing fixed points in static analysis of programs. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 462–475. Springer, Heidelberg (2005) ´ Taly, A., Zennou, S.: Static analysis by policy iteration 28. Gaubert, S., Goubault, E., on relational domains. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 237–252. Springer, Heidelberg (2007) 29. Gawlitza, T., Seidl, H.: Precise fixpoint computation through strategy iteration. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 300–315. Springer, Heidelberg (2007) 30. Adje, A., Gaubert, S., Goubault, E.: Computing the smallest fixed point of nonexpansive mappings arising in game theory and static analysis of programs. In: Proceedings of the Eighteenth International Symposium on Mathematical Theory of Networks and Systems (MTNS 2008), Blacksburg, Virginia (July 2008) arXiv:0806.1160 31. Zimmermann, K.: A general separation theorem in extremal algebras. Ekonom.Mat. Obzor 13(2), 179–201 (1977) 32. Litvinov, G., Maslov, V., Shpiz, G.: Idempotent functional analysis: an algebraic approach. Math. Notes 69(5), 696–729 (2001) 33. Cohen, G., Gaubert, S., Quadrat, J.: Hahn-Banach separation theorem for maxplus semimodules. In: Menaldi, J., Rofman, E., Sulem, A. (eds.) Optimal Control and Partial Differential Equations, pp. 325–334. IOS Press, Amsterdam (2001) 34. Cohen, G., Gaubert, S., Quadrat, J.P.: Duality and separation theorem in idempotent semimodules. Linear Algebra and Appl. 379, 395–422 (2004) 35. Cohen, G., Gaubert, S., Quadrat, J.P., Singer, I.: Max-plus convex sets and functions. In: Litvinov, G.L., Maslov, V.P. (eds.) Idempotent Mathematics and Mathematical Physics. Contemporary Mathematics. Contemporary Mathematics, pp. 105–129. American Mathematical Society (2005) 36. Develin, M., Sturmfels, B.: Tropical convexity. Doc. Math. 9, 1–27 (2004) (electronic) 37. Joswig, M.: Tropical halfspaces. In: Combinatorial and computational geometry. Math. Sci. Res. Inst. Publ., vol. 52, pp. 409–431. Cambridge Univ. Press, Cambridge (2005) 38. Allamigeon, X., Gaubert, S., Katz, R.D.: The number of extreme points of tropical polyhedra. Eprint arXiv:math/0906.3492 (submitted, 2009) 39. Butkoviˇc, P., Schneider, H., Sergeev, S.: Generators, extremals and bases of max cones. Linear Algebra Appl. 421(2-3), 394–406 (2007) 40. Gaubert, S., Katz, R.: Max-plus convex geometry. In: Schmidt, R.A. (ed.) RelMiCS/AKA 2006. LNCS, vol. 4136, pp. 192–206. Springer, Heidelberg (2006) 41. Gaubert, S., Katz, R.: The Minkowski theorem for max-plus convex sets. Linear Algebra and Appl. 421, 356–369 (2007) 42. Nitica, V., Singer, I.: Max-plus convex sets and max-plus semispaces. I. Optimization 56(1-2), 171–205 (2007)

Max-plus Algebraic Tools for Discrete Event Systems

11

43. Joswig, M., Sturmfels, B., Yu, J.: Affine buildings and tropical convexity. Albanian J. Math. 1(4), 187–211 (2007) 44. Joswig, M.: Tropical convex hull computations, Eprint arXiv:0809.4694. to appear in Contemporary Mathematics (November 2008) 45. Gaubert, S., Katz, R.: The tropical analogue of polar cones. Linear Algebra and Appl. 431, 608–625 (2009) 46. Gaubert, S., Meunier, F.: Carath´eodory, Helly and the others in the max-plus world. Discrete Computational Geometry, Published online, also arXiv:0804.1361v1 (2009) 47. Allamigeon, X., Gaubert, S., Goubault, E.: Computing the extreme points of tropical polyhedra. Eprint arXiv:0904.3436 (2009) 48. Katz, R.D.: Max-plus (A, B)-invariant spaces and control of timed discrete event systems. IEEE Trans. Aut. Control 52(2), 229–241 (2007) 49. Di Loreto, M., Gaubert, S., Katz, R.D., Loiseau, J.J.: Duality between invariant spaces for max-plus linear discrete event systems. Eprint arXiv:0901.2915 (2009) ´ Inferring min and max invariants using 50. Allamigeon, X., Gaubert, S., Goubault, E.: max-plus polyhedra. In: Alpuente, M., Vidal, G. (eds.) SAS 2008. LNCS, vol. 5079, pp. 189–204. Springer, Heidelberg (2008) 51. Gaubert, S., Sergeev, S.N.: Cyclic projectors and separation theorems in idempotent convex geometry. Journal of Mathematical Sciences 155(6), 815–829 (2008); Russian version published. Fundamentalnaya i prikladnaya matematika 13(4), pp. 33–52 (2007) 52. Bezem, M., Nieuwenhuis, R., Rodr´ıguez-Carbonell, E.: The max-atom problem and its relevance. In: Cervesato, I., Veith, H., Voronkov, A. (eds.) LPAR 2008. LNCS (LNAI), vol. 5330, pp. 47–61. Springer, Heidelberg (2008) 53. Itenberg, I., Mikhalkin, G., Shustin, E.: Tropical algebraic geometry. Oberwolfach seminars. Birkh¨ auser, Basel (2007) 54. Richter-Gebert, J., Sturmfels, B., Theobald, T.: First steps in tropical geometry. In: Idempotent mathematics and mathematical physics. Contemp. Math., vol. 377, pp. 289–317. Amer. Math. Soc., Providence (2005) 55. Block, F., Yu, J.: Tropical convexity via cellular resolutions. J. Algebraic Combin. 24(1), 103–114 (2006) 56. Cohen, G., Gaubert, S., McGettrick, M., Quadrat, J.P.: Maxplus toolbox of scilab, http://minimal.inria.fr/gaubert/maxplustoolbox/, now integrated in ScicosLab, http://www.scicoslab.org 57. Gawrilow, E., Joswig, M.: Polymake, http://www.math.tu-berlin.de/polymake/

Approximations of Discrete, Continuous, and Hybrid Systems George J. Pappas School of Engineering and Applied Science University of Pennsylvania Philadelphia, U.S.A http://www.seas.upenn.edu/~ pappasg/

Abstract. Concurrency theory and formal verification of discrete systems have resulted in a wealth of system relationships, including the notions of language inclusion, simulation and bisimulation relations. These notions have had great impact in not only reducing the analysis complexity of discrete systems, but also in reducing problems for continuous and hybrid systems to purely discrete problems. Such relationships for discrete systems require system observations to be identical. When interacting with the physical world, modeled by continuous or hybrid systems, exact relationships are restrictive and not robust. In this talk, we will present a framework of system approximation that applies to discrete, continuous, and hybrid systems by developing notions of approximate language inclusion, approximate simulation, and approximate bisimulation relations. We define a hierarchy of approximation pseudo-metrics between two systems that quantify the quality of the approximation, and capture the established exact relationships as zero sections. Algorithms are developed for computing the proposed pseudo-metrics, both exactly and approximately. The exact algorithms require the generalization of the fixed point algorithms for computing simulation and bisimulation relations, or dually, the solution of a static game whose cost is the so-called branching distance between the systems. Approximations for the pseudo-metrics can be obtained by considering Lyapunov-like functions called simulation and bisimulation functions. We will present algorithms for computing the proposed pseudo-metrics for a variety of classes of continuous, hybrid systems, and stochastic hybrid systems, as well as in approximating continuous systems by purely discrete ones.

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, p. 12, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Volume and Entropy of Regular Timed Languages: Analytic Approach Eugene Asarin1 and Aldric Degorre2 1

LIAFA, Universit´e Paris Diderot / CNRS case 7014, 75205 Paris Cedex 13, France [email protected] 2 VERIMAG, Centre Equation, 2 av. de Vignate, 38610 Gi`eres, France [email protected]

Abstract. We have recently defined size measures for timed languages: volume for languages with words having a fixed finite number of events, and entropy (growth rate) as asymptotic measure for an unbounded number of events. These measures can be used for quantitative comparison of languages, and the entropy can be viewed as the information contents of a timed language. For languages accepted by deterministic timed automata, using methods of functional analysis, we characterize the entropy as the logarithm of the leading eigenvalue (spectral radius) of a positive integral operator. We devise two procedures to compute the entropy: a symbolic one for so-called “1 12 -clock” automata, using differential equations; and a numerical one based on iterations of an integral operator.

1

Introduction

Since early 90s, timed automata and timed languages are extensively used for modelling and verification of real-time systems, and thoroughly explored from a theoretical standpoint. However, two important, and closely related, aspects have never been addressed: quantitative analysis of the size of these languages and of the information content of timed words. In a recent paper [1], we have formalized these problems, and here we solve them for a large subclass of timed languages. Recall that a timed word describes a behaviour of a system, taking into account delays between events. A timed language, which is just a set of timed words, may represent all such potential behaviours. Our aim is to measure the size of such a language. For a fixed number n of events, we can consider the language as a subset of Σ n × IRn (that is of several copies of the space IRn ). A natural measure in this case is just the Euclidean volume Vn of this subset. When the number of events is not fixed, we can still consider for each n all the timed words with n events belonging to the language and their volume Vn . It turns out that in most cases Vn asymptotically behaves as 2nH for some constant H that we call the entropy of the language. 

Support from French ANR project AMAES is gratefully acknowledged.

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 13–27, 2009. c Springer-Verlag Berlin Heidelberg 2009 

14

E. Asarin and A. Degorre

The information-theoretic meaning of H can be stated as follows: for a small ε, if the delays are measured with a finite precision ε, then using the words of a language L with entropy H, one can transmit H + log(1/ε) bits of information per event (a formalization in terms of Kolmogorov complexity has been stated in [1]). There can be several potential applications of these notions: – The most direct one is capacity estimation for an information transmission channel or for a time-based information flow. – When a timed language L1 is overapproximated by a simpler timed language L2 (e.g. using some abstractions as in [2]), it is important to assess the quality of the approximation. Comparing entropies of L1 and L2 provides such an assessment. – In model-checking of timed systems, it is often interesting to know the size of the set of all behaviours violating a property or of a subset of those presented as a counter-example by a verification tool. In this paper, we explore, and partly solve the following problem: given a prefix-closed timed language accepted by a deterministic timed automaton, find the entropy H of the language. Two Papers. In fact, we have developed two different and complementary approaches (discretization based and analytical) to the computation of volumes and entropy of timed languages. In the preceding submission [1], we have presented for the first time the main definitions, given a formula for volumes, and described the discretization approach. In this paper, we propose methods of computation of volumes and entropy based on functional analysis of positive integral operators. Our preprint [3] available on the Web presents both approaches with more detailed proofs. Related Work. Our problems and techniques are inspired by works concerning the entropy of finite-state languages (cf. [4]). There the cardinality of the set Ln of all elements of length n of a prefix-closed regular language also behaves as 2nH for some entropy H. This entropy can be found as logarithm of the spectral radius of the adjacency matrix of the accepting deterministic automaton. The main technical tool used to compute the entropy of finite automata is the PerronFrobenius theory for positive matrices, and we will use its extensions to infinitedimensional operators [5]. In [6,7] probabilities of some timed languages and densities in the clock space are computed. Our formulae for fixed-length volumes can be seen as specialization of these results to uniform measures. As for unbounded languages, they use stringent condition of full simultaneous reset of all the clocks at most every k steps, and under such a condition, they provide a finite stochastic class graph that allows computing various interesting probabilities. We use a much weaker hypothesis (every clock to be reset at most every D steps, but these resets need not be simultaneous), and we obtain only the entropy. In [8] probabilities of LTL properties of one-clock timed automata (over infinite timed words) are computed using Markov chains techniques. It would be interesting to try to adapt our methods to this kind of problems.

Volume and Entropy of Regular Timed Languages: Analytic Approach

15

Paper Organization. This paper is organized as follows. In Sect. 2, following [1] we define volumes of fixed-length timed languages and entropy of unboundedlength timed languages. We identify a subclass of deterministic timed automata, whose volumes and entropy are considered in the rest of the paper, and define a normal form for such automata. Finally, we give a variant of the algorithm from [1] for computing the volumes of languages of such automata. In Sect. 3 we associate a functional space with a timed automaton and define a positive operator on this space. We rephrase the formulas for the volume in terms of this operator. Next, we state the main result of the paper: a characterization of the entropy as the logarithm of the spectral radius of this operator. Such a characterization may seem too abstract but later on, in Sect. 4 we give two practical procedures for approximate computing this spectral radius. First, we show how to solve the eigenvector equation symbolically for timed automata with 1 21 clocks defined below. Next, for general timed automata we apply a “standard” iterative procedure from [5] and thus obtain an upper and a lower bound for the spectral radius/entropy. These bounds become tighter as we make more iterations. We conclude the paper by some final remarks in Sect. 5.

2

Problem Statement

2.1

Geometry, Volume and Entropy of Timed Languages

A timed word of length n over an alphabet Σ is a sequence w = t1 a1 t2 . . . tn an , where ai ∈ Σ, ti ∈ IR and 0 ≤ ti . Here ti represents the delay between the events ai−1 and ai . With such a timed word w of length n we associate its untiming η(w) = a1 . . . an ∈ Σ n (which is just a word), and its timing which is a point θ(w) = (t1 , . . . , tn ) in IRn . A timed language L is a set of timed words. For a fixed n, we define the n-volume of L as follows:  Vn (L) = Vol{θ(w) | w ∈ L, η(w) = v}, v∈Σ n

where Vol stands for the standard Euclidean volume in IRn . In other words, we sum up over all the possible untimings v of length n the volumes of the corresponding sets of delays in IRn . In case of regular timed languages, these sets are polyhedral, and hence their volumes (finite or infinite) are well-defined. We have associated with every timed language a sequence of n-volumes Vn . We will show in Sect. 2.5 that, for a large subclass of timed regular languages, Vn is a computable sequence of rational numbers. However, we would like to find a unique real number characterizing the asymptotic behaviour of Vn as n → ∞. Typically, as we will see in Sect. 3, Vn depends approximately exponentially on n. We define the entropy of the language L(A) as the rate of this dependence. Formally, for a timed language L we define its entropy as follows1 (all logarithms in the paper are base 2): 1

In fact, due to Assumption A2 below, the languages we consider in the paper are prefix-closed, and lim sup is in fact a lim. This will be stated formally in Cor. 1.

16

E. Asarin and A. Degorre

H(L) = lim sup n→∞

log Vn . n

Remark 1. Many authors consider a slightly different kind of timed words: sequences w = (a1 , d1 ), . . . , (an , dn ), where ai ∈ Σ, di ∈ IR and 0 ≤ d1 ≤ · · · ≤ dn , with di representing the date of the event ai . This definition is in fact isomorphic to ours by a change of variables: t1 = d1 and ti = di − di−1 for i = 2..n. It is important for us that this change of variables preserves the n-volume, since it is linear and its matrix has determinant 1. Therefore, choosing date (di ) or delay (ti ) representation has no influence on language volumes (and entropy). Due to the authors’ preferences (justified in [9]), delays will be used in the sequel. 2.2

Three Examples

To illustrate the problem of determining volume and entropy consider the languages recognized by three timed automata of Fig. 1. Two of them can be analysed directly, using definitions and common sense. The third one resists naive analysis, it will be used to illustrate more advanced methods throughout the paper. A1

A2

a, x ∈ [2; 4]/x := 0

a, x ∈ [0; 4] p

p

A3 a, x ∈ [0; 1]/x := 0 q

b, x ∈ [2; 4]/x := 0

p

q b, y ∈ [0; 1]/y := 0

b, x ∈ [3; 10]/x := 0 Fig. 1. Three simple timed automata A1 , A2 , A3

Rectangles. Consider the timed language defined by the expression L1 = ([2; 4]a + [3; 10]b)∗, recognized by A1 of Fig. 1. For a given untiming w ∈ {a, b}n containing k letters a and n − k letters b, the set of possible timings is a rectangle in IRn of a volume 2k 7n−k (notice that there are Cnk such untimings). Summing up all the volumes, we obtain Vn (L1 ) =

n 

Cnk 2k 7n−k = (2 + 7)n = 9n ,

k=0

and the entropy H(L1 ) = log 9 ≈ 3.17.

Volume and Entropy of Regular Timed Languages: Analytic Approach

17

A Product of Trapezia. Consider the language defined by the automaton A2 on Fig. 1, that is containing words of the form t1 as1 bt2 as2 b . . . tk ask b such that 2 ≤ ti +si ≤ 4. Since we want prefix-closed languages, the last sk b can be omitted. For an even n = 2k the only possible unt 4 timing is (ab)k . The set of timings in IR2k is a Cartesian product of k trapezia 2 ≤ ti + si ≤ 4. The surface of each trapezium equals S = 2 42 /2 − 22 /2 = 6, and the volume V2k (L2 ) = 6k . For an odd n = 2k + 1 the same product of trapezia is combined with an interval 0 ≤ 2 4 s tk+1 ≤ 4, hence the volume is V2k+1 (L2 ) = 6k · 4. Thus the entropy H(L2 ) = log 6/2 ≈ Fig. 2. Timings (ti , si ) for A2 1.29. Our Favourite Example. The language recognized by the automaton A3 of Fig. 1 contains the words of the form t1 at2 bt3 at4 b . . . with ti + ti+1 ∈ [0; 1]. Notice that the automaton has two clocks that are never reset together. The geometric form of possible untimings in IRn is defined by overlapping constraints ti + ti+1 ∈ [0; 1]. It is not so evident how to compute the volume of this polyhedron. The simplest solution would be to integrate 1 over the polyhedron, and to rewrite this multiple integral as an iterated one. The resulting formula for the volume is  1  1−t1  1−t2  1−tn−1 Vn (L3 ) = dt1 dt2 dt3 . . . dtn . 0

0

0

0

A systematic method to obtain this kind of formulae, introduced in [1], is briefly described below in Sect. 2.5. In the sequel we will also compute the entropy of L3 using both methods presented in this paper. 2.3

A Subclass of Timed Automata

In the rest of the paper, we compute volumes and entropy for regular timed languages recognized by a subclass of timed automata (TA). We assume that the reader is acquainted with timed automata, otherwise we refer her or him to [10] for details. Here we only fix notations for the components of timed automata and state several requirements that they should satisfy. Thus a TA is a tuple A = (Q, Σ, C, Δ, q0 ). Its elements are respectively the set of locations, the alphabet, the set of clocks, the transition relation, and the initial location (we do not need to specify accepting states due to A2 below). A generic state of A is a pair (q, x) of a control location and a vector of clock values. A generic element of Δ is written as δ = (q, a, g, r, q  ), a transition from q to q  with label a, guard g and reset r. We spare the reader the definitions of a run of A and of its accepted language.

18

E. Asarin and A. Degorre

We call a TA A nice if it satisfies the following assumptions: A1. A2. A3. A4.

The automaton A is deterministic2 . All its states are accepting. Guards are rectangular. Every guard upper bounds at least one clock. There exists a D ∈ IN such that on every run segment of D transitions, every clock is reset at least once.

Below we motivate and justify these choices: A1: Most of known techniques to compute entropy of regular languages work on deterministic automata. Indeed, these techniques count paths in the automaton, and only in the deterministic case their number coincides with the number of accepted words. The same is true for volumes in timed automata. R. Lanotte pointed out to the authors that any TA satisfying A4 can be determinized. A2: Prefix-closed languages are natural in the entropy context, and somewhat easier to study. These languages constitute the natural model for the set of behaviours of a causal system. A3: If a guard of a feasible transition is infinite, the volume becomes infinite. We conclude that A3 is unavoidable and almost not restrictive. A4: We use this rather strong non-Zenoness condition several times in our proofs and constructions. As the automaton of Fig. 3 shows, if we omit this assumption some anomalies can occur. The language of this automaton is a, x ∈ [0; 1]

L = {t1 a . . . tn a | 0 ≤



ti ≤ 1},

and Vn is the volume of an n-dimensional  simplex defined by the constraints 0 ≤ ti ≤ 1, and 0 ≤ ti . Hence Vn = 1/n! which decreases faster than any exponent, which is too fine to be distinguished by our methods. Assumption A4 rules out such anomalies. This assumption is also the most difficult to check. A possible way would be to explore all simple cycles in the region graph (see [10]) and to check that all of those reset every clock. Fig. 3. An automaton without resets

2.4

Preprocessing Timed Automata

In order to compute volumes Vn and entropy H of the language of a nice TA, we first transform this automaton into a normal form, which can be considered as a (timed) variant of the region graph, the quotient of the TA by the region equivalence relation defined in [10]. We say that a TA A = (Q, Σ, C, δ, q0 ) is in a region-split form if A1, A2, A4 and the following properties hold: 2

That is any two transitions with the same source and the same label have their guards disjoint.

Volume and Entropy of Regular Timed Languages: Analytic Approach

19

B1. Each location and each transition of A is visited by some run starting at (q0 , 0). B2. For every location q ∈ Q a unique clock region rq (called its entry region) exists, such that the set of clock values with which q is entered is exactly rq . For the initial location q0 , its entry region is the singleton {0}. B3. The guard g of every transition δ = (q, a, g, r, q  ) ∈ Δ is just one clock region. Notice, that B2 and B3 imply that r(g) = rq for every δ. Proposition 1. Given a nice TA A, a region-split TA A accepting the same language can be constructed3 . Proof (sketch). Let A = (Q, Σ, C, Δ, q0 ) be a nice TA and let Reg be the set of its regions. The region-split automaton A = (Q , Σ, C, Δ , q0 ) can be constructed as follows: 1. Split every state q into substates corresponding to all possible entry regions. Formally, just take Q = Q × Reg. 2. Split every transition from q to q  according to two clock regions: one for the clock values when q is entered, another for clock values when q is left. Formally, for every δ = (q, a, g, r, q  ) of A, and every two clock regions r and r such that r is reachable from r by time progress, and r ⊂ g, we define a new transition of A     δrr  = ((q, r), a, x ∈ r , r, (q , r(r ))) .

3. Take as initial state q0 = (q0 , {0}). 4. Remove all the states and transitions not reachable from the initial state.  We could work with the region-split automaton, but it has too many useless (degenerate) states and transitions, which do not contribute to the volume and the entropy of the language. This justifies the following definition: we say that a region-split TA is fleshy if the following holds: B4. For every transition δ its guard g has no constraints of the form x = c in its definition. Proposition 2. Given a region-split TA A accepting a language L, a fleshy region-split TA A accepting a language L ⊂ L with Vn (L ) = Vn (L) and H(L ) = H(L) can be constructed. Proof (sketch). The construction is straightforward: 1. Remove all non-fleshy transitions. 2. Remove all the states and transitions that became unreachable. 3

Notice that due to A3 all the guards of original automaton are bounded w.r.t. some clock. Hence, the same holds for smaller (one-region) guards of A , that is the infinite region [M ; ∞)|C| never occurs as a guard.

20

E. Asarin and A. Degorre

Inclusion L ⊂ L is immediate. Every path in A (of length n) involving a non-fleshy (punctual) transition corresponds to the set of timings in IRn which is degenerate (its dimension is smaller than n), hence it does not contribute to Vn .  From now on, we suppose w.l.o.g. that the automaton A is in a fleshy region-split form (see Fig. 4). a, x ∈ (3; 4) (2; 3)

a, x ∈ (0; 1)/x := 0

(1; 2) p x=0

(0; 1)

q q q q x ∈ (0; 1) x ∈ (1; 2) x ∈ (2; 3) x ∈ (3; 4)

p x ∈ (0; 1) y=0

q x=0 y ∈ (0; 1)

b, y ∈ (0; 1)/y := 0 p x=0 y=0 b, x ∈ (3; 4)/x := 0

a, x ∈ (0; 1)/x := 0

b, x ∈ (2; 3)/x := 0

Fig. 4. Fleshy region-split forms of automata A2 and A3 from Fig. 1. An entry region is drawn at each location.

2.5

Computing Volumes

Given a fleshy region-split TA A, we want to compute n-volumes Vn of its language. In order to obtain recurrent equations on these volumes, we need to take into account all possible initial locations and clock configurations in entry regions of these locations. For every state (q, x), where x ∈ rq , let L(q, x) be the set of all the timed words corresponding to the runs of the automaton starting at this state, let Ln (q, x) be its sublanguage consisting of its words of length n, and vn (q, x) the volume of this sublanguage. Hence, the quantity we are interested in, is the value of vn in the initial state: Vn = vn (q0 , 0). By definition of runs of a TA, we obtain the following language equations: L0 (q, x) = ε; Lk+1 (q, x) =





τ aLk (q  , r(x + τ )).

(q,a,g,r,q )∈Δ τ :x+τ ∈g

Since the automaton is deterministic, the union over transitions (the first the formula) is disjoint. Hence, it is easy to pass to volumes: v0 (q, x) = 1; vk+1 (q, x) =



(q,a,g,r,q )∈Δ

 τ :x+τ ∈g



in

(1) vk (q  , r(x + τ )) dτ.

(2)

Volume and Entropy of Regular Timed Languages: Analytic Approach

21

Observe that for a fixed location q, and x ∈ rq , since  u the guard is just a region, the integration over τ : x + τ ∈ g is nothing but l with bounds l and u either constants or of the form c − xi with c an integer and xi a clock variable. These formulas lead to the following structural description of vn (q, x), which can be proved by a straightforward induction. Proposition 3. The function vn (q, x) restricted to a location q can be expressed by a polynomial of degree n with rational coefficients in variables x. Thus, in order to compute the volume Vn , one should find by symbolic integration polynomial functions vk (q, x) for k = 0..n, and finally compute vn (q0 , 0). Theorem 1 ([1]). For a (nice) TA A the volume Vn is a rational number, computable from A and n using the procedure described above.

3

Operator Approach

In this central section of the paper, we develop an approach to volumes and entropy of languages of nice timed automata based on functional analysis. We start in 3.1 by identifying a functional space F containing the volume functions vn . Next, we show that these volume functions can be seen as iterates of some positive integral operator Ψ on this space applied to the unit function (Sect. 3.2). We explore some elementary properties of this operator in 3.3. This makes it possible to apply in 3.4 the theory of positive operators to Ψ and to deduce the main theorem of this paper stating that the entropy equals the logarithm of the spectral radius of Ψ . 3.1

The Functional Space of a TA

In order to use the operator approach we first identify the appropriate functional space F containing volume functions vn . We define S as the disjoint union of all the entry regions of all the states of A. Formally, S = {(q, x) | x ∈ rq }. The elements of the space F are bounded continuous functions from S to IR. The uniform norm u = supξ∈S |u(ξ)| can be defined on F , yielding a Banach space structure. We can compare two functions in F pointwise, thus we write u ≤ v if ∀ξ ∈ S : u(ξ) ≤ v(ξ). For a function f ∈ F we sometimes denote f (p, x) by fp (x). Thus, any function f ∈ F can be seen as a finite collection of functions fp defined on entry regions rp of locations of A. The volume functions vn (restricted to S) can be considered as elements of F . 3.2

Volumes Revisited

Let us consider again the recurrent formula (2). It has the form vk+1 = Ψ vk , where Ψ is the positive linear operator on F defined by the equation:   Ψ f (q, x) = f (q  , r(x + τ )) dτ. (3) (q,a,g,r,q )∈Δ

x+τ ∈g

22

E. Asarin and A. Degorre

We have also v0 = 1. Hence vn = Ψ n 1, and the problem of computing volumes and entropy is now phrased as studying iterations of a positive bounded linear operator Ψ on the functional space F . The theory of positive operators guarantees, that under some hypotheses, vn is close in direction to a positive eigenvector v ∗ of Ψ , corresponding to its leading eigenvalue ρ. Moreover, values of vn will grow/decay exponentially like ρn . In the sequel we refer to the book [5] when a result concerning positive operators is needed. 3.3

Exploring the Operator Ψ

Let us first state some elementary properties of this operator4, starting by rewriting (3) as an operator on F and separating all its summands.  (Ψ f )q (x) = (ψδ fq )(x). (4) δ=(q,...,q )∈Δ

For δ = (q, a, g, r, q  ) the operator ψδ acts from the space C(rq ) of bounded continuous functions on the target region to the space C(rq ) of functions on the source region. It is defined by the integral:  ψδ f (x) = f (r(x + τ )) dτ. (5) x+τ ∈g

Iterating (4) we obtain a formula for powers of operator Ψ  (Ψ k f )p (x) = (ψδ1 . . . ψδk fp )(x). δ1 ...δk from p to p

(6)

Some useful properties of ψδ and Ψ k are stated in [3], in particular the estimate of partial derivatives of Ψ D f (here D is the constant from A4; E is another constant computable from the automaton):    ∂ D   ∀i :  Ψ f (7)  ≤ E f . ∂xi Now we are ready to prove the following important property of Ψ : Theorem 2. The operator Ψ D is compact on F . Proof. Consider B – the unit ball of F . Let us prove that Ψ D B is a compact set. This set is clearly bounded. It follows from (7), that the whole set Ψ D B is Lipschitz continuous with constant E#C, where #C is the dimension of the clock space. Hence it is equicontinuous, and, by Arzela-Ascoli theorem, compact.  Next two lemmata will be used in the proof of the Main Theorem. Denote by ρ the spectral radius of Ψ . 4

Missing proofs can be found in the technical report [3].

Volume and Entropy of Regular Timed Languages: Analytic Approach

23

Lemma 1. If ρ > 0, then it is an eigenvalue of Ψ with an eigenvector v ∗ ≥ 0. Proof. According to Thm. 9.4 of [5] the statement holds for every positive linear operator with a compact power. Thus, the result follows immediately from Thm. 2.  Lemma 2. If ρ > 0 then the eigenvector v ∗ satisfies v ∗ (q0 , 0) > 0. 3.4

Main Theorem

The main result of this paper can now be stated. Theorem 3. For any nice TA A the entropy H of its language coincides with logarithm of the spectral radius of the Ψ operator defined on F . Proof. Notice that Vn = vn (q0 ; 0) ≤ vn = Ψ n 1 ≤ Ψ n . Taking logarithm and dividing by n, we obtain log Vn /n ≤ log Ψ n /n. The limit of the right-hand side is log ρ due to Gelfand’s formula for spectral radius: ρ = limn→∞ Ψ n 1/n . Thus, we obtain the required upper bound for the entropy: H = lim sup log Vn /n ≤ log ρ. n→∞

In the case when ρ > 0 we also have to prove the lower bound. In this case Lemma 1 applies and an eigenvector v ∗ ≥ 0 with norm 1 exists. This yields the inequality v ∗ ≤ 1, to which, for any natural n, we can apply the positive operator Ψ n . Using the fact that v ∗ is an eigenvector and the formula for vn we obtain ρn v ∗ ≤ vn . Then, taking the values of the functions in the initial state we get ρn v ∗ (q0 ; 0) ≤ Vn . Hence, by Lemma 2, denoting the positive number v ∗ (q0 ; 0) by δ: ρn δ ≤ Vn . Taking logarithm, dividing by n, and taking the limit we obtain: log ρ ≤ lim inf log Vn /n = H. n→∞



The following result is immediate from the proof of the Theorem. Corollary 1. For any nice TA A the lim sup in the definition of the entropy is in fact a limit, that is H = limn→∞ log Vn /n.

4

Computing the Entropy

The characterization of H in Theorem 3 solves the main problem explored in this paper, but its concrete application requires computing the spectral radius of an integral operator Ψ , and this is not straightforward. In 4.1 we solve this problem for a subclass of automata by reduction to differential equations. As for the general situation, in 4.2 we give an iterative procedure that approximates the spectral radius and the entropy with a guaranteed precision.

24

E. Asarin and A. Degorre

4.1

Case of “1 21 Clock” Automata

Consider now the subclass of (fleshy region-split) automata with entry regions of all the locations having dimension 0 or 1. In other words, in such automata for every discrete transition there is at most one clock non reset. We call this class 1 21 clock automata. The idea of the symbolic algorithm for computing the entropy of such automata is presented in Table 1. Table 1. The idea of the symbolic algorithm: computing H for 1 12 clocks 1. 2. 3. 4. 5. 6. 7.

Transform A into the fleshy region-split form and check that it has 1 12 clock. Write the integral eigenvalue equation (I) with one variable. Derivate (I) w.r.t. x and get a differential equation (D). Instantiate (I) at 0, and obtain a boundary condition (B). Solve (D) with boundary condition (B). Take ρ = max{λ| a non-0 solution exists}. Return H(L(A)) = log ρ.

The detailed algorithm is given in [3], here we only sketch it. Notice first that the set S = {(q, x) | x ∈ rq } is now a disjoint union of unit length intervals and singleton points. After a change of variables, each of those unit intervals can be represented as x ∈ (0; 1), and a singleton point as x = 0. In both cases x is a scalar variable, equal in the first case to xq −cq , where xq ∈ C is the only clock whose value is positive in rq , and cq ∈ IN a constant. Thus, every f ∈ F can be seen as a finite collection of function fq of one scalar argument. The operator ψδ corresponding to a transition takes now a form  uδ (ψδ f )(x) = f (eδ )dt, lδ

where a careful but straightforward analysis shows that the only possible forms of the integration limits lδ , uδ are −x, 0, 1 − x, 15 , and that the expression eδ (corresponding to the arrival point in a target region) always simplifies to one of the forms 0, t or x + t. This yields six simple normal forms for ψδ . According to Theorem 3, we are interested in the maximal eigenvalue ρ of the operator Ψ . Let us write an equation on its eigenvalues and eigenvectors: λf = Ψ f, with f ∈ F a non-zero function. In a more explicit form, this gives a system of integral equations:  λfq (x) = (ψδ fq )(x), (8) δ

q→q

where, as stated above, all the summands are integrals of six simple forms. To get rid of most of the integrals, we differentiate (8) with respect to x, and obtain 5

Due to the variable change, the integration variable t is not a delay but actually a difference of fractional parts of two clock values. Hence negative values are possible.

Volume and Entropy of Regular Timed Languages: Analytic Approach

25

a system (D) of linear differential equations. These equations have, however, some particularities. Namely, their right-hand sides can  1 contain not only terms of the usual form fq (x), but also fq (1 − x) and even 0 f . On the other hand, we obtain a system of boundary conditions (B) by substituting x = 0 and x = 1 into (8). The system of differential equations (D) with the boundary conditions (B) can be solved explicitly. It has a non-zero solution f iff λ satisfies some transcendental equation (E). Finally, the spectral radius ρ is the maximal real solution of (E), and the entropy is its logarithm. Application to the Running Example. We apply the method just described to compute the entropy of the language of the automaton A3 of Fig. 1 which is a “1 21 clocks” one. Its fleshy region-split form is presented on Fig. 4. By symmetry, the volume of a path of length n ∈ IN is the same function vn in both non-initial states. Thus vn is characterized by: v0 (x) = 1  1−x vn+1 (x) = (Ψ vn )(x)  0 vn (t)dt. According to Thm. 3, the entropy can be found as log ρ(Ψ ), and by Lemma 1 ρ(Ψ ) is the maximal eigenvalue of Ψ . Let us write the eigenvalue equation:  1−x λv(x) = v(t)dt. (9) 0

Differentiating it twice w.r.t x we get: λv  (x) = −v(1 − x) 2 

λ v (x) = −v(x)

(10) (11)

The solutions have the form v(x) = α sin( λx ) + β cos( λx ). Using (9) with x = 1 we find v(1) = 0. We inject this in (10) for x = 0 and deduce α = 0. Thus v(x) = β cos( λx ) and cos( λ1 ) = 0. This implies that the solutions correspond to 2 λ = (2k+1)π with k ∈ ZZ. The highest of those is λ = 2/π, and we can verify 2 that v(x) = cos( xπ 2 ) satisfies π v = Ψ v. Therefore ρ(Ψ ) = 2/π, and the entropy of this automaton is log(2/π). 4.2

General Case

If several clocks are not reset in some transitions, then the entry regions are multi-dimensional, and the volume functions therefore depend on several real variables. Hence, we cannot reduce the integral equation to an ordinary differential equation, which makes it difficult to find the eigenfunction symbolically. Instead, we can use standard iterative procedures for eigenvalue approximation for positive operators. Recall that the volume function satisfies vn = Ψ n 1. The following theorem is close to Thms. 16.1-16.2 from [5], and we provide its proof in the technical report [3].

26

E. Asarin and A. Degorre

Theorem 4. If for some α, β ∈ IR, m ∈ IN the following inequality holds: αvm ≤ vm+1 ≤ βvm , and the volume Vm = vm (q0 , 0) > 0, then log α ≤ H ≤ log β. This theorem yields a procedure6 to estimate H summarized in Table 2. Table 2. Iterative algorithm: bounding H 1. Transform A into the fleshy region-split form. 2. Choose an m and compute symbolically the piecewise polynomial functions vm and vm+1 . 3. Check that vm (q0 , 0) > 0. 4. Compute α = min(vm+1 /vm ) and β = max(vm+1 /vm ). 5. Conclude that H ∈ [log α; log β].

Example: Again A3 We apply the iterative procedure above to our running example A3 . As explained in Sect. 4.1, we can just consider the operator on C(0; 1)  1−x Ψ f (x) = f (s) ds. 0

The iteration results are given in Table 3. Table 3. Iterating the operator for A3 (H = log(2/π) ≈ log 0.6366 ≈ −0.6515) m 0 1 2 3 4 5 6 7

5

vm (x) 1 1−x 1 − x − 1/2 (1 − x)2 1/2 (1 − x) − 1/6 (1 − x)3 1/3 (1 − x) + 1/24 (1 − x)4 − 1/6 (1 − x)3 5 3 5 1 24 (1 − x) + 120 (1 − x) − 1/12 (1 − x) 6 5 3 2 1 1 1 15 (1 − x) − 720 (1 − x) + 120 (1 − x) − 18 (1 − x) 7 5 3 61 1 1 5 (1 − x) − (1 − x) + (1 − x) − (1 − x) 720 5040 240 144

α 0 0.5 0.5 0.625 0.625 0.6354 0.6354 0.6364

β 1 1 0.667 0.667 0.641 0.641 0.6371 0.6371

log α

log β

-1 -1 -0.679 -0.679 -0.6543 -0.6543 -0.6518

0 -0.584 -0.584 -0.643 -0.643 -0.6506 -0.6506

Conclusions and Further Work

In this paper, we have explored size characteristics of timed languages: volume and entropy. The entropy has been characterized as logarithm of the leading eigenvalue of a positive operator on the space of continuous functions on a part of the state space. Two procedures have been suggested to compute it. Research in this direction is very recent, and many questions need to be studied. We are planning to explore practical feasibility of the procedures described here and compare them to the discretization method from [1]. We believe that, as usual for timed automata, they should be transposed from regions to zones. We will explore potential applications mentioned in the introduction. 6

One possible optimization is to compute α and β separately on every strongly connected reachable component of the automaton, and take the maximal values.

Volume and Entropy of Regular Timed Languages: Analytic Approach

27

Many theoretical questions still require exploration. Convergence of the algorithm in 4.2 (in the strongly connected case), and computability of the entropy are important issues. Extending results to probabilistic timed automata is another option. Our entropy represents the amount of information per timed event. It would be interesting to find the amount of information per time unit. Another research direction is to associate a dynamical system (a subshift) to a timed language and to explore entropy of this dynamical system. Acknowledgment. The authors are thankful to Oded Maler for motivating discussions and valuable comments on the manuscript.

References 1. Asarin, E., Degorre, A.: Volume and entropy of regular timed languages: Discretization approach. In: Bravetti, M., Zavattaro, G. (eds.) CONCUR 2009. LNCS, vol. 5710, pp. 69–83. Springer, Heidelberg (2009) 2. Ben Salah, R., Bozga, M., Maler, O.: On timed components and their abstraction. In: SAVCBS 2007, pp. 63–71. ACM Press, New York (2007) 3. Asarin, E., Degorre, A.: Volume and entropy of regular timed languages. Preprint (2009), http://hal.archives-ouvertes.fr/hal-00369812/ 4. Lind, D., Marcus, B.: An introduction to symbolic dynamics and coding. Cambridge University Press, Cambridge (1995) 5. Krasnosel’skij, M., Lifshits, E., Sobolev, A.: Positive Linear Systems: The method of positive operators. Heldermann Verlag, Berlin (1989) 6. Bucci, G., Piovosi, R., Sassoli, L., Vicario, E.: Introducing probability within state class analysis of dense-time-dependent systems. In: QEST 2005, pp. 13–22. IEEE Computer Society Press, Los Alamitos (2005) 7. Sassoli, L., Vicario, E.: Close form derivation of state-density functions over dbm domains in the analysis of non-Markovian models. In: QEST 2007, pp. 59–68. IEEE Computer Society Press, Los Alamitos (2007) 8. Bertrand, N., Bouyer, P., Brihaye, T., Markey, N.: Quantitative model-checking of one-clock timed automata under probabilistic semantics. In: QEST 2008, pp. 55–64. IEEE Computer Society Press, Los Alamitos (2008) 9. Asarin, E., Caspi, P., Maler, O.: Timed regular expressions. Journal of the ACM 49, 172–206 (2002) 10. Alur, R., Dill, D.L.: A theory of timed automata. Theoretical Computer Science 126, 183–235 (1994)

Synthesis of Non-Interferent Timed Systems Gilles Benattar1 , Franck Cassez2, , Didier Lime1 , and Olivier H. Roux1 2

1 IRCCyN/CNRS, BP 92101, 1 rue de la Noë, 44321 Nantes Cedex 3, France National ICT Australia & CNRS, Univ. of New South Wales, Sydney, Australia

Abstract. In this paper, we focus on the synthesis of secure timed systems which are given by timed automata. The security property that the system must satisfy is a non-interference property. Various notions of non-interference have been defined in the literature, and in this paper we focus on Strong Non-deterministic Non-Interference (SNNI) and we study the two following problems: (1) check whether it is possible to enforce a system to be SNNI; if yes (2) compute a subsystem which is SNNI. Keywords: Non-Interference, Synthesis, Timed Automaton.

1 Introduction Modern computing environments allow the use of programs that are sent or fetched from different sites. Such programs may deal with secret information such as private data (of a user) or as classified data (of an organization). One of the basic concerns in such context is to ensure that the programs do not leak sensitive data to a third party, either maliciously or inadvertently. This is often called secrecy. In an environment with two parties, information flow analysis defines secrecy as: “high-level information never flows into low-level channels”. Such a definition is referred to as a non-interference property, and may capture any causal dependency between high-level and low-level behaviors. We assume that there are two users and the set of actions of the system S is partitioned into Σh (high-level actions) and Σl (low-level actions). The non-interference properties, namely strong non-deterministic non-interference (SNNI), cosimulation-based strong non-deterministic non-interference (CSNNI) and bisimulation-based strong non-deterministic non-interference (BSNNI), are out of the scope of the common safety/liveness classification of system properties [1]. The non-interference verification problem, for a given system S, consists in checking whether S is non-interferent. In recent years, verification of information flow security properties has been a very active domain [1,2] as it can be applied to the analysis of cryptographic protocols where numerous uniform and concise characterizations of information flow security properties (e.g. confidentiality, authentication, non-repudiation or anonymity) in terms of noninterference have been proposed. For example, the Needham-Schroeder protocol can be proved unsecure by defining the security property using SNNI [3].  

Work supported by the French Government under grant ANR-SETI-003. Author supported by a Marie Curie International Outgoing Fellowship within the 7th European Community Framework Programme.

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 28–42, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Synthesis of Non-Interferent Timed Systems

29

In this paper, we consider the problem of synthesizing non-interferent timed systems. In contrast to verification, the non-interference synthesis problem assumes the system is open i.e., we can restrict the behaviors of S: some events, in a particular set Σc , of S can be disabled. The non-interference control problem for a system S asks the following: “Is there a controller C s.t. C(S) is non-interferent?” The associated non-interference controller synthesis problem asks to compute a witness mapping C. Related Work. In [4] the authors consider the complexity of many non-interference verification problems but synthesis is not addressed. In [5] an exponential time decision procedure for checking whether a finite state system satisfies a given Basic Security Predicate (BSP) is presented but the synthesis problem is not addressed. There is also a large body of work on the use of static analysis techniques to enforce information flow policies. A general overview can be found in [6]. The non-interference synthesis problem was first considered in [7] for dense-time systems specified by timed automata. The non-interference property considered in [7] is the state non-interference property, which is less demanding than the one we consider here. This paper is a follow-up of our previous work [8] about non-interference control problems for untimed systems. In [8], we assumed that the security domains coincided with the controllable and uncontrollable actions: high-level actions (Σh ) could be disabled (Σc = Σh ) whereas low-level actions (Σl ) could not. We studied the synthesis problems for SNNI and BSNNI and proved they are decidable. In the present paper we extend the previous work in two directions: (1) we release the constraint Σc = Σh and (2) consider the synthesis problem for timed automata. Nevertheless we restrict the class of non-interference properties to SNNI. The motivations for this work are manyfold. Releasing Σc = Σh is interesting in practice because it enables one to specify that an action from Σh cannot be disabled (a service must be given), while some actions of Σl can be disabled. We can view actions of Σl as capabilities of the low-level user (e.g., pressing a button), and it thus makes sense to prevent the user from using the button for instance by disabling/hiding it temporarily. It is also of theoretical interest, because this non-interference synthesis problem is really more difficult than the corresponding verification problem in the sense that we can reduce the SNNI verification problem to a particular instance of the synthesis problem: we just have to take Σc = ∅. This was not the case for the versions of the synthesis problems studied in [8]. We start by studying the SNNI synthesis problem for timed automata because SNNI is a rather simple notion of interference. Still as said earlier, it is expressive enough for example to prove that the Needham-Schroeder protocol is flawed [3]. Controller synthesis enables one to find automatically the patch(es) to apply to make such a protocol secure. The use of dense-time to model the system clearly gives a more accurate and realistic model for the system and a potential attacker that can measure time. Our Contribution. In this paper, we first exhibit a class dTA of timed automata for which the SNNI verification problem is decidable. The other results are: (1) we prove that deciding whether there is controller C for A such that (s.t. in the following) C(A) is SNNI, is decidable for the previous class dTA; (2) we reduce the SNNI synthesis problem to solving a sequence of safety timed games.

30

G. Benattar et al.

Organization of the paper. Section 2 recalls the basics of timed automata, timed languages and some results on safety timed games. Section 3 gives the definition of the non-interference synthesis problem we are interested in. Section 4 contains the main result: we show that there is a largest subsystem which is SNNI and this subsystem is effectively computable. Finally, in Section 5 we conclude and give a list of open problems and future work.

2 Preliminaries Let R+ be the set of non-negative reals and N the set of integers. Let X be a finite set of positive real-valued variables called clocks. A valuation of the variables in X is a function X → R+ , that can be written as a vector of RX + . We let 0X be the valuation s.t. 0X (x) = 0 for each x ∈ X and use 0 when X is clear from the context. Given a valuation v and R ⊆ X, v[R  → 0] is the valuation s.t. v[R  → 0](x) = v(x) if x  ∈ R and 0 otherwise. An atomic constraint (over X) is of the form x ∼ c, with x ∈ X, ∼∈ {<, ≤, =, ≥, >} and c ∈ N. A (convex) formula is a conjunction of atomic constraints. C(X) is the set of convex formulas. Given a valuation v (over X) and a formula γ over X, γ(v) is the truth value, in B = {true, false}, of γ when each symbol x in γ is replaced by v(x). If t ∈ R+ , we let v + t be the valuation s.t. (v + t)(x) = v(x) + t. Let |V | be the cardinality of the set V . Let Σ be a finite set, ε  ∈ Σ and Σ ε = Σ ∪ {ε}. A timed word w over Σ is a sequence w = (δ0 , a0 )(δ1 , a1 ) · · · (δn , an ) s.t. (δi , ai ) ∈ R+ × Σ for 0 ≤ i ≤ n where δi represents the amount of time elapsed1 between ai−1 and ai . T Σ ∗ is the set of timed words over Σ. We denote by uv the concatenation of two timed words u and v. As usual ε is also the empty word s.t. (δ1 , ε)(δ2 , a) = (δ1 + δ2 , a). Given a timed word w ∈ T Σ ∗ and L ⊆ Σ the projection of w over L is denoted by πL (w) and is defined by πL (w) = (δ0 , b0 )(δ1 , b1 ) · · · (δn , bn ) with bi = ai if ai ∈ L and bi = ε otherwise. The untimed projection of w, Untimed(w), is the word a0 a1 · · · an of Σ ∗ . A timed language is a subset of T Σ ∗ . Let L be a timed language, the untimed language of L is Untimed(L) = {v ∈ Σ ∗ | ∃w ∈ L s.t. v = Untimed(w)}. A timed transition system (TTS) is a tuple S = (S, s0 , Σ ε , →) where S is a set of states, s0 is the initial state, Σ a finite alphabet of actions, →⊆ S × Σ ε ∪ R+ × S is e the transition relation. We use the notation s − → s if (s, e, s ) ∈→ and impose that for 0 each s ∈ S, s − → s. e1 e2 en A run ρ of S from s is a finite sequence of transitions ρ = q0 −→ q1 −→ · · · −→ qn s.t. q0 = s0 and (qi , ei , qi+1 ) ∈→ for 0 ≤ i ≤ n − 1. We denote by last(ρ) the last state of the sequence i.e., the state qn . We let Runs(s, S) be the set of runs from ∗ s in S and Runs(S) = Runs(s0 , S). We write q0 −→ qn if there is a run from q0 ∗ to qn . The set of reachable states in Runs(S) is Reach(S) = {s | s0 −→ s}. Each run can be written in a normal form where delay and discrete transitions alternate δ0 e0 δ1 e1 δn en δ  i.e., ρ = q0 −→ −→ q1 −→ −→ · · · −→ −→ qn+1 − → qn+1 . The trace of ρ is trace(ρ) = (δ0 , e0 )(δ1 , e1 ) · · · (δn , en ). 1

For i = 0 this is the amount of time since the system started.

Synthesis of Non-Interferent Timed Systems

31

A timed automaton (TA) is a tuple A = (Q, q0 , X, Σ ε , E, Inv) where: q0 ∈ Q is the initial location; X is a finite set of positive real-valued clocks; Σ ε is a finite set of actions; E ⊆ Q × C(X) × Σ ε × 2X × Q is a finite set of edges. An edge (q, γ, a, R, q  ) goes from q to q  , with the guard γ ∈ C(X), the action a and the reset set R ⊆ X; Inv : Q → C(X) is a function that assigns an invariant to any location; we require that the atomic formulas of an invariant are of the form x ∼ c with ∼∈ {<, ≤}. A finite (or untimed) automaton A = (Q, q0 , Σ ε , E) is a special kind of timed automaton with X = ∅, and consequently all the guards and invariants are vacuously true. A timed automaton A is deterministic if for (q1 , γ, a, R, q2 ), (q1 , γ  , a, R , q2 ) ∈ E, γ ∧ γ   = false ⇒ q2 = q2 and R = R . We recall that timed automata cannot always be determinized (i.e., find a deterministic TA which accepts the same language as a non-deterministic one, see [9]), and moreover, checking whether a timed automaton is determinizable is undecidable [10]. The semantics of a timed automaton A = (Q, q0 , X, ε Σ ε , E, Inv) is the TTS S A = (Q × RX + , (q0 , 0), Σ , →) defined in the usual way. If A s = (q, v) is a state of S , we denote by s+ δ the (only) state reached after δ time units, i.e., s + δ = (q, v + δ). The sets of runs of A is defined as Runs(A) = Runs(S A ) where S A is the semantics of A. A timed word w ∈ T Σ ∗ is generated by A if w = trace(ρ) for some ρ ∈ Runs(A). The timed language generated by A, L(A), is the set of timed words generated by A. Two automata A and B are language equivalent, denoted by A ≈ B, if L(A) = L(B) i.e., they generate the same set of timed words. Let A1 = (Q1 , q01 , X1 , Σ ε , E1 , Inv1 ) and A2 = (Q2 , q02 , X2 , Σ ε , E2 , Inv2 ) be two TA with X1 ∩ X2 = ∅. Let L ⊆ Σ. The synchronized product of A1 and A2 w.r.t. L, is the timed automaton A1 ×L A2 = (Q, q0 , X, Σ ε , E, Inv) defined in the usual way (synchronization occurs only for actions in L). When it is clear from the context we omit the subscript L in ×L . In the sequel we will use two operators on TA: the first one gives an abstracted automaton and simply hides a set of labels L ⊆ Σ. Given a TA A = (Q, q0 , X, Σ ε , E, Inv) and L ⊆ Σ we define the TA A/L = (Q, q0 , X, (Σ\L)ε , EL , Inv) where (q, γ, a, R, q  ) ∈ EL ⇐⇒ (q, γ, a, R, q  ) ∈ E for a ∈ Σ\L and (q, γ, ε, R, q  ) ∈ EL ⇐⇒ (q, γ, a, R, q  ) ∈ E for a ∈ L ∪ {ε}. The restricted automaton cuts transitions labeled by the letters in L ⊆ Σ: Given a TA A = (Q, q0 , X, Σ, E, Inv) and L ⊆ Σ we define the TA A\L = (Q, q0 , X, Σ\L, EL , Inv) where (q, γ, a, R, q  ) ∈ EL ⇐⇒ (q, γ, a, R, q  ) ∈ E for a ∈ Σ\L. We will also use some results on safety control for timed games which have been introduced and solved in [11]. A Timed Game Automaton (TGA) A = (Q, q0 , X, Σ, E, Inv) is a timed automaton with its set of actions Σ partitioned into controllable (Σc ) and uncontrollable (Σu ) actions. Let A be a TGA and Bad ⊆ Q × RX + be the set of bad states to avoid. Bad can be written ∪1≤i≤k (i , Zi ), with each Zi defined as a conjunction of formulas of C(X) and each i ∈ Q . The safety control problem for (A, Bad) is: decide wether there is a controller to constantly avoid Bad. Let λ be a fresh special symbol not in Σ ε denoting the action “do nothing”. A controller C for A is a partial function from Runs(A) to 2Σc ∪{λ} . We require a that ∀ρ ∈ Runs(A), if a ∈ C(ρ) ∩ Σc then last(ρ) −→ (q  , v  ) for some (q  , v  ) and

32

G. Benattar et al. δ

if λ ∈ C(ρ) then last(ρ) −→ (q  , v  ) for some δ > 0. A controller C is state-based or memoryless whenever ∀ρ, ρ ∈ Runs(A), last(ρ) = last(ρ ) implies that C(ρ) = C(ρ ). Remark 1. We assume a controller gives a set of actions that are enabled which differs from standard definitions [11] where a controller only gives one action. Nevertheless for safety timed games, one computes a most permissive controller (if there is one) which gives for each state the largest set of actions which are safe. It follows that any reasonable (e.g., Non-Zeno) sub-controller of this most permissive controller avoids the set of bad states. C(A) defines “A supervised/restricted by C” and is inductively defined by its set of runs: – (q0 , 0) ∈ Runs(C(A)), e e – if ρ ∈ Runs(C(A)) and ρ −→ s ∈ Runs(A), then ρ −→ s ∈ Runs(C(A)) if one of the following three conditions holds: 1. e ∈ Σu , 2. e ∈ Σc ∩ C(ρ), δ δ 3. e ∈ R+ and ∀δ s.t. 0 ≤ δ < e, last(ρ) −→ last(ρ) + δ ∧ λ ∈ C(ρ −→ last(ρ) + δ). C(A) can also be viewed as a TTS where each state is a run of A and the transitions are given by the previous definition. C is a winning controller for (A, Bad) if Reach(C(A)) ∩ Bad = ∅. For safety timed games, the results are the following [11,12]: – it is decidable (EXPTIME-complete) whether there is a winning controller for a safety game (A, Bad); – in case there is one, there is a most permissive controller which is memoryless on the region graph of the TGA A. This most permissive controller can be represented by a TA. This also means that the set of runs of C(A) is itself the semantics of a timed automaton, that can be effectively built from A.

3 Non-Interference Synthesis Problem The strong non-deterministic non-interference (SNNI) property has been first proposed by Focardi [1] as a trace-based generalization of non-interference for concurrent systems. In the sequel, we assume A = (Q, q, X, Σh ∪ Σl , E, Inv) is a timed automaton where Σl (resp. Σh ) is the set of public (resp. private) actions and we let Σ = Σh ∪ Σl . Definition 1 (SNNI). A has the strong non-deterministic non-interference property (in short “A is SNNI”) if A/Σh ≈ A\Σh .  The SNNI verification problem (SNNI-VP) asks to check whether a system A is SNNI. Example 1 (SNNI). Figure 1 gives examples of systems A(k) which are SNNI and not SNNI depending on the value of integer k. The high-level actions are Σh = {h} and the low-level actions are Σl = {l}. (δ, l) with 1 ≤ δ < 2 is a trace of A(1)/Σh but not of A(1)\Σh and so, A(1) is not SNNI. A(2) is SNNI as we can see that A(2)/Σh ≈ A(2)\Σh . Note that A(k) without the clock constraints, then it is SNNI. 

Synthesis of Non-Interferent Timed Systems

33

Remark 2. Let Lh = Σl∗ Σh Σ ∗ . Then L(A\Σh ) = L(A)\Lh . Also L(A/Σh ) = πΣl (L(A)). This shows that SNNI is really a language property as if L(A) = L(B), then A is SNNI iff B is SNNI. We anticipate on the definition of the SNNI control h, x ≥ k 0 2 problem (SNNI-CP): in general, control problems are more difficult than the corresponding verification l, x ≥ 2 problems and this is the case for the SNNI-CP. Thus l we cannot expect to solve the SNNI-CP if the SNNIVP is undecidable. The SNNI-VP for TA consists in 1 3 checking whether a TA is SNNI. It was proved in [7] that the SNNI-VP is undecidable for non determinisFig. 1. Automaton A(k) tic timed automata. We first refine this result and exhibit a class of TA for the SNNI-VP is decidable. Let dTA be the set of TA A s.t. A\Σh is deterministic (membership in dTA can be checked syntactically). Theorem 1. The SNNI-VP is PSPACE-complete for dTA. The proof of PSPACE-hardness consists in reducing the language inclusion problem L(B) ⊆ L(A) with A a deterministic TA, which is PSPACE-complete [9], to the SNNIVP. PSPACE-easiness is proved along the same lines. Proof. L(A\Σh ) ⊆ L(A/Σh ) is always true. Checking whether L(B) ⊆ L(A) with A a deterministic TA is PSPACE-complete [9]. Thus checking if L(A/Σh ) ⊆ L(A\Σh ) can be done in PSPACE for dTA and the SNNI-VP is thus in PSPACE. For PSPACE-hardness, we reduce the language inclusion problem L(B) ⊆ L(A) with A a deter• iB B ministic TA, to the SNNI-VP. Let A be a determinish tic timed automaton (initial location iA ) defined over Σl and B a timed automaton (initial location iB ) de• fined over Σl . We let D be the timed automaton over A iA Σl ∪ Σh , with Σh = {h} and h  ∈ Σl , defined as in Figure 2. It follows that L(B) ⊆ L(A) ⇐⇒ D is SNNI. =⇒ holds because if L(B) ⊆ L(A) then Fig. 2. Timed Automaton D L(D/Σh ) = L(B) ∪ L(A) = L(A) = L(D\Σh ). For the converse ⇐=, if D is SNNI L(A) ∪ L(B) = L(D/Σh ), and as L(D/Σh ) = L(D\Σh ) = L(A) we get L(B) ⊆ L(A).  This reduction of language inclusion to the SNNI-VP also holds for finite automata. For finite non-deterministic automata, checking language inclusion is in PSPACE [13]. It follows that the SNNI-VP is in PSPACE for non-deterministic A\Σh and in PTIME for deterministic A\Σh . Table 1 summarizes the results for the SNNI-VP. The previous non-interference verification problem (SNNI-VP), consists in checking whether an automaton A has the non-interference property. If the answer is “no”, one has to investigate why the non-interference property is not true, modify A and check the property again. In contrast to the verification problem, the synthesis problem indicates

34

G. Benattar et al. Table 1. Results for the SNNI-VP A\Σh Deterministic A\Σh Non-Deterministic

Finite Automata Timed Automata PTIME PSPACE-Complete PSPACE-Complete Undecidable [7]

whether there is a way of restricting the behavior of users to ensure a given property. Thus we consider that only some actions in the set Σc , with Σc ⊆ Σh ∪ Σl , are controllable and can be disabled. We let Σu = Σ \Σc denote the actions that are uncontrollable and thus cannot be disabled. Recall that a controller C for A gives for each run ρ of A the set C(ρ) ∈ 2Σc ∪{λ} of actions that are enabled after this particular run. The SNNI-Control Problem (SNNICP) we are interested in is the following: Is there a controller C s.t. C(A) is SNNI ?

(SNNI-CP)

The SNNI-Controller Synthesis Problem (SNNI-CSP) asks to compute a witness when the answer to the SNNI-CP is “yes”.

4 Algorithms for the Synthesis Problems 4.1 Preliminary Remarks First we motivate our definition of controllers which h 0 1 are mappings from Runs(A) to 2Σc ∪{λ} . The common definition of a controller in the literature is a mapping a a from Runs(A) to Σc ∪ {λ}. Indeed, for the safety (or reachability) control problem, one can compute a map3 2 ping M : Runs(A) → 2Σc ∪{λ} (most permissive controller), and a controller C ensures the safety goal iff Fig. 3. Automaton D C(ρ) ∈ M (ρ). This implies that any sub-controller of M is a good controller. This is not the case for SNNI, even for finite automata, as the following example shows. Example 2. Let us consider the automaton D of Figure 3 with Σc = {a, h}. The largest sub-system of D which is SNNI is D itself. Disabling a from state 0 will result in an automaton which is not SNNI.  We are thus interested in computing the largest (if there is such) sub-system of A that we can control which is SNNI. Second, in our definition we allow a controller to forbid any controllable action. In contrast, in the literature, a controller should ensure some liveness and never block the system. In the context of security property, it makes sense to disable everything if the security policy cannot be enforced otherwise. This makes the SNNI-CP easy for finite automata.

Synthesis of Non-Interferent Timed Systems

35

Theorem 2. For finite automata, the SNNI-CP is PSPACE-Complete. The proof consists in proving that if a finite automaton can be restricted to be SNNI, then disabling all the Σc actions is a solution. Thus the SNNI-CP reduces to the SNNIVP and the result follows. Proof. As time is not taken into acount in untimed automaton, we can have C(ρ) = ∅ for finite automaton (for general timed automaton, this would mean that we block the time.) The proof of the theorem consists in proving that if a finite automaton can be restricted to be SNNI, then disabling all the Σc actions is a solution. Let C∀ be the controller defined by C∀ (ρ) = ∅. We prove the following: if C is a controller s.t. C(A) is SNNI, then C∀ (A) is SNNI. Assume a finite automaton D is SNNI. Let e ∈ Σh ∪ Σl and let Le be the set of words containing at least one e. Depending on the type of e we have: – if e ∈ Σl , then L((D\{e})\Σh) = L(D\Σh ) \ Le and as D is SNNI, it is also equal to L(D/Σh ) \ Le = L((D\{e})/Σh ); – if e ∈ Σh , L((D\{e})/Σh ) ⊆ L(D/Σh ) = L(D\Σh ) = L((D\{e})\Σh ). So, if D is SNNI, D\L is SNNI, ∀L ⊆ Σ. By remark 2, since L(C∀ (D)) = L(D\Σc ), if D is SNNI, then D\Σc is also SNNI and therefore C∀ (D) is SNNI. Let A be the TA we want to restrict. Assume there is a controller C s.t. C(A) is SNNI. C∀ (C(A)) is SNNI so C∀ (C(A)) = C∀ (A) is also SNNI which means that A\Σc is SNNI. This proves that: ∃C s.t. C(A) is SNNI ⇔ A\Σc is SNNI. It is then equivalent to check that A\Σc is SNNI to solve the SNNI-CP for A and this can be done in PSPACE. PSPACE-hardness comes from the reduction of SNNI-VP to SNNI-CP, by taking Σc = ∅.  Theorem 2 does not hold for timed automata as the following example demonstrates. Example 3. Figure 4 gives an example of a timed automaton H with high-level actions Σh = {h} and low-level actions Σl = {a, b}. Assume Σc = {a}. Notice that H\Σc is not h, x > 4 SNNI. Let the state based controller C be de0 2 fined by: C(0, x) = {a, λ} when H is in state a, x > 1 b (0, x) with x < 4; and C(0, x) = {a} when x = 4. Then C(H) is SNNI. In this example, 1 3 when x = 4 we prevent time from elapsing by forcing the firing of a which indirectly disables Fig. 4. The Automaton H action h. To do this we just have to add an invariant [x ≤ 4] to location 0 of H and this cuts out the dashed transitions rendering C(H) SNNI. 

4.2 Algorithms for SNNI-CP and SNNI-CSP In this section we first prove that the SNNI-CP is EXPTIME-hard for dTA. Then we give an EXPTIME algorithm to solve the SNNI-CP and SNNI-CSP.

36

G. Benattar et al.

Theorem 3. For dTA, the SNNI-CP is EXPTIME-Hard. Proof. The safety control problem for TA is EXPTIME-hard [14]. In the proof of this theorem, T.A. Henzinger and P.W. Kopke use timed automata where the controller chooses an action and the environment resolves non-determinism. The hardness proof reduces the halting problem for alternating Turing Machines using polynomial space to a safety control problem. In our framework, we use TA with controllable and uncontrollable actions. It is not difficult to adapt the hardness proof of [14] to TA which are deterministic w.r.t. Σc actions and non deterministic w.r.t. Σu actions. As Σu transitions can never be disabled (they act only as spoiling actions), we can use a different label for each uncontrollable transition without altering the result in our definition of the safety control problem. Hence: the safety control problem as defined in section 2 is EXPTIME-hard for deterministic TA (with controllable and uncontrollable transitions). This problem can be reduced to the safety control problem of TA with only one state bad. We can now reduce the safety control problem for deterministic TA which is EXPTIME-hard to the SNNI control problem on dTA. Let A = (Q ∪ {bad}, q0 , X, Σc ∪ Σu , E, Inv) be a TGA, with Σc (resp. Σu ) the set of controllable (resp. uncontrollable) actions, and bad a location to avoid. We define A by adding to A two uncontrollable transitions: (bad, true, h, ∅, qh ) and (qh , true, l, ∅, ql ) where qh and ql are fresh locations with invariant true. l and h are two fresh uncontrollable actions in A . We now define Σh = {h} and Σl = Σc ∪Σu ∪{l} for A . By definition of A , for any controller C, if location Bad is not reachable in C(A ), then the actions h and then l can not be fired. Thus if there is controller for C for A which avoids Bad, the same controller C renders A SNNI. Now if there is a controller C  s.t. C  (A ) is SNNI, it must never enable h: otherwise a (untimed) word w.h.l would be in Untimed(L(C  (A )/Σh )) but as no untimed word containing an l can be in Untimed(L(C  (A )\Σh )), and thus C  (A ) would not be SNNI. Notice that it does not matter whether we require the controllers to be non blocking (mappings from Runs(A) to 2Σc ∪{λ} \ ∅) or not as the reduction holds in any case.  To compute the most permissive controller (and we will also prove there is one), we build a safety game and solve a safety control problem. It may be necessary to iterate this procedure. Of course, we restrict our attention to TA in the class dTA for which the SNNI-VP is decidable. Let A = (Q, q0 , X, Σh ∪ Σl , E, Inv) be a TA s.t. A\Σh is deterministic. The idea of the reduction follows from the following remark: we want to find a controller C s.t. L(C(A)\Σh ) = L(C(A)/Σh ). For any controller C we have L(C(A)\Σh ) ⊆ L(C(A)/Σh ) because each run of C(A)\Σh is a run of C(A)/Σh ). To ensure SNNI we must have L(C(A)/Σh ) ⊆ L(A\Σh ): indeed, A\Σh is the largest language that can be generated with no Σh actions, so a necessary condition for enforcing SNNI is L(C(A)/Σh ) ⊆ L(A\Σh ). The controller C(A) indicates what must be pruned out in A to ensure the previous inclusion. Our algorithm thus proceeds as follows: we first try to find a controller C 1 which ensures that L(C 1 (A)/Σh ) ⊆ L(A\Σh ). If L(C 1 (A)/Σh ) = L(A\Σh ) then C 1 is the most permissive controller that enforces SNNI. It could be that what we had to prune out to ensure L(C 1 (A)/Σh ) ⊆ L(A\Σh ) does not render C 1 (A) SNNI. In this case we may have to iterate the previous procedure on the new system C 1 (A).

Synthesis of Non-Interferent Timed Systems

37

We first show how to compute C 1 . As A\Σh is deterministic, we can construct A2 = (Q ∪ {qbad }, q02 , X2 , Σh ∪ Σl , E2 , Inv2 ) which is a copy of A (with clock renaming) with qbad being a fresh location and s.t. A2 is a complete (i.e., L(A2 ) = T Σ ∗ ) version of A\Σh (A2 is also deterministic). We write last2 (w) the state (q, v) reached in A2 after reading a timed word w ∈ T Σ ∗ . A2 has the property that w ∈ L(A\Σh ) if the state reached in A2 after reading w is not in Bad with Bad = {(qbad , v) | v ∈ RX + }. Fact 1. Let w ∈ T Σ ∗ . Then w  ∈ L(A\Σh ) ⇐⇒ last2 (w) ∈ Bad. We now define the product Ap = A ×Σl A2 and the set of bad states, Bad⊗ of Ap to be the set of states where A2 is in Bad. − →p denotes the transition relation of the semantics of Ap and s0p the initial state of Ap . When it is clear from the context we omit the subscript p in − →p . w

Lemma 1. Let w ∈ L(A). Then there is a run ρ ∈ Runs(Ap ) s.t. ρ = s0p −−→p s with s ∈ Bad⊗ iff πΣl (w)  ∈ L(A\Σh ). The proof follows easily from Fact 1. Given a run ρ in Runs(Ap ), we let ρ|1 be the projection of the run ρ on A (uniquely determined) and ρ|2 be the unique run2 in A2 whose trace is πΣl (trace(ρ)). The following Theorem proves that any controller C s.t. C(A) is SNNI can be used to ensure that Bad⊗ is not reachable in the game Ap : Lemma 2. Let C be a controller for A s.t. C(A) is SNNI. Let C ⊗ be a controller on Ap defined by C ⊗ (ρ ) = C(ρ|1 ). Then, Reach(C ⊗ (Ap )) ∩ Bad⊗ = ∅. Proof. First C ⊗ is well-defined because ρ|1 is uniquely defined. Let C be a controller for A s.t. C(A) is SNNI. Assume Reach(C ⊗ (Ap )) ∩ Bad⊗  = ∅. By definition, there is a run ρ in Runs(C ⊗ (Ap )) such that: e

e

e

1 2 ρ = ((q0 , q02 ), (0, 0)) −−→ ((q1 , q1 ), (v1 , v1 )) −−→ · · · −−n→ ((qn , qn ), (vn , vn ))

en+1

  −−−→ ((qn+1 , qn+1 ), (vn+1 , vn+1 ))   with ((qn+1 , qn+1 ), (vn+1 , vn+1 )) ∈ Bad⊗ and we can assume (qi , vi )  ∈ Bad for 2 1 ≤ i ≤ n (and q0  ∈ Bad). Let ρ = ρ|1 and w = πΣl (trace(ρ )) = πΣl (trace(ρ)). We can prove (1): ρ ∈ Runs(C(A)) and (2): w  ∈ L(C(A)\Σh ). (1) directly follows from the definition of C ⊗ . This implies that w ∈ L(C(A)/Σh ). (2) follows from Lemma 1. By (1) and (2) we obtain that w ∈ L(C(A)/Σh ) \ L(C(A)\Σh ) i.e., L(C(A)/Σh )  = L(C(A)\Σh ) and so C(A) does not have the SNNI property which is a contradiction. Hence Reach(C ⊗ (Ap )) ∩ Bad⊗ = ∅. 

If we have a controller which solves the safety game (Ap , Bad⊗ ), we can build a controller which ensures that L(C(A)/Σh ) ⊆ L(A\Σh ). Notice that as emphasized before, this does not necessarily ensure that C(A) is SNNI. Lemma 3. Let C ⊗ be a controller for Ap s.t. Reach(C ⊗ (Ap ))∩Bad⊗ = ∅. Let C(ρ) = C ⊗ (ρ ) if ρ|1 = ρ. C is well-defined and L(C(A)/Σh ) ⊆ L(A\Σh ). 2

Recall that A2 is deterministic.

38

G. Benattar et al. e

e

e

1 2 Proof. Let ρ = (q0 , 0) −−→ (q1 , v1 ) −−→ · · · −−n→ (qn , vn ) be a run of A. Since e1 A2 is deterministic and complete there is exactly one run ρ = ((q0 , q0 ), (0, 0)) −−→ e2 en      ((q1 , q1 ), (v1 , v1 )) −−→ · · · −−→ ((qn , qn ), (vn , vn )) in Ap s.t. ρ|1 = ρ. So C is welldefined. Now, assume there is some w ∈ L(C(A)/Σh ) \ L(A\Σh ). Then, there is a run ρ in Runs(C(A)) ⊆ Runs(A) s.t. πΣl (trace(ρ)) = w, there is a unique run ρ ∈ Runs(Ap ) s.t. ρ|1 = ρ and trace(ρ ) = w. First by Lemma 1, last(ρ ) ∈ Bad⊗ . Second, this run ρ is in Runs(C ⊗ (Ap )) because of the definition of C. Hence Reach(C ⊗ (Ap ))∩ Bad⊗  = ∅ which is a contradiction. 

It follows that if C ⊗ is the most permissive controller for Ap then C(A) is a timed automaton (and can be effectively computed) because the most permissive controller for safety timed games is memoryless. More precisely, let RG(Ap ) be the the region graph of Ap . C is memoryless on RG(Ap \Σh ) because A2 is deterministic. The memory required by C is at most RG(A\Σh ) on the rest of the region graph of RG(Ap ). Assume the safety game (Ap , Bad⊗ ) can be won and C ⊗ is the most permissive controller. Let C be the controller obtained using Lemma 3. Controller C ensures that L(C(A)/Σh ) ⊆ L(A\Σh ). But as the following example shows, it may be the case that C(A) is not SNNI. Example 4. Consider the TA K of Figure 5 with Σh = {h} and Σc = {a}. We can compute C(K) from C ⊗ which sata, x ≥ 2 h isfies Reach(C ⊗ (K ×Σl K2 )) ∩ Bad⊗ = 0 4 3 ∅, and is given by the sub-automaton of K a, x ≥ 2 with the plain arrows. C(K) is obviously h b not SNNI. For the example of A(1) in Fig1 2 3 ure 1, if we compute C in the same manner, we obtain C(A(1)) = A(2) and moreover Fig. 5. The Automaton K L(C(A(1))/Σh ) = L(A(1)\Σh ). And then the most permissive sub-system which is SNNI is given by C(A(1)) = A(2) (the guard x ≥ 1 of A(1) is strenghtened).  The example of Figure 5 shows that computing the most permissive controller on Ap is not always sufficient. Actually, we may have to iterate the computation of the most permissive controller on the reduced system C(A). Lemma 4. Consider the controller C as defined in Lemma 3. If C(A)\Σh ≈ A\Σh then C(A) is SNNI. Proof. If C(A)\Σh ≈ A\Σh , then, L(C(A)/Σh ) ⊆ L(A\Σh ) = L(C(A)\Σh ). As L(C(A)\Σh ) ⊆ L(C(A)/Σh ) is always true, L(C(A)/Σh ) = L(C(A)\Σh ) and so, C(A) is SNNI.  Let ⊥ be the symbol that denotes non controllability (or the non existence of a controller). We inductively define the sequence of controllers C i and timed automata Ai as follows:

Synthesis of Non-Interferent Timed Systems

39

– let C 0 be the controller defined by C 0 (ρ) = 2Σc ∪{λ} and A0 = C 0 (A) = A; ⊗ – Let Aip = Ai ×Σl Ai2 and Ci+1 be the most permissive controller for the safety game ⊗ i (Ap , Badi ) (⊥ if no such controller exists). We use the notation Bad⊗ i because ⊗ this set depends on Ai2 . We define C i+1 using Lemma 3: C i+1 (ρ) = Ci+1 (ρ ) if  i+1 i+1 i ρ|1 = ρ. Let A = C (A ). By Lemma 4, if C i+1 (Ai )\Σh ≈ Ai \Σh then C i+1 (Ai ) is SNNI. Therefore this condition is a sufficient condition for the termination of the algorithm defined above: Lemma 5. There exists an index i ≥ 1 s.t. C i (Ai−1 ) is SNNI or C i = ⊥. Proof. We prove that the region graph of C i+1 (Ai ) is a subgraph of the region graph of C 1 (A0 ) for i ≥ 1. By Lemma 3 (and the remark following it), C 1 (A0 ) is a subgraph of RG(A × A2 ). Moreover C 1 is memoryless on A\Σh and requires a memory of less than |RG(A\Σh )| on the remaining part. Assume on this part, a node of RG(A × A2 ) is of the form ((q, r), k) where q is a location of A and r a region of A and k ∈ {1, |RG(A\Σh )|}. Assume RG(Ak ) is a subgraph of RG(Ak−1 ) for k ≥ 2 and RG(Ak−1 \Σh ) is subgraph of RG(A\Σh ). Using Lemma 3, we can compute Ak = C k (Ak−1 ) and: (1) RG(Ak \Σh ) is a subgraph of Ak−1 \Σh and (2) the memory needed for Ck⊗ on the remaining part is less than |RG(Ak−1 )|. Actually, because Ak−1 \Σh is deterministic, no more memory is required for C k . Indeed, the memory corresponds to the nodes of Ak \Σh . Thus a node of RG(Ak ) which is not in RG(Ak \Σh ) is of the form ((q, r), k, k  ) with k = k  or k  = qbad . This implies that RG(Ak ) is a subgraph of RG(Ak−1 ). The most permissive controller Ci⊗ will either disable at least one controllable trani−1 sition of Ai−1 p \Σh or keep all the controllable transitions of Ap \Σh . In the latter case i i−1 i i−1 A \Σh = A \Σh and otherwise |RG(A \Σh )| < |RG(A \Σh )|. This can go on at most |RG(A\Σh )| steps. In the end either Ai \Σh = Ai−1 \Σh and this implies that Ai \Σh ≈ Ai−1 \Σh (Lemma 4) or it is impossible to control Ai−1 and C i = ⊥. In any case, our algorithm terminates in less than |RG(A)| steps.  To prove that we obtain the most permissive controller which enforces SNNI, we use the following Lemma: Lemma 6. If M is a controller such that L(M (A)/Σh ) = L(M (A)\Σh ), then ∀i ≥ 0 and ∀ρ ∈ Runs(A), M (ρ) ⊆ C i (ρ). Proof. The proof is by induction: – for i = 0 it holds trivially. – Assume the Lemma holds for indices up until i. Thus we have Runs(M (A)) ⊆ Runs(Ai ). Therefore, we can define M over Ai and M (Ai ) is SNNI. By Lemma 2, ⊗ ⊗   M ⊗ is a controller for the safety game (Aip , Bad⊗ i ), therefore M (ρ ) ⊆ Ci+1 (ρ ) ⊗ i+1 because Ci+1 is the most permissive controller. This implies that M (ρ) ⊆ C (ρ) by definition of C i+1 .  Using Lemma 5, the sequence C i converges to a fix-point. Let C ∗ denote this fix-point.

40

G. Benattar et al.

Lemma 7. C ∗ is the most permissive controller for the SNNI-CSP. Proof. Either C ∗ = ⊥ and there is no way of enforcing SNNI (Lemma 2), or C ∗  =⊥ is such that L(C ∗ (A)/Σh ) = L(C ∗ (A)\Σh ) by Lemma 3. As for any valid controller M such that L(M (A)/Σh ) = L(M (A)\Σh ) we have M (ρ) ⊆ C ∗ (ρ) for each ρ ∈ Runs(A) (Lemma 6) the result follows.  Lemma 5 proves the existence of a bound on the number of times we have to solve safety games. For a timed automaton A in dTA, let |A| be the size of A. Lemma 8. For a dTA A, C ∗ can be computed in O(24.|A| ). Proof. As the proof of Lemma 5 shows, the region graph of Ai is a subgraph of the region graph of A1 , ∀i ≥ 1, and the algorithm ends in less than |RG(A)| steps. Computing the most permissive controller for Aip avoiding Bad⊗ i can be done in linear time in the size of the region graph of Aip . As RG(Ai ) is a subgraph of RG(A1 ), RG(Aip ) is a subgraph of RG(A1p ). So we have to solve at most |RG(A)| safety games of sizes at most |RG(A1p )|. As A1 is a subgraph of A0p = A0 ×Σl A02 , |RG(A1 )| ≤ |RG(A)|2 . And as A1p = A1 ×Σl A12 , |RG(A1p )| ≤ |RG(A)|3 . So, C ∗ can be computed in O(|RG(A)|.|RG(A1p )|) = O(|RG(A)|4 ) = O(24.|A| ).  Theorem 4. For dTA, the SNNI-CP and SNNI-CSP are EXPTIME-complete. For the special case of finite automata we even have: Lemma 9. For finite automata C ∗ = C 2 . Proof. We know that L(C 2 (A)\Σh ) ⊆ L(C 1 (A)\Σh ). Suppose that ∃w s.t. w ∈ L(C 1 (A)\Σh ) and w  ∈ L(C 2 (A)\Σh ) (w cannot not be the empty word). We can assume that w = u.l with u ∈ Σl∗ , l ∈ Σl ∩ Σc and u ∈ L(C 1 (A)\Σh ) and u.l  ∈ L(C 2 (A)\Σh ) (l is the first letter which witnesses the non membership property). If l had to be pruned in the computation of C 2 , it is because there is a word u.l.m with m ∈ Σu∗ s.t. πΣl (u.l.m) ∈ L(C 1 (A)/Σh ) but πΣl (u.l.m)  ∈ L(C 1 (A)\Σh ). But 1 1 by definition of C , L(C (A)/Σh ) ⊆ L(A\Σh ) (Lemma 3) and thus πΣl (u.l.m) ∈ L(A\Σh ). As u.l ∈ Σl∗ , πΣl (u.l.m) = u.l.πΣl (m) and πΣl (m) ∈ Σu∗ . Since u.l ∈ L(C 1 (A)\Σh ) and πΣl (m) ∈ Σu∗ , we have u.l.πΣl (m) ∈ L(C 1 (A)\Σh ) which is a contradiction. Thus L(C 2 (A)\Σh ) = L(C 1 (A)\Σh ) which is our stoping condition by lemma 4 and thus C ∗ = C 2 .  It follows that when A\Σh is deterministic, A a finite automaton, the SNNI-CSP is PSPACE-complete. As untimed automata can always be determinized, we can extend our algorithm to untimed automata when A\Σh non-deterministic. It suffices to determinize Ai2 , i = 1, 2: Theorem 5. For a finite automaton A such that A\Σh is non deterministic, the SNNICSP can be solved in EXPTIME. Proposition 1. There is a family of FA (Ai )i≥0 such that: (i) there is a most permissive controller Di∗ s.t. Di∗ (Ai ) is SNNI and (ii) the memory required by Di∗ is exponential in the size of Ai .

Synthesis of Non-Interferent Timed Systems

41

Proof. Let A be a finite automaton over the alphabet Σ. Define the automaton A as given by Figure 6. Assume the automaton B is the sub-automaton of A with initial state q0 . We take Σh = {h} = Σu and Σl = Σ = Σc . The most permissive controller D s.t. D(A ) is SNNI generates the largest sub-language of L(A ) s.t. L(A \Σh ) = L(A /Σh ) and thus it generates L(A) = L(A \Σh ). The controller D is memoryless on A \Σh as emphasized in Lemma 3. It needs finite memory on the remaining part i.e., on B. The controller D on B gives for each run a h w set of events of Σ that can be enabled: D(q0 −−→ q0 −−→ q0 ) = X with w ∈ Σ ∗ and X ⊆ Σl .As B is deterministic, D needs only the knowledge of w and we can write D(hw) ignoring the states of A . For B we can even write D(w) instead of D(hw). Define the equivalence relation ≡ on Σ ∗ by: w ≡ w if D(w) = D(w ). Denote the ∗ class of a word w by [w]. Because D is memory bounded, Σ/≡ is of finite index which is exactly the memory needed by D. Thus we can define an automaton D/≡ = q0 (M, m0 , Σ, →) by: M = {[w] | w ∈ Σ ∗ }, • Σl a m0 = [ε], and [w] −−→ [wa] for a ∈ D(hw). h D/≡ is an automaton which accepts L(A) (and it is isomorphic to D(B)) and the size of which is A • the size of D because B has only one state. This q0 automaton is deterministic and thus D/≡ is also deterministic and accepts L(A). There is a family (Ai )i≥0 of non-deterministic FA, such that Fig. 6. Automaton B the deterministic and language-equivalent automaton of each Ai requires at least exponential size. For each of these Ai we construct the i controller D/≡ as described before, and this controller must have at least an exponential size (w.r.t. to Ai ). This proves the EXPTIME lower bound. 

5 Conclusion and Future Work In this paper we have studied the strong non-deterministic non-interference control problem (SNNI-CP) and control synthesis problem (SNNI-CSP) in the timed setting. The main results we have obtained are: (1) the SNNI-CP can be solved if A\Σh can be determinized and is undecidable otherwise; (2) the SNNI-CSP can be solved by solving a finite sequence of safety games if A\Σh can be determinized. Table 2. Summary of the Results A Timed Automaton A Finite Automaton A\Σh Non-Det. A\Σh Det. A\Σh Non-Det. A\Σh Det. SNNI-VP undecidable PSPACE-C PSPACE-C PTIME SNNI-CP undecidable EXPTIME-C PSPACE-C PTIME SNNI-CSP undecidable EXPTIME-C EXPTIME PSPACE-C

The summary of the results is given in Table 2. For non-deterministic FA, we have proved that EXPTIME is a lower bound.

42

G. Benattar et al.

Our future work will consist in extending this work to other types of non-interference properties, CSNNI and BSNNI which are more involved than SNNI. Indeed, there is not always a least restrictive controller for (bi)simulation based non-interference. Thus it is interesting to determine conditions under which a least restrictive controller exists for the BSNNI-CSP and CSNNI-CSP.

References 1. Focardi, R., Gorrieri, R.: Classification of security properties. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 331–396. Springer, Heidelberg (2001) 2. Focardi, R., Gorrieri, R.: The compositional security checker: A tool for the verification of information flow security properties. IEEE Trans. Softw. Eng. 23(9), 550–571 (1997) 3. Focardi, R., Ghelli, A., Gorrieri, R.: Using non interference for the analysis of security protocols. In: Proceedings of DIMACS Workshop on Design and Formal Verification of Security Protocols (1997) 4. van der Meyden, R., Zhang, C.: Algorithmic verification of noninterference properties. Elec. Notes in Theo. Comp. Science 168(1), 61–75 (2006); Proceedings of the Second International Workshop on Views on Designing Complex Architectures (VODCA 2006) (2006) 5. D’Souza, D., Raghavendra, K.R., Sprick, B.: An automata based approach for verifying information flow properties. Elec. Notes in Theo. Comp. Science 135, 39–58 (2005)l; Proceedings of the Second Workshop on Automated Reasoning for Security Protocol Analysison (ARSPA 2005) (2005) 6. Sabelfeld, A., Myers, A.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21(1) (2003) 7. Gardey, G., Mullins, J., Roux, O.H.: Non-interference control synthesis for security timed automata. Elec. Notes in Theo. Comp. Science 180(1), 35–53 (2005); Proceedings of the 3rd International Workshop on Security Issues in Concurrency (SecCo 2005) (2005) 8. Cassez, F., Mullins, J., Roux, O.H.: Synthesis of non-interferent systems. In: Proceedings of the 4th Int. Conf. on Mathematical Methods, Models and Architectures for Computer Network Security (MMM-ACNS 2007). Communications in Computer and Inform. Science, vol. 1, pp. 307–321. Springer, Heidelberg (2007) 9. Alur, R., Dill, D.: A theory of timed automata. Theoretical Computer Science 126, 183–235 (1994) 10. Finkel, O.: On decision problems for timed automata. Bulletin of the European Association for Theoretical Computer Science 87, 185–190 (2005) 11. Maler, O., Pnueli, A., Sifakis, J.: On the synthesis of discrete controllers for timed systems. In: Mayr, E.W., Puech, C. (eds.) STACS 1995. LNCS, vol. 900, pp. 229–242. Springer, Heidelberg (1995) 12. D’Souza, D., Madhusudan, P.: Timed control synthesis for external specifications. In: Alt, H., Ferreira, A. (eds.) STACS 2002. LNCS, vol. 2285, pp. 571–582. Springer, Heidelberg (2002) 13. Stockmeyer, L.J., Meyer, A.R.: Word problems requiring exponential time: Preliminary report. In: STOC, pp. 1–9. ACM, New York (1973) 14. Henzinger, T., Kopke, P.: Discrete-time control for rectangular hybrid automata. In: Degano, P., Gorrieri, R., Marchetti-Spaccamela, A. (eds.) ICALP 1997. LNCS, vol. 1256, pp. 582– 593. Springer, Heidelberg (1997)

Critical Paths in the Partial Order Unfolding of a Stochastic Petri Net Anne Bouillard1 , Stefan Haar2 , and Sidney Rosario3 1

2

Irisa/ENS Cachan, Campus de Beaulieu, Rennes, France INRIA Saclay/ENS Cachan 61, avenue du Pr´esident Wilson 94235 Cachan, France 3 Irisa/Inria Rennes, Campus de Beaulieu, Rennes, France

Abstract. In concurrent real-time processes, the speed of individual components has a double impact: on the one hand, the overall latency of a compound process is affected by the latency of its components. But, if the composition has race conditions, the very outcome of the process will also depend on the latency of component processes. Using stochastic Petri nets, we investigate the probability of a transition occurrence being critical for the entire process, i.e. such that a small increase or decrease of the duration of the occurrence entails an increase or decrease of the total duration of the process. The first stage of the analysis focuses on occurrence nets, as obtained by partial order unfoldings, to determine criticality of events; we then lift to workflow nets to investigate criticality of transitions inside a workflow.

1

Introduction

This paper studies the impact of component performances - measured by transition delays - on the global performance of a composite workflow. This impact analysis is complicated by the presence of concurrency and of conflict, both of which may either hide individual delays or accentuate their impact. To capture these effects, we consider continuous time processes within the framework of partial order unfolding semantics [14, 10, 9] of Petri nets. To motivate the ideas, consider a machine servicing workflow, represented as a Petri net in Figure 1. A token in the initial place represents a client requesting that his machine be serviced. A client can revoke his request (by firing transition N ), but this has to be done before the servicing process has been started (by the firing of S). The machine has two components CX and CY , the operations servicing them are denoted by the transitions X and Y respectively. The component CY degrades when it is idle and has to be shipped to the client (denoted by transition D) as soon as possible after its servicing. If the machine can not be delivered (either because component CX ’s servicing has not yet finished or because the shipping process has not yet begun), after a certain time component CY has to be sent for servicing again (denoted by the firing of C). J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 43–57, 2009. c Springer-Verlag Berlin Heidelberg 2009 

44

A. Bouillard, S. Haar, and S. Rosario t N X

i

o D

S Y C

Fig. 1. A workflow net

The latency of events has a double impact on the configurations. Firstly, the overall latency of a configuration is affected by the latency of its individual events: the latency of a configuration is a max-plus combination of the latencies of its individual events. A second impact is the choice of configuration itself, since an event with a shorter latency can pre-empt the occurrence of a conflicting event whose delay is larger. The authors of [16] have analyzed first-passage time in event structures for a fixed configuration; here, we also take into account the second impact of real-time durations, namely, on choice. A concurrent system generally has several qualitatively possible evolutions (or configurations) that could occur. By ’qualitatively’ we mean the difference between runs that have different sets of events (rather than just different durations for the same set of events, which would be a merely quantitative distinction). Which one among the possible configurations actually occurs, depends in general on non-predetermined choices. In [6, 20, 4, 3], this is treated as a logical choice, or conflict; no timing issues are considered. Our approach combines the two orthogonal viewpoints, and considers timing and choice jointly rather than separately: the very shape and outcome of the process will depend on the latency of component processes. We capture the random and asynchronous character of such behaviours, and the dependencies encountered, e.g., in orchestrated processes, in Petri nets with stochastic delays on transitions. Although the work in this paper was initially motivated by Web-Services orchestrations, the scope of application encompasses all concurrent real-time processes. This paper is organized as follows. In Section 2, we recall the definitions for Petri Nets and their unfoldings. In Section 3, we introduce stochastic delays in those structures, which are then used to compute the occurrence probability of an event; In Section 4 we compute the probability for an event to be critical in an unfolding. Section 5 lifts the analysis to workflows and finishes the discussion of the running example; finally, Section 6 concludes. Proofs for the theorems can be found in an extended report [7].

Critical Paths in the Partial Order Unfolding of a Stochastic Petri Net

2

45

Petri Nets

Definition 1. A net is a tuple N = (P , T , F ) where – P = ∅ is a set of places, – T =  ∅ is a set of transitions such that P ∩ T = ∅, – F ⊆ (P × T ) ∪ (T × P ) is a set of flow arcs. Let N = {0, 1, . . .}, the set of natural numbers. A marking is a multiset m of places, i.e. a map from P to N. A Petri net is a tuple N = (P , T , F , m), where (P , T , F ) is a finite net, and m : P → N is an initial marking. Elements of P ∪ T are called the nodes of N . For a transition t ∈ T , we call • t = {p | (p, t ) ∈ F } the preset of t, t• = {p | (t, p) ∈ F } the postset of t . A transition t is enabled in marking m if ∀p ∈ • t, m(p) > 0. This enabled transition can fire, resulting in a new marking m = m − • t + t• ; this firing relation is denoted by m[t m . A marking m is reachable if there exists a sequence of transitions t0 , t1 . . . tn such that m0 [t0 m1 [t1 . . . [tn m. A net is safe if for all reachable markings m, m(p) ⊆ {0, 1} for all p ∈ P . From now on, we will consider only safe nets, and consider markings simply as place sets, i.e. we use the symbol m for the set {p ∈ P | m(p) = 1}. Let ≺ the transitive closure of F and the reflexive closure of ≺. The set of causes or prime configuration of x ∈ P ∪ T is [x]  {y | y x}. Further, write t1 #im t2 for transitions t1 and t2 if and only if t1 = t2 and • t1 ∩ • t2 = ∅; the conflict relation # ⊆ (T ∪ P )2 is given by a # b ⇔ ∃ta , tb ∈ T : ta #im tb ∧ ta a ∧ tb b.

(1)

Definition 2. A net ON = (B , E , G) is an occurrence net if and only if it satisfies 1. 2. 3. 4. 5.

is a partial order; for all b ∈ B , |• b| ∈ {0, 1}; for all x ∈ B ∪ E , [x] is finite; no self-conflict, i.e. there is no x ∈ B ∪ E such that x#x; the set of ≺-minimal nodes C0 is contained in B and finite.

The nodes of E are called events, those of B conditions. For every e in E, let e = •• e and e◦ = e• • . As for each place b, |• b| ≤ 1, the firing of event e requires that all events in ◦ e have fired previously. We also suppose that E contains an an initial event ⊥ such that ◦ e = {⊥} iff e is ≺-minimal in E \ ({⊥} ∪ • ⊥). A prefix of ON is any subnet spanned by a downward closed subset π ⊆ B ∪E , i.e. ∀x ∈ π, [x] ⊆ π. Prefix κ is a configuration if and only if it is conflict-free, i.e. x ∈ κ and x#y imply y ∈ κ. Denote as C(ON ) the set of ON ’s configurations. Call any ⊆-maximal element of C(ON ) a run of ON . Denote the set of ON ’s runs as Θ(ON ), or Θ if no confusion can arise. A pair (x, y) ∈ (B ∪ E )2 of nodes is concurrent, written x co y, if and only if neither x y nor y x nor x#y hold. Any set of conditions W ⊆ B such that all conditions in W are pairwise concurrent, is called a co-set. A ⊆ −maximal co-set is a cut. ◦

46

A. Bouillard, S. Haar, and S. Rosario

Occurrence nets are the mathematical form of the partial order unfolding semantics for Petri nets [10]; although more general applications are possible, we will focus here on unfoldings of safe Petri nets only. If N1 = (P1 , T1 , F1 ) and N2 = (P2 , T2 , F2 ) are nets, a homomorphism is a mapping h : P1 ∪ T1 → P2 ∪ T2 such that h(P1 ) ⊆ P2 and for every t1 ∈ T1 , the restriction of h to • t1 is a bijection between the set • t1 in N1 and the set • h(t1 ) • in N2 , and similarly for t1 • and (h(t1 )) . A branching process of safe Petri net N = (N , m0 ) is a pair β = (ON , π), where ON = (B , E , G) is an occurrence net, and π is a homomorphism from ON to N such that the restriction of π to C0 is a bijection from C0 to m0 , and for every e1 , e2 ∈ E , if • e1 = • e2 and h(e1 ) = h(e2 ) then e1 = e2 . Branching processes β1 = (ON 1 , π1 ) and β2 = (ON 2 , π2 ) for N are isomorphic iff there exists a bijective homomorphism h : ON 1 → ON 2 such that π1 = π2 ◦ h. The unique (up to isomorphism) maximal branching process β = (UN , π) of N is called the unfolding of N . Following [10], the unfolding of N can be computed using the canonical algorithm given below (we omit any cut-off criteria here since they are not essential for our purposes). Let β = (ON β , πβ ) be a branching process of N = (P , T , F , m0 ), where ON β = (Bβ , Eβ , Gβ ). Denote as PE(β) ⊆ T × P(Bβ ) the set of possible extensions of β, i.e. of the pairs (t , W ) such that – W is a co-set of ON β , – • t = πβ (W ), – Eβ contains no event e such that πβ (e) = t and • e = W . The unfolding procedure adapted from [10] for safe Petri net N = (N , m0 ) is then: – Let C0  m0 × {∅} and initialize β = (C0 , ∅, ∅, πβ ) with πβ sending all conditions in C0 to the corresponding place in m0 . – For given β = (ON β , πβ ) with ON β = (Bβ , Eβ , Gβ ), compute PE(β) and replace • Eβ by Eβ ∪ PE(β), • • Bβ by Bβ ∪ V , where V  {(p, e) | e ∈ PE(β), p ∈ πβ (e) }, and • Gβ by Gβ ∪ U , where U  {(b, (t , W )) | (t , W ) ∈ PE(β), b ∈ W } ∪   (e, (p, e)) | e ∈ PE(β), p ∈ πβ (e)• ; finally, extend πβ to the new nodes in the natural way, i.e. (t , W )  →t and (p, e)  → p. Figure 2 shows a prefix of the unfolding of the net of Figure 1. Note the multiple occurrences of the looping transition t (shaded in the figure). Every occurrence of t here corresponds to a distinct way in which the net of Figure 1 reaches the output transition o. Every occurrence of t is followed by the place i, which denotes that the net of Figure 1 has come back to its initial marking.

Critical Paths in the Partial Order Unfolding of a Stochastic Petri Net t

N i

X

S

i t

D

47

i D

t

C

Y

i

Y C

Y

Fig. 2. The (partial) unfolding of the workflow net of Figure 1

3

Adding Time and Probability

Until now, we have defined structures that model the concurrency between events. The applications and properties we are interested in (mainly Web-services) are strongly related to the timed behavior of those structures (cf. [11]). 3.1

Definitions and Assumptions

We will consider safe Petri nets N = (P , T , F , m0 ) such that each transition t ∈ T is equipped with a probability law Pt whose support is contained in [0, ∞). Pt gives the law of the delay δt for firing t after t is enabled. If t becomes enabled at time τ , a new realization δt (ω) of δt is drawn from Pt , independently of other transitions and of previous realizations of δt . If t is continuously enabled during the interval [τ, τ + δt (ω)], then t fires at time τ + δt (ω), otherwise it has been preempted. Upon unfolding N , the events of UN inherit the delay law from the corresponding transitions of N : we obtain a family (δe )e∈E such that δe ∼ δπ(e) . Note that our approach is not to be confounded with Timed Event Structures, see [12],where delays merely indicate when an event may occur (but is not forced to). Let ON = (B, E, G) be the unfolding of N . Each value ω = (δ(e))e∈E in the space ΩE  [0, ∞)E will be seen to yield a unique configuration θ of ON . We make the following assumptions: 1. The measures (Pe )e∈E are pairwise independent. 2. No Pe has atoms: ∀ e ∈ E : ∀x ∈ [0, ∞) : Pe ({x}) = 0. Heights. The height of an event e is defined (see, e.g., [13]) recursively by H(e, ω)  max {H(e , ω)} + δ(e)  ◦ e∈ e

and H(⊥, ω) = 0;

(2)

a configuration κ has height H(κ, ω)  max {H(e, ω)} . e∈κ

(3)

48

A. Bouillard, S. Haar, and S. Rosario

Note that only the causality relation and the delays are relevant in the computation of H(e, ω), conflicting events have no influence. In other words, for every event e of E, H(e, ω) is defined, regardless of whether or not e actually occurs. We may thus apply different firing policies without modifying H(•, •); on the other hand, the occurrence of e will depend on ω through the firing policy. Here, all decisions will be made according to race policy: the first event whose delay expires first preempts its competitors. We use Ω instead of ΩE . For τ ∈ [0, ∞), denote as Eτ (ω)  {e | H(e, ω)  τ } the random set of those events whose height is bounded by τ . Theorem 1. Under assumptions 1 and 2, the following properties hold. 1. H(e, ω) < ∞ for all e ∈ E and almost all ω ∈ Ω. 2. H(e, ω) = H(e  , ω) almost surely for any e, e  ∈ E such that e = e  . 3. For all τ ∈ [0, ∞), the set Eτ (ω) is finite for almost all ω. 3.2

Occurrence of an Event

Let us define with the above notation the occurrence predicate occ(e, ω); it is true if and only if e effectively occurs under ω; that is, all of e’s preconditions are satisfied under ω, and none of e’s fast adversaries, occurs. Formally we have the following definition: Definition 3. Set occ(⊥, ω) to true for all ω ∈ Ω, and for any ω ∈ Ω, let recursively occ(e, ω) be true iff ∀ e ∈

◦

e : occ(e  , ω)



∧ ∀ e ∈ check(e, ω) : ¬occ(e  , ω),

(4)

where check(e, ω)  {e  | e#e  ∧ H(e  , ω)  H(e, ω)}. Further, for all e ∈ E , define Occ(e)  {ω | occ(e, ω)}. In other words, occ(e) holds iff event e eventually occurs, under ω and the race policy. Letting R(ω)  {e ∈ E | occ(e, ω)} the set of events that occur under ω, we have: Lemma 1. For almost all ω ∈ Ω, R(ω) ∈ Θ(ON ). 3.3

Probability of Occurrence

The occurrence of an event e under any ω is determined by [e] and the set of events {e | e#e } (see definition of occ(e, ω)). In fact, the latter set can be further restricted to events e that are in minimal conflict with e. Minimal Conflict: If e#e , but there exist events e1 e, e1 ≺ e such that e1 #e1 , then e#e can be seen as a conflict derived from e1 and e1 . The height of e in any run ω, H(e , ω), can not affect the occurrence of e which is decided by the race between the mutually conflicting events e1 and e1 . This inspires the following definition for minimal conflict [4, 3]:

Critical Paths in the Partial Order Unfolding of a Stochastic Petri Net

49

Definition 4 (Minimal Conflict). Two events e, e ∈ E are in minimal conflict, e#μ e iff: ([e] × [e ]) ∩ # = {(e, e )}. Thus the set of events which completely determine the occurrence of an event e is a prefix containing e which is closed under minimal conflict. This set B(e) is formally defined as: 1. e ∈ B(e); 2. if e1 ∈ B(e) and e2 ≺ e1 , then e2 ∈ B(e); 3. if e1 ∈ B(e) and e1 #μ e2 , then e2 ∈ B(e). Calculating P(Occ(e)): Occ(e) = {ω | occ(e, ω)} = {ω | e ∈ R(ω)}. Occ(e) can be partitioned into equivalence classes of runs in the following way: in any equivalence class C, any two runs ω1 , ω2 are such that R(ω1 ) ∩ B(e) = R(ω2 ) ∩ B(e). For any run ω ∈ C, the set of events {e |occ(e , ω), e ∈ B(e)} is the same, denoted by κC . Denote the set of equivalence classes of Occ(e) by Occ(e)/B(e) .  Occ(e) = C 

C∈Occ(e)/B(e)

and so P(Occ(e)) = C∈Occ(e)/B(e) P(C). Let p(κC ) denote each term of this summation. B(e) is an occurrence net in itself. For every equivalence class C in Occ(e)/B(e) , the set κC is a maximal configuration of B(e) which contains e, and vice-versa. Hence  P(Occ(e)) = p(κC ). (5) e∈κC ∈ΘB(e)

We thus need to compute all possible ways in which a maximal configuration κC could occur in B(e). This can be done for any occurrence net ON using a Markov chain, which is a graph of configurations κ of ON with probabilistic transitions. This graph is constructed as below: 1. The states of the graph are the configurations κ of ON . 2. Define the set of events enabled in a configuration κ1 as enab(κ1 )  {e ∈ E \ κ1 | κ1 ∪ {e} ∈ C(ON )}

(6)

The probability to go from state κ1 to state κ2 = κ1 ∪ {e} is Pκ1 ,κ2 = 

λe e ∈enab(κ

1)

λe

.

3. Transitions between any other states have zero probability.

(7)

50

A. Bouillard, S. Haar, and S. Rosario

The initial state of the Markov chain is the minimal configuration {⊥} and the maximal states are the maximal configurations of ON . Let prec(κ) denote the set of immediate predecessor states of κ in the graph. We obtain p(κ) recursively as: 

p(κ) =

p(κ ).Pκ ,κ ,

(8)

κ ∈prec(κ)

taking p({⊥}) = 1. Equation (5) can be computed only when B(e) is finite.

4 4.1

Critical Chains in Occurrence Nets When Is a Critical for b?

We now turn to the central problem of criticality. As a simple example consider the occurrence net in Figure 3 and the only maximal configuration u = {a, b, c}. Any change in the delay δc of event c will affect the delay δu of configuration u. Event c is thus critical for the configuration u for all possible delay values of a, b and c. The same cannot be said for events a and b: if δa > δb , a increase or decrease in δb by an amount such that δa > δb + does not affect δu . Similarly, a is non-critical when δb > δa . Events a and b are thus critical for configuration u only in certain situations, depending on the delays of both a and b. We will study first criticality of events for a configuration, and then move on to asking whether a transition is critical. The latter will become meaningful in the context of workflow nets and their unfoldings. To formalize our question, let ue be the tuple from [0, ∞)E whose e-component is 1 and all of whose other components are 0. We are interested in situations in which the delay of e is critical for the delay of configuration κ, in the following sense: crit (e, κ, ω) ⇐⇒ ∀ ε > 0 : H(κ, ω) < H(κ, ω + ε · ue ). In the example of Figures 1 and 2, let us ask whether the first occurrence of X (called X0 ) is critical for the first occurrence D0 of D, assuming both occur. This is the case iff the delay required by X0 is longer than that of Y0 . Here and in the remainder of the paper, let all exponential transition delay parameters be denoted by λ with the name of the transition as subscript, i.e., λX for the delay parameter at transition X, etc. We obtain, by independence of the delays,

a

c b Fig. 3. An occurrence net

Critical Paths in the Partial Order Unfolding of a Stochastic Petri Net

P(crit (X0 , [D0 ], ω)) =

51

λY . λX + λY

An event e is in Crit (e, ω) if it is critical for the configuration that occurs with respect to ω. That is, for all positive but “small enough” increases of e  s delay, that increase is also “felt” by R: Crit (e, ω) :={e | ∃η s. th. ∀ ε ∈]0, η[: H(R(ω), ω) < H(R(ω +ε·ue ), ω +ε · ue )} . (9) Indeed, due to Assumption 1), no pair of events can have the same height. Then, for sufficiently small increases of latencies the events that occur do not change and R(ω) = R(ω + ε · ue ). If ε is to large, there could be a change in the run that occurs and the total height of the occurring run could become smaller. The definitions given for defining critical events are valid only for finite configurations, i.e. we consider all heights to be finite. The notion of critical event cannot be well-defined for an infinite configuration. For example, take a configuration κ = e0 , f1 , e1 , f1 , . . ., where ∀i, j ∈ N, ei < ei+1 and fj < fj+1 and ¬(ei #fj ). If event ei occurs at time t, then, at that time, events e0 , . . . , ei are critical, and not event fj . Conversely, if event fj occurs at time t, events f0 , . . . , fj are critical and not events ei . Making t grow to infinity, should we consider that the critical events are all the events, or none? Whatever our choice, it will not articulate any meaningful information about our system. Problem CRIT. Given a finite configuration κ. What is the probability P({ω | crit (e, κ, ω)}) for the delay of e ∈ κ to be critical? For notational convenience, write x ω y to say that the delay of x is critical for the height of [y] in ω. More formally, we have the following definition. Definition 5. For all ω, let ω be the smallest reflexive relation on E that satisfies: 1. For any u ∈ E and x ∈ ◦ u, x ω u if and only if ∀ e ∈ {x} : H(e, ω) < H(x, ω). 2. For all ω, relation ω is transitive: x ω y ω z ⇒ x ω z.

◦

u\

A critical chain of ON for ω is a maximal set cc ⊆ {e | Crit (e, ω)} such that for all x, y ∈ cc, either x ω y or y ω x. If there exists ω such that x ω y, then x < y. There can be more than one critical chain for a given ω; however, under Assumption 1, the set of those ω has measure 0 under P, i.e. ω is uniquely defined for almost all ω. The following lemma ensures that every critical chain contains a minimal event and is the finite sequence of events x0 , . . . , xn where x0 ∈ min(E) and ∀i ∈ {1, . . . , n}, xi−1 ∈ ◦ xi . The lemma follows directly from Definition 5. Lemma 2. For every event y such that Crit (y, ω) and y = ⊥, ∃x ∈ E such that x ω y and x ∈ ◦ y. In section 4.2, we first give an algorithm to compute the critical events for a given configuration and given timings on the events, then we describe a method to solve Problem CRIT.

52

A. Bouillard, S. Haar, and S. Rosario

4.2

Critical Events for a Given Configuration and Given Timings

For a given finite configuration κ and a given ω, one can find a critical chain of critical events using Algorithm 1. Indeed, from the definition, an event of κ that has the maximum height is critical. Then, one can find a critical chain that ends with that event. Then, from Lemma 2 and Definition 5, it is easy to see that at each step of the loop, one computes a critical event that is a predecessor of the last computed critical event. This gives a maximal critical chain (the condition [e ] \ {e } = ∅ is equivalent to e ∈ min(E)). Algorithm 1. Critical chain Take e ∈ κ such that H(e, ω) = H(κ, ω); cc ← [e]; κ ← [e] \ {e}; while κ = ∅ do Take e  ∈ κ such that H(e  , ω) = H(κ, ω); cc ← e  :: cc; κ ← [e ] \ {e }; end while return cc.

4.3

Computation of the Criticality Probability

We now give a method to compute the probability of an event to be critical. Note that as the critical character of an event depends on the future of that event, we need the configurations to be finite and in finite number. As stated in the previous section, the behavior of the net can be modeled by a Markov chain whose states are the configurations and we will use the notations already defined. Since a Markov chain can be seen as a directed graph labeled by the transition probabilities or by the events on the arcs, we will use graph theoretic terminology. Each maximal path of the chain (from the empty configuration to a run κ) defines an order of occurrence of the event in the configuration κ. From this order, one can define the critical chain on the path; if the events of that path are in their occurrence order e1 , . . . , en , we have: 1. en is critical; 2. if ek is critical and if {i | i < k, ei < ek } is non-empty, define i0  max{i | i < k, ei < ek }. Event i0 is then the last event to occur before ek . This event does not exist (the considered set is empty) if ek is a minimal event. Then – ei0 ω ek and – j ∈ {i0 + 1, . . . , k − 1} such that ei0 ω ej ω ek : ei0 is critical and there is no critical event between ei0 and ek . Under Assumption 1, the critical chain constructed in this way is unique with probability 1. The occurrence of an event e depends only on the “past” of event e, whereas the critical character of an event depends only on the “future” of e

Critical Paths in the Partial Order Unfolding of a Stochastic Petri Net

53

(that is, the events that occur after it), thanks to the memoryless properties of the exponential distribution. Thanks to that property, the past and the future of e can be separated in the computations. We now develop an algorithm to compute that probability. We will use the following notations: – For two states κ1 , κ2 of the chain P(κ1 , κ2 ) is the probability to reach κ2 from κ1 . – We denote by Pcrit (κ, e) the probability of e to be critical if starting from configuration κ, e is a minimal event (that is, if κ ∪ {e} is a configuration). Pcrit (κ, e) = 0 otherwise. For a maximal event e of a longest run κ, one has Pcrit (κ − {e}, e) = Pκ−{e},κ . Let e be a maximal event – recall that the maximal events are those that may occur at the latest time in κ – of a run κ. From the above, configuration κ occurs and e is critical if and only if configuration κ occurs and e is the last event to occur. The probability for that event is P(∅, κ − {e}) · Pκ−{e},κ . Now, let us compute Pcrit for the other arcs. Let (κ1 , κ2 ) be an arc such that every arc successor of it has its Pcrit computed. It is always possible to find such an arc because the graph is acyclic. Using a topological sort, one can find an order on the configurations such that this condition is always satisfied. Denote by e the unique event in κ2 − κ1 . From the choice of configuration κ1 , for a run κ that contains κ1 ∪ {e}, if e is the first event to occur, e is critical iff ∃f ∈ e◦ ∩ κ such that ◦ f ∩ (κ − κ1 ) = {e}

and f is critical .

(10)

Indeed, from Definition 5.1, e can be critical only if there is a critical event f in e◦ . Moreover, if there is a event u ∈ ◦ f ∩ (κ − κ1 ), then H(u) > H(e) and u is critical, not e. Equation (10) leads to a method to recursively compute Pcrit . Let F be the set of events f satisfying Equation (10) for a run κ and AF = {(κi , κi ), i ∈ {1, . . . , m}} be the set of arcs labeled by an event in F reachable from κ2 (we denote the label of (κi , κi ) by fi ). We have Pcrit (κ1 , e) =

n 

P(κ1 , κ2 )P(κ2 , κi )P(κi , κi )Pcrit (κi , fi ).

i=1

This formula can be explained in the following way: event e can be critical from κ1 if e is the first event to occur in the remaining of a run (by definition of Pcrit ). Then, consider the next event f to occur in e◦ . From Equation (10), e can be critical only if f can be critical. Then, f is a label of an arc in AF . Let (κi , κi ) be this arc. The probability to effectively reach that arc is P(κ2 , κi ) and the path that has been followed between configurations κ2 and κi does not matter: the events occurring are concurrent to f (f ∈ e◦ and ∀e ∈ κi − κ2 , e ∈ / ◦ f ) and they are the same for every path, so their order does not matter. For the rest of the formula, one has to remark that f being critical from κi is independent of what happens before conditionally to the occurrence of the state κi . Then, the probability for an event e to be critical is

54

A. Bouillard, S. Haar, and S. Rosario

Pcrit (e) =



P(κ)Pcrit (κ, e).

κ⊆κ∪{e}∈C(ON )

5

Criticality of a Component in a Workflow

The above discussion covers the criticality of events in an occurrence net. However, it is of much greater relevance in practice to ask whether a given system component is critical for the performance of a compound system, in particular for systems and services that are to be frequently used. The knowledge of criticality in a complex system allows e.g. to allocate resources - maintenance, renewal, replacement by newer but costly equipment, etc - where they yield best global results: if only a limited budget for such interventions is available, one should strive to use it as much as possible on improvement of the performance in bottlenecks of the system. Clearly, the above discussions on criticality in occurrence nets can serve as preparations for the system analysis here, in the sense that one wishes to lift statements on an occurrence of t being critical for an occurrence of t in the unfolding UN , to the net N itself and to saying that t is critical for t . However, this is not very meaningful for general nets since the occurrences of t and t may be only loosely coupled. We can, however, give a precise meaning to transition criticality in a particular class of Petri nets, called workflow nets. The following definitions are based on [1]. Definition 6 (WF-Net). A net W∗ = (P∗ , T∗ , F∗ ) is a WF-net1 if and only if: 1. W has two special places, source place i and sink place o, such that • i = o• = ∅. 2. If we add a transition t to T∗ that connects place o with i, i.e. • t = {o} and t• = {i}, then the resulting net W = (P , T , F ) - the looped version of W∗ - is strongly connected. W is then called a looped WF-net, and t is called the loop transition of W . WF-net W is sound iff 1. m0 = {i}; 2. m0 is a home marking, i.e. from every reachable marking of N , m0 is reachable; 3. N has no dead transitions, i.e. for every t ∈ T there is a reachable marking m such that m[t . It is known that WF-net W is sound iff N is live and bounded [2]. Let us call any Petri net N = (W , m0 ) for which W is a looped and sound WF-net a WF Petri net, or WFPN. 1

WorkFlow net.

Critical Paths in the Partial Order Unfolding of a Stochastic Petri Net

55

In Figure 1, between two consecutive occurrences of the loop transition, transition N will be critical for the entire workflow every time it actually occurs, and transition X, Y and C can each be critical if N does not occur. More precisely, in that case both X and Y will occur, X exactly once, Y possibly several times; in fact, Y occurs exactly one more time than C does, before leaving the loop. We will make this more precise now. To start, note that the successive occurrences of the loop transition provide a natural regeneration point for the stochastic behaviour of the net. The loop transition also marks the end of one execution of the workflow and the passage to the next execution. We will thus consider the criticality problem with a focus on the loop transition: at each new occurrence of it, look back to the period since its last occurrence, and ask which of the other transitions have this time been critical for the total time spent. The dynamics of WFPNs features a sequence of rounds separated by the successive occurrences e1 , e2 , . . . of t. Formally, for any event e in the unfolding (ON , π) of N , define the round number of e by round(e)  |π −1 ({t}) ∩ [e]|. Call tn (ω) the nth occurrence of t under ω; that is, one has round(e) < n for all e ≺ t and round (e  ) ≥ n for all t e  . We will consider the following problem: (P) Given a sound WFPN N and a transition x = t of N , what is the probability Pcrit (x, n) that the occurrence (if any) in round n of x is critical for tn ? Observe that the loop transition t synchronises the flow at the end of each round, hence it is critical in every round. Due to this synchronisation, if xn , the nth occurrence of a transition x is critical for a round, then xn remains critical for all successive rounds of the looped WF-Net. As mentioned above, the synchronization at the end of a workflow round and in the firing of t induces a renewal of the underlying Markov processes. In particular, Pcrit (x, n) = Pcrit (x, 1) for any round n. We will therefore discard the round index n and represent the previous terms by Pcrit (x), which denotes the probability that a transition x of N is critical for a round. The problem (P) can thus be restated as: Given a sound WFPN N and a transition x = t of N , what is the probability Pcrit (x) that the occurrence (if any) of x is critical in an execution round of N? Solving this problem for the example of Figure 1 and its unfolding in Figure 2, we obtain the following results: N – Transition N is critical in a round iff δN < δS , hence Pcrit (N ) = λNλ+λ . S – If δN > δS , both S and D are critical in that round, hence Pcrit (S) = S Pcrit (D) = λNλ+λ . S – For criticality of X, Y and C, the number of firings Num C of C in a round is central. We note that (i) Y fires Num C + 1 times in this round. (ii) X is critical in this round iff it fires after the last firing of Y , otherwise Y is P critical. For transitions P and Q, let PP/Q be λPλ+λ , the probability of the Q delay of P being lesser than that of Q. We then have:

56

A. Bouillard, S. Haar, and S. Rosario

Pcrit (X) = Pcrit (S) ·

∞   i PY /X · PC/X · PY /X · PX/C · PD/C i=0

= Pcrit (S) · PY /X · PX/C · PD/C ·

1 1 − PY /X · PC/X

Since Y is critical in a round whenever X is not critical, we have Pcrit (Y ) = Pcrit (S) − Pcrit (X). Finally, C is critical in a round whenever Y is critical, except for the case when Num C = 0, when C does not occur. We thus have, Pcrit (C) = Pcrit (Y ) − Pcrit (S) · PX/Y · PD/C . In practice, it will be acceptable for X to be critical but not for transitions that may have to be iterated a large number of times, such as Y and C. Therefore, one will strive to increase PY /X to keep Pcrit (X) large.

6

Conclusion and Outlook

We have established several properties of distributed Markovian systems allowing to exhibit the critical events of a non-deterministic process, and studied how to lift this analysis to workflow nets. We have used a timed Markovian model in computations, whose execution traces are linearly ordered sequences. One might therefore think that we could have dropped the use of partial orders entirely and have simply used interleaved semantics. However, only the causal semantics provided by unfoldings allows to retrieve the dependencies which are crucial in finding critical events : the fact that event e occurs before event e  in itself does not imply that e is critical for e  , since the ordering of the two events may result merely from the contingent delay values. In that case, both events evolve independently of one another, and modifications in the component corresponding to e would have no impact on e  . Criticality implies causal ordering, hence in order to analyze criticality, the investigation of partial order unfoldings cannot be avoided. Identification and prediction of likely bottlenecks in composite processes allows to anticipate possible performance deterioration. Conversely, once the bottlenecks of an intended composite application are known, resource allocation can be optimized so that attention is focused on latency-critical components by reducing the critical local latencies. More delicate analyses, such as concerning monotonicity (see [8]) and robustness of global performance with respect to local performances, are under way or part of future work.

References 1. van der Aalst, W.M.P.: The application of Petri Nets to Workflow Management. Journal of Circuits, Systems and Computers 8(1), 21–66 (1998) 2. van der Aalst, W.M.P.: Verification of Workflow nets. In: Az´ema, P., Balbo, G. (eds.) ICATPN 1997. LNCS, vol. 1248, pp. 407–426. Springer, Heidelberg (1997)

Critical Paths in the Partial Order Unfolding of a Stochastic Petri Net

57

3. Abbes, S., Benveniste, A.: True-concurrency probabilistic models: Markov nets and a law of large numbers. Theor. Comput. Sci. 390(2-3), 129–170 (2008) 4. Abbes, S., Benveniste, A.: Probabilistic models for true-concurrency: branching cells and distributed probabilities for event structures. Information and Computation 204(2), 231–274 (2006) 5. Ajmone Marsan, M., Balbo, G., Conte, G., Donatelli, S., Franceschinis, G.: Modeling with Generalized Stochastic Petri Nets. Parallel Computing Series. Wiley, Chichester (1995) 6. Benveniste, A., Fabre, E., Haar, S.: Markov Nets: Probabilistic Models for distributed and concurrent systems. IEEE Trans. Aut. Control 48(11), 1936–1950 (2003) 7. Bouillard, A., Haar, S., Rosario, S.: Critical paths in the Partial Order Unfolding of a Stochastic Petri Net. INRIA Research report (August 2009) 8. Bouillard, A., Rosario, S., Benveniste, A., Haar, S.: Monotonicity in Service Orchestrations. Petri Nets (2009), http://petrinets2009.lip6.fr/ 9. Engelfriet, J.: Branching Processes of Petri Nets. Acta Informatica 28, 575–591 (1991) 10. Esparza, J., R¨ omer, S., Vogler, W.: An improvement of McMillan’s unfolding algorithm. Formal Methods in System Design 20(3), 285–310 (2002) 11. Haas, P.: Stochastic Petri Nets. Modelling, Stability, Simulation. Springer Series in Operations Research, Berlin (2002) 12. Katoen, J.-P., Baier, C., Latella, D.: Metric semantics for true concurrent real time. Theoretical Computer Science 254, 501–542 (2001) 13. Mairesse, J., Gaubert, S.: Modeling and Analysis of Timed Petri Nets using Heaps of Pieces. IEEE Trans. Autom. Control 44(4), 683–697 (1999) 14. McMillan, K.: Using Unfoldings to avoid the state explosion problem in the verification of asynchronous circuits. In: 4th Workshop on Computer Aided Verification, pp. 164–174 (1992) 15. Nielsen, M., Plotkin, G., Winskel, G.: Petri nets, event structures, and domains, Part I. TCS 13, 85–108 (1981) 16. Ruys, T.C., Langerak, R., Katoen, J.-P., Latella, D., Massink, M.: First passage time analysis of stochastic process algebra using partial orders. In: Margaria, T., Yi, W. (eds.) TACAS 2001. LNCS, vol. 2031, pp. 220–235. Springer, Heidelberg (2001) 17. Rosario, S., Benveniste, A., Haar, S., Jard, C.: Probabilistic QoS and soft contracts for transaction based Web services. In: Proceedings ICWS 2007, pp. 126–133 (2007) 18. Rosario, S., Kitchin, D.E., Benveniste, A., Cook, W., Haar, S., Jard, C.: Event structure semantics of orc. In: Dumas, M., Heckel, R. (eds.) WS-FM 2007. LNCS, vol. 4937, pp. 154–168. Springer, Heidelberg (2008); long version as INRIA Research Report Nr 6221 19. Tucker, H.G.: An Introduction to probability and mathematical statistics. Academic Press, London (1962) 20. Varacca, D., V¨ olzer, H., Winskel, G.: Probabilistic event structures and domains. Theor. Comput. Sci. 358(2-3), 173–199 (2006)

Speeding Up Model Checking of Timed-Models by Combining Scenario Specialization and Live Component Analysis V´ıctor Braberman1 , Diego Garbervestky1, Nicol´as Kicillof2 , Daniel Monteverde1,3 , and Alfredo Olivero3,4 1

DC, FCEyN, UBA - Argentina {vbraber,diegog}@dc.uba.ar 2 Microsoft - USA [email protected] 3 INTEC, UADE - Argentina {damonteverde,aolivero}@uade.edu.ar 4 ECyT, UNSAM - Argentina

Abstract. The common practice for verifying properties described as event occurrence patterns is to translate them into observer state machines. The resulting observer is then composed with (the components of) the system under analysis in order to verify a reachability property. Live Component Analysis is a “cone of influence” abstraction technique aiming at mitigating state explosion by detecting, at each observer location, which components are actually relevant for model checking purposes. Interestingly enough, the more locations the observer has, the more precise the relevance analysis becomes. This work proposes the formal underpinnings of a method to safely leverage this fact when properties are stated as event patterns (scenarios). That is, we present a sound and complete method of property manipulation based on specializing and complementing scenarios. The application of this method is illustrated on two case studies of distributed real-time system designs, showing dramatic improvements in the verification phase, even in situations where verification of the original scenario was unfeasible.

1

Introduction

The use of observers to express properties for the automatic verification of models of reactive software is common-place (e.g., [2,1,12], etc). This is specially the case when requirements are heavily based on event occurrences, since using logical formalisms tends to be cumbersome, if possible at all [12]. In most cases, (automaton) observers are either hand-written or generated from some high-level property specification notation (for example, event patterns). Once defined, observers are composed with the components of the System Under Analysis (SUA), and a reachability property is verified using a model checker. 

Research partially supported by CONICET and the projects UBACyT X021, ANPCyT PICTO-CRUP 31352 and ANPCyT PICT 32440.

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 58–72, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Speeding Up Model Checking of Timed-Models

59

Live Component Analysis (LCA) is a special case of cone-of-influence abstraction [13] that works by instructing a model checker to ignore the state of some components at the observer-location level [10,11]. Supressing irrelevant activity mitigates state space explosion and has a –sometimes dramatically– positive impact on the performance of verification tools in terms of time, size and counterexample length. The fact that the technique works at the observer-location level implies that the more locations the observer has, the more precise the analysis becomes and that precision may in turn positively impact the verification phase. In this article we describe a human-in-the-loop method to safely obtain detailed versions of the original observers, which may imply dramatic improvements in time and space during verification. Of course, allowing a Verification Engineer (VE) straightforwardly manipulate the observer to exploit this phenomenon is a risky and awkward business, since validity of verifications might be jeopardized (i.e., will verification results have some formal link with the verification of original properties?). Actually, our approach consists in enabling a VE to modify a high level representation of the original verification goal. To do this, we propose theoretical and practical tools to soundly manipulate scenarios created in the specification phase, instead of the observer automata obtained by translating them. We call this manipulation specialization. It essentially amounts to adding constraints and/or dividing the goal into cases. To the best of our knowledge, this sort of manipulation, although typical in logical and type-theoretic frameworks, is novel for scenario-based notations. More concretely, the method is based on the observation that the chances for a more effective optimization are greatly improved by formulating guesses about the shape of violating traces. The informal notion of “guessing” is formalized as scenario specialization. To formalize and validate our method, we choose V T S [12] (a visual scenario notation) as the formalism to express properties. Its minimality and expressive power enable the definition of all the required notions for checking soundness of manipulations. V T S comes in two flavors: existential scenarios enabling the expression of pattern of events (essentially, a partial ordered set of events), which usually stand for negative scenarios and, not surprisingly, are checked by converting them into an observer automata; and conditional scenarios allowing to express universal properties requiring that, whenever a pattern (the antecedent ) is matched in a trace, it must be also possible to match at least one of the (consequent ) patterns. For the sake of simplicity, the method will be illustrated on verification goals given as existential scenarios. Nevertheless, conditional scenarios will also play a key role to articulate, manipulate and check the completeness assumption underlying the specialization of an existential goal. The ability to feature consequents non-trivially intertwined with the antecedent pattern (i.e., referring to events that should happen before, in between, and/or after events of the antecedent) is a key feature for automatically expressing completeness assumptions. According to our case studies, those completeness provisos usually

60

V. Braberman et al.

may be verified efficiently against (the model of) the SUA by further applying conservative abstractions on scenarios and the SUA. Contributions: we have pointed out that adding detail to property observer automata may speed up model checking phase when SUA and observer are preprocessed by LCA. Thus, this paper presents the formal underpinnings and validation for a novel, sound and complete user-intervention approach in the verification of models featuring real-time components. More concretely, we show how to leverage that phenomenon as follows: – We equip V T S with the notion of specialization. The presentation of this concept is compactly based on morphisms. – We introduce the formal link between specialization and satisfiability of scenarios, allowing their sound deductive manipulation. – We also show how to check that manipulations are safe by building and checking a conditional scenario. That is, we show that specialization may be efficiently checked to be complete w.r.t. the original verification goal for the SUA. – We build proof-of-concept tools and illustrate the ideas on case studies. The article is structured as follows: we start by describing the running case studies and provide a novel and concise presentation of V T S based on morphisms. Then, we introduce the notion of specialization and its related results. In the following section we explain the method, combined with tools and results, and illustrate it with applications to case studies. Finally, we relate this work to other similar efforts, discuss treats to validity and draw conclusions.

2

Motivating Case Study

The following case study illustrates both the use of observers to model safety properties and the role of Live Component Analysis. MinePump is a timed automata [4] model of a design of a fault-detection mechanism for a distributed mine-drainage controller [8]. We are interested in the behavior of the subsystem responsible of detecting failures in sensors. A watchdog task (wd) periodically checks the availability of a water-level-sensing device (hlw) by sending a request and extracting acknowledgments that were received and queued during the previous cycle (by another sporadic task, ackh). When the watchdog finds the queue empty, it registers a fault condition in a shared memory (alarmadded), which is periodically read (alarmget) and forwarded (alarmsent) by a proxy task (proxy) through a net (net) to a remote console (display) featuring a latching mechanism (latch). We want to analyze whether the following condition is possible “the remote operator is informed of a failure of the water sensor too late”. The automaton in Fig. 1 (a) captures a trace violating the requirement, while Fig. 1 (b) shows a more detailed observer which makes explicit the control flow in the chain of parallel activities. The verification consists in checking whether location 2 (respectively 7) is reachable when composed with the SUA.

Speeding Up Model Checking of Timed-Models

2.1

61

Live Component Analysis

Live Component Analysis (LCA) has been conceived to tackle state explosion in a verification setting pursuing the detection of design flaws in a set of concurrent timed-activities [10]. ObsSlice [11] is a tool implementing LCA. When fed with a network of timed automata consisting of a SUA and an observer, ObsSlice statically discovers for each observer location a set of modeling elements (automata and/or clocks) that can be safely ignored (disabled) without compromising the validity of arbitrary TCTL [3] formulas stated over the observer (i.e., an exact reduction method w.r.t. branching-time analysis). The effect of ObsSlice on observers is conveyed by “%Disable” annotations (Fig. 1). *

fault {X}

%Disable:hlw,wd,akch,queue, alarm,proxy,net,latch,display

*-{alarmreceived, alarmdisplayed}

alarmadded

0 alarmdisplayed X>D

*- {alarmget, alarmdisplayed}

*- {alarmadded, alarmdisplayed}

*

0

fault {X}

1

%Disable:hlw,wd,

2

akch,queue

alarmget %Disable:alarm

3 alarmdisplayed X>D X>D

2

alarmsent

1

%Disable:proxy

4

alarmreceived %Disable:net

wakeup

5

%Disable:latch

alarmdisplayed

fault

%Disable:hlw,wd,akch,queue, alarm,proxy,net,latch,display

3

*-{alarmreceived, alarmdisplayed}

(a)

*-{wakeup, alarmdisplayed}

7

%Disable:display

6 Alarmdisplayed

*-{alarmdiaplyed}

%Disable:display

8

(b)

Fig. 1. Observers: (a) Original Version (b) Detailed Version

The result of running ObsSlice is a transformed network of timed automata that avoids irrelevant behavior while being equivalent to the input network, up to branching-time observation (i.e., preserves TCTL satisfaction over the composed system, including reachability). For instance, the observer of Fig. 1 (b) composed with the SUA reaches location 7 if and only if the same location is reachable in the corresponding transformed network of timed automata computed by ObsSlice. For the observer in Fig. 1 (a), ObsSlice localizes the property by declaring globally relevant nine of the twenty timed automata involved in the complete model and deactivates components when the observer enters trap locations. If this localization is not performed verification turns out to be practically unfeasible. On the other hand, on the observer in Fig. 1 (b) the tool discovers that, after the alarmadded event is matched, the sensor (hlw), watchdog (wd), acknowledgment handler (ackh), and the queue that accumulates those acks (queue), are no longer relevant since their behavior would have no impact in future evolution of the observed flow. We can see in the observer the incremental disabling of components that ObsSlice safely performs after each location. We will see, later in this article, that the intuitively better deactivation profile for the more detailed version actually translates into a performance gain in the model checking phase. 2.2

Describing Properties Using V T S

In V T S, labels associated to points stand for event occurrences, arrows stand for precedence and a negated label over an arrow means absence. The high-level counterpart of the observer shown in Fig.1(a) is the existential V T S scenario in Fig.2 (a).

62

V. Braberman et al.

fault

¬ alarmdisplayed >D (a)

alarmdisplayed

alarmadded fault

alarmget

alarmset ¬ alarmdisplayed >D (b)

alarmareceived

wakeup alarmdisplayed

Fig. 2. MinePump: (a) Original Property (b) Specialized Version

Thus, we are talking about a fault event for which the following alarmdisplayed happens later than D time units. In this case, the relationship between the scenario and the observer obtained seems to be fairly simple, but the gap widens considerably for more complex requirements [12]. On the other hand, the scenario in Fig.2 (b) makes explicit the control flow in the chain of parallel activities. The article focuses, in general terms, on two basic questions: which relationship holds between Fig.2 (a) and Fig.2 (b)? and, more importantly, how can it be known that verifying (the scenario in) Fig.2 (b) is equivalent to verifying Fig.2 (a).

3

Visual Timed Scenarios

V T S is a scenario-based notation designed to graphically define predicates over complex control or interaction flows. In V T S, there are two kinds of scenarios: existential and conditional ones. In what follows we revisit the definition presented in [12] by compactly reintroducing notions using morphisms, and extending it to include scenario specialization. 3.1

Existential Scenarios

An existential V T S scenario is basically an annotated strict partial order of relevant events, denoting a (possibly infinite) set of matching time-stamped traces. Existential V T S is used to state a simple though relevant family of questions of the form “Is there a potential run that matches this generic scenario?”. When interpreted as negative scenarios, as is the case in this work, these questions can express infringements of safety or progress requirements. They turn out to be decidable, by translating a scenario into a Timed Automata (observer) that recognizes matching runs [12]. This automaton is composed with the SUA to check whether a violating execution is reachable by using available model checking tools for Timed Automata like Kronos [7] and Uppaal [6]. The basic elements of the graphical notation are points connected by lines and arrows. Points are labeled with sets of events, where the point stands for an occurrence of one of the events during execution. An arrow between two points indicates that an occurrence of the source point precedes an occurrence of the target. Thus, the occurrences of two points that are neither directly nor indirectly connected, may appear in any order in a trace. A dashed line linking two points specifies that they must represent different event instances, but their relative order is irrelevant. Both arrows and dashed lines may have associated time restrictions and forbidden events between their ends. V T S can also identify the beginning of an execution (depicted with a big full circle).

Speeding Up Model Checking of Timed-Models

63

Definition 1 (Scenario). A scenario is a tuple Σ, P, ,  ≡, <, γ, δ, where Σ is a finite set of events; P is a set of points;  : P → 2Σ is a function that labels each point with a set of events;  ≡ ⊆ P × P is an irreflexive relation among points (separation); <⊆ (P  {0} × P ) is a precedence relation between points –asymmetric and irreflexive– (0 represents the beginning of execution); γ : (< ∪  ≡) → 2Σ assigns to each pair of related points the set of events forbidden between them; and δ : (< ∪  ≡) → Φ assigns a restriction (expressed as a logical combinations of interval time constraints1 ) for the time elapsed between each pair of related points. The formal semantics of V T S is given by assigning to each scenario a set of traces that satisfy it based on the notion of matching [12]. A matching is a mapping from event occurrences in a time-stamped trace to the scenario points, such that all constraints imposed by the scenario are satisfied between those event occurrences. For example, the scenario in Fig.2 (a) expresses a predicate that is true for a run if and only if it contains a fault followed by the next alarmdisplayed in more than D time units. The arrow indicates that fault occurs before alarmdisplayed. The negated label on it states that no other occurrence of alarmdisplayed is found in between. The temporal constraint “the distance between both events is greater than D”, is expressed by attaching a “> D” to the arrow. In the scenario of Fig.2 (b) we used an abbreviation for a frequent idiom: certain point represents the next occurrence of alarmadded after fault. The abbreviation is a second (open) arrow and is equivalent to adding alarmadded as a forbidden event on the arrow. As a counterpart, V T S also includes an abbreviation for previous, when the forbidden event coincides with the source one (see Fig. 4). See [12] for more information on V T S features. In [12] it is shown how to build a Tableau observer TS that recognizes all traces matching a scenario S, so that model checking A  S is equivalent to model checking a reachability formula on the parallel composition of A with TS . Definition 2 (Scenario Morphism). Given two scenarios S1 , S2 (assuming a common universe of labels), and f a total function between P1 and P2 we say that f is a morphism from S1 to S2 (denoted f : S1 → S2 ) iff for all p, q ∈ P1 : M1: 2 (f (p)) ⊆ 1 (p) M2: γ1 (p, q) ⊆ γ2 (f (p), f (q))

γ1 (0, q) ⊆ γ2 (0, f (q))

M3: if p <1 q then f (p) <2 f (q)

3.2

M4: if p  ≡1 q then f (p)  ≡2 f (q) M5: δ2 (f (p), f (q)) ⊆ δ1 (p, q)

δ2 (0, f (q)) ⊆ δ1 (0, q)

Conditional Scenarios

Conditional scenarios (CSs) [12] are useful to state that whenever a matching is encountered in a given trace for a scenario (the antecedent ), the same matching must be extensible to cover at least one scenario in the set of the so called consequent scenarios. This notion is actually the scenario counterpart of the 1

When the scenario is translated into a TA for model checking purposes, Φ must be restricted to real intervals with integer bounds.

64

V. Braberman et al.

propositional scheme A =⇒ (C1 ∨ . . . ∨ Cn ) where scenario A is interconnected with each scenario Ci . Although conditional scenarios were meant to enable verification engineers (VE) to express verification goals, in this work conditional scenarios are used as a means to automatically state, prove, or refute the expected formal link between the original goal (existential scenario) and the manipulations done by the VE. Technically speaking, the antecedent is a common substructure of all consequents enabling complex relationship between points in antecedent and consequents. Syntactically, a conditional scenario is a scenario that plays the role of the antecedent embedded into consequents. A set-theoretic notion of inclusion, called specialization, is introduced in [12]. In this article, we redefine all those notions in terms of morphisms. That is, the embedding of antecedents into consequents is now presented as a set of morphisms. Actually, due to decidability concerns, we require morphisms to be such that all points in the codomain but not in the image are reachable from a point in the image by following next and previous arrows [12]. That is, we say that an injective morphism f : S1 → S2 is matching-kernel iff R(f (P1 )) = P2 where R(X) is an operator that provides every point reachable from X ⊆ P2 by following next and previous arrows in S2 . We note such morphism as . Definition 3 (Conditional Scenario). Given an antecedent scenario S0 and an indexed set of consequent scenarios Si with the respective matching-kernel morphisms fi : S0  Si , we call C = S0 , {(Si , fi )}i=1...k  a Conditional Scenario. In the graphical notation, consequent elements (points and arrows) are depicted in gray and numbered in order to distinguish between different consequents. The antecedent image under the morphisms is highlighted in black. Fig. 3 shows a CS expressing that between a fault occurs and an alarm is displayed, the intermediate chain of events shown in the consequent is required to happen. alarmadded fault

1

1

alarmget 1

1

alarmsent 1

1

¬ alarmdisplayed >D

alarmrecieved 1

1

wakeup 1

1

alarmdisplayed 1

Fig. 3. CS stating the chain of events that is supposed to happen

Model checking of a CS C = S0 , {(Si , fi )}i=1...k  is done by building a set of existential scenarios that stand for the possible violations of C. More precisely, there is an algorithm that generates a set of existential scenarios Nj (called negative scenarios) and morphisms nj : S0  Nj for j = 1 . . . n such that: (a) S0 , {(Si , fi )}i=1...k ∪ {(Nj , nj )}j=1...n  is a tautological CS (i.e., if S0 is matched then necessarily one of the consequents is also matched), and (b) there is no way to extend a matching of a Nj to match any of the Si (i.e., Nj reveals a violation of C). Then, it is not difficult to see that, if each Nj were checked unfeasible in a timed automata A (for instance, using conservative abstractions), then A  C would necessarily hold. Interestingly enough, this model-checking approach explicitly generates the consequents potentially missing in a CS.

Speeding Up Model Checking of Timed-Models

4

65

Scenario Specialization and Optimization Method

In this section we introduce a scenario specialization notion based on morphisms and formally present some of the intuitive definitions from previous sections. Given two existential scenarios S1 and S2 , we say that S2 specializes S1 and, conversely, S1 generalizes S2 (denoted S2 <: S1 ) when there exists a morphism m : S1 → S2 . This relation establishes that S1 is embedded into S2 if the latter features more constrains (this is analogous to a logical subsumption). Interestingly enough, the formal semantics of existential scenarios can then be defined using specialization (a syntactic notion) as follows. A time-stamped sequence of events (trace σ) produced by timed models like timed automata can be regarded as a totally ordered scenario Sσ 2 . Thus, under this interpretation, the existence of a morphism (specialization) coincides with the notion of matching in [12] (i.e., σ  S iff Sσ <: S). We say that a timed automata satisfies a scenario (A  S ) iff A exhibits at least one time-divergent trace that, regarded as a scenario, specializes S. Note also that if S2 <: S1 and A  S2 , then A  S1 (by composing the witness morphisms). In general it is not true that if A  S1 , then necessarily A  S2 holds. However, as we will see later, we can check whether A  S1 implies A  S2 by checking exhaustiveness using conditional scenarios. Additionally, the formal semantics of CS can also be compactly defined in terms of morphisms. A trace σ satisfies a CS C, (σ  C) iff for every morphism m : S0 → Sσ there exists mi : Si → Sσ , for some i ∈ {1..k}, such that m = mi ◦fi . In the next section, we will introduce the optimization method using the previously presented notions. However, is worth mentioning that [9] shows how specialization can be extended to conditional scenarios. Specialization works contravariantly on the antecedent (i.e, weakening it) and covariantly on consequents (i.e., strengthening them). We believe that those results generalize the following optimization method, which will be explored as future work. 4.1

Optimization Method

Method 1 is a sketch of the procedure to safely verify properties using scenario specialization. It starts with a verification goal given as an existential scenario and a SUA. Now we assume that the original verification goal consumes excessive time and space resources, so the method can be used to mitigate state space explosion. In what follows, Verify(SUA, S) denotes modelchecking a reachability property on the result of applying LCA to SUA and the tableau of S (i.e., TS ). VE provides a set of specializations (line 1). When LCA is applied to them, precision is improved and verification is hopefully sped up. Note that specializations can be checked in parallel. Then there are two possible courses of actions depending on the result. If a match is found (line 5) then, since specialization matching implies the original scenario is matchable also (line 6), we are done. Else, it would 2

Sσ has a single-labeled point per event occurrence in the trace, plus the end point, and explicitly features separation and time distance constraints between every pair of points as well as forbidding all events that do not actually occur in between.

66

V. Braberman et al.

Algorithm 1. Specialization based method Input: SUA: TA network; G: V T S existential scenario Output: G Matchable?: boolean  such that G  <: G (m : G → G  ) 1: Provide G1 , . . . , Gn i i i 2: for each Gi do 3: Ri := Verify(SUA, Gi ) // better precision and better computation time 4: end  for 5: if (Ri = true) then 6: G Matchable? := true 7: else 8: P := G, {(Gi , mi )}i=1...n  9: N = {Ni }i=1...k := GenN egative(P) 10: for each Ni ∈ N do 11: Ri := Verify(SUA , Ni ) // Ni <: Ni and SUA is an abstraction of SUA 12: end  for 13: if (Ri = false) then 14: G Matchable? := false 15: else 16: for each Ni such that Ri = true do 17: R i := Verify(SUA, Ni ) 18: end for  19: G Matchable? := (R i = true) 20: end if 21: end if 22: return G Matchable?

be necessary to check exhaustiveness of specialization to safely conclude the original goal is non-matchable. That is automatically expressed as satisfiability of a CS P made up of the original goal as antecedent and the specializations as consequents (line 8). Fig. 3 and Fig. 5a show this construction for the MinePump and RemoteSensing examples, respectively. Note that, if the conditional scenario were true, we would know that the original scenario is actually non-matchable since the conditional scenario tells us that, whenever we can find a match for the original scenario, one of the specializations is bound to happen (and we have already discarded that in previous steps). The set of negative scenarios needed to model check a CS can be automatically derived from it (line 9) corresponding to the exhaustiveness claim. They are also methodologically valuable intermediate artifacts, since they explicitly reveal and document the engineer’s belief on either scenarios that cannot happen, or scenarios that do not exercise worst cases for the original verification goal. When checking the infeasibility of negative scenarios, it is important to note that the SUA may be abstracted and a negative scenario may be generalized (line 11). The reason is simple: if generalized versions of negative scenarios are proven to be non-matchable over an abstract version of the SUA, we can safely conclude that the conditional scenario has no way to be violated and thus the exhaustiveness proviso holds. In this context, typical abstractions include getting rid of temporal constraints on negative scenarios and applying convexhull approximation when model checking against SUA (see case studies). These strategies have proven very effective in practice. In the worst case, if a negative

Speeding Up Model Checking of Timed-Models

67

scenario cannot be discarded (i.e, conservative abstractions and/or generalizations show it may be potentially matched), it is actually checked as it is (line 17) to determine whether matchings were spurious (due to aggressive abstractions) or it is actually a case where the original goal is matched. Notice that it may not be necessary to examine every specialization (line 2) in the loop. As soon as one produces Ri = true, the method terminates returning G Matchable? = true. Something similar happens with the loop in line 16.

5

Case Studies Analysis and Verification Results

Here we apply our method to two case studies: MinePump and RemoteSensing that will be explained afterwards. In Tables 1 and 2 we compare the time and memory consumed by model checking tools to verify an original and a specialized scenario, for the normal and the sliced versions of the SUA. We use Uppaal 4.0.2 as a model checker running on a Pentium IV 3Ghz, 2GB RAM, LINUX 2.6.3, and ObsSlice as the LCA. Uppaal was run using different search orders (BFS, DFS, RND (i.e., random DFS)), state space reductions (none, conservative, aggressive) and state space representations (DBMs, compact data structure, and convex hull abstraction). We decided to show experiments for each example using the most effective parameter setting for the model checker (BFS for MinePump; DFS and Random DFS for RemoteSensing). When using BFS, we also provide the comparison in terms of the shortest traces and the memory consumed to generate them (line Shortest Trace in both tables). ObsSlice execution times are Table 1. MinePump Verification time in seconds, and memory in Mbytes Default verif. settings Original Scenario Fig. 2 (a) Specialized Scenario Fig. 2 (b) DBM + BFS Normal Sliced Normal Sliced +settings D match? time mem. time mem. time mem. time mem. – 3201 yes 345.45 93.3 342.63 91.6 342.42 88.1 34.96 27.4 – 3202 no 1293.63 167.1 1271.83 163.3 1225.03 154.1 887.09 120.8 Shortest 3201 yes 677.33 208.7 686.85 207.6 727.67 208.0 52.98 49.0 Trace length / mem 321 st / 91 Kb 322 st / 91 Kb 322 st / 94 Kb 175 st / 50 Kb

Table 2. RemoteSensing Verification time in seconds (O/T: >11hs), and memory in MBytes (O/M: Out of Memory) Default verif. settings: Original Scenario Fig. 4 Specialized Scenario Fig. 6 DBM Normal Sliced Normal Sliced + settings match? time mem. time mem. time mem. time mem. DFS yes – O/M 1892.03 187.8 – O/M 55.58 28.8 RND best yes – O/M 178.26 19.5 – O/M 6.53 8.2 RND worst yes – O/M 4476.29 110.2 – O/M 71.81 43.1 RND aver. yes – O/M 1658.90 82.5 – O/M 35.16 19.6 Shortest yes – O/M O/T – – O/M 21401.00 579.7 Trace (CDS) length / mem – – – – – – 157steps. / 84Kb

68

V. Braberman et al.

not reported, being negligible w.r.t. verification times (less than five seconds). Moreover the results of the LCA technique can be reused provided VE only alter timing constraints in subsequent verifications. In MinePump (described in Sec. 2), we focus our analysis on the scenario in which the alarm may go off after its deadline D (Fig. 2(a)). As Table 1 shows slicing according to the original scenario is of little help in the verification phase, if we eliminate by hand timed components that interact neither with the property nor with the subsystem under analysis. The specialization proposed in Fig. 2(b) provides more detail, stating the existence of a sequence of events between f ault and alarmdisplayed that includes alarmadded, alarmget, alarmset, alarmreceived and wakeup. This helps ObsSlice do a more precise job deactivating components; which is significantly reflected in time, space and size of counterexamples during the model checking phase. Note that in case D=3202 the specialized version is not matchable. Thus, Fig. 3 expresses specialization exhaustiveness as a CS (line 8 of method) required to be checked in order to ensure that the result is sound. Exhaustiveness of the specialization can be verified using the LCA on generalizations of each negative scenario obtained by eliminating timing constraints (line 11). Actually, five negative scenarios were generated, not shown in the article due to space limitations. The verification of exhaustiveness can be done using convex hull over-approximation and takes about 10 secs. The other case study, called RemoteSensing, is a system consisting of a central node and two remote sensors [12]. Sensors regularly sample a pair of environmental variables V 1 and V 2, and store their values in shared memory. Signals are periodically sent to the sensors by threads running in the central node. Each sensor runs a thread dedicated to handle these messages by reading the last stored value from shared memory and sending it back to the central node. The latter pairs up the readings of each end-to-end task (i.e., the pipeline of activities that starts with a request of the corresponding variable and ends sending the sampled value to the pairing component for processing). A freshness requirement violation for a single data flow is informally stated as “value of variable V 1 used by the pairing component has been sampled in a too distant time instant”. Fig. 4 shows an existential scenario that matches whenever two signals conveying values for V 1 and V 2 are paired and the time distance between the sampling of V 1 and the pairing instant is greater than 455 time units. Note the use of the previous notation in order to express that there is no other V 1arrives-event after a particular V 1arrives and before an uppair-event. This example shows that specialization can be also used as a tool for a “proof by case” approach to model checking. In RemoteSensing, the VE provides additional information indicating all different ways an uppair event can occur before the occurrence of uppair included in Fig. 4 and the next occurrence of V 2arrives sampleV1 storeV1

readV1

¬ v1sentfails

V1sent V1arrives uppair

>455

V1V2Paired 1

Fig. 4. Existential V T S scenario: Freshness Violation

Speeding Up Model Checking of Timed-Models uppair

uppair 2 2

V2arrives 2 2

2

2

69

3

2

sampleV1 storeV1 readV1¬ v1sentfailsV1sent V1arrives

1

1

uppair >455

uppair

rrive

s

sampleV1 storeV1 readV1 V1sent V1arrives uppair V1V2Paired ¬ v1sentfails

1

(a) CS stating the expected 3 possible alternatives for previous uppair event and its next V 2arrives event uppair

V2 a

1

V2arrives 1

1

uppair

2

uppair V1V2Paired

(b) Neg. scenario: V 2arrives does not occur uppair

uppair

sampleV1 storeV1 readV1¬ v1sentfailsV1sent V1arrives

uppair V1V2Paired

(c) Neg. scenario: there are 3 uppairs during a candidate end-to-end job

sampleV1 storeV1 readV1 V1sent V1arrives ¬ v1sentfails

uppair V1V2Paired

>455

(d) Neg. scenario: previous uppair occurs before the sampling

Fig. 5. CS for the specialization and its respective negative scenarios uppair sampleV1

storeV1

readV1

V2arrives

¬ v1sentfails

V1sent V1arrives

uppair

V1V2Paired

>455

Fig. 6. Remote Sensing: the specialization used in verification

relative to the same scenario. Fig. 5a shows a CS that expresses exhaustiveness of specialization provided for this example. In the original verification goal of RemoteSensing, ObsSlice (see Table 2) is key to make verification feasible. It detects: (a) the irrelevance of sampler 2, (b) the irrelevance of sampler 1’s behavior as soon as its values are read (ReadV 1); and (c) that the rest of the modeling components are no longer relevant once the pairing component is triggered (i.e. the uppair event). Two key observations provide the rationale for the specializations presented: i) the signal rate in data flow for V 1 is slower than that for V 2, ii) once the first signal carrying V 2 (after the previous uppair) is registered by the pairing latch unit, the activity of that pipeline is no longer relevant and the occurrence of the pairing event only depends upon tracked behavior for the matched job carrying V 1. It turns out that it is worth making explicit this scenario fragment of expected behavior (see Fig. 6) in order to help ObsSlice detect the predicted irrelevance of activities of data flow for V 2 after V 2arrives, thus dramatically improving model checker performance w.r.t. bug finding on the model sliced in terms of the original scenario (line 3 of method). Of course, this guess can be formally stated, and efficiently and soundly analyzed3 as the CS in Fig. 5a. Figures 5b, 5c and 5d, show negative scenarios that were discarded as infeasible in a few secs. using overapproximation by convex hull (line 11). They are actually generalizations 3

Note that exhaustiveness check is not actually required in this particular example because Fig. 6 is actually matchable.

70

V. Braberman et al.

obtained from negative scenarios generated by the tool (line 9) by eliminating the timing constraint.

6

Related Work

The closest related work on automatic syntactic preprocessing of timed models are the clock-reduction technique for TAs presented in [14], and the static-guard analysis to find location-dependent maximum constants based on relevant guards [5]. Similarly to ObsSlice here, these techniques examine timed-components at a syntactic level to derive reductions that preserve the branching-time structure. In [14], like in ObsSlice, there is also a limited use of timing information (clocks are variables) to keep the preprocessing as light as possible. However, ObsSlice includes an “activity calculus” that can be applied to a SUA given as a parallel composition (i.e., not-already composed). Contrary to both techniques, which are indeed orthogonal to that of ObsSlice, our optimization essentially implies the deactivation of irrelevant components (not just clocks) during the on-the-fly verification step. Several approaches leverage the existence of partial information on expected/relevant behavior either provided by humans or mined by tools (e.g., test purposes [15,18], etc.). Several formally-stated interaction-based notations can be found in the literature suitable for describing systems using triggered scenarios or for specifying temporal properties (e.g., [16,19], etc.). We chose V T S as our base notation since some of its features make it suitable for defining and implementing conditional scenario specialization. More precisely: (a) V T S has a simple formal syntax and descriptive semantics based on partial orders and morphisms, (b) V T S verification algorithms are based on Timed Automata, for which tool support is readily available, and (c) V T S CSs can be automatically completed to a tautological form (a key feature for the exhaustiveness check). Further discussion of the related literature for scenario notations can be found in [12], while related work on automatic syntactic preprocessing of timed models in [10,11]. We are not aware of any scenario-based notation equipped with a set of deductive rules. In [17] a fragment of LSCs is shown to translatable into temporal logics which would enable some sort of deductive manipulation. Unlike their approach, our manipulations may be performed by the VE at the syntactic level not at a semantic layer like temporal logics or automata. A syntactic notion of refinement for Timed MSCs is presented in [20]. Since the authors pursue a development process based on refining charts, these notions distinguish whether the timing constraint is an assumption about the environment or a constraint on process performance. Our specialization concept is not meant to change the level of abstraction as refinements do. To our knowledge, the combination of live component analysis with scenarios, and the application of the latter to guide and improve the former constitutes an innovative approach. In some hard-to-check models, VEs would probably give up the pretension to provide exhaustive sets of specializations that are believed

Speeding Up Model Checking of Timed-Models

71

to exhibit the worst-case scenario for the verification goal. Thus, it is reasonable to compare our techniques with scenario-control ones (e.g., [15]). Firstly, our combination of specialization with LCA is not just focused on constraining model exploration by means of parallel composition, but it was devised as a way to conservatively optimize model checking. Secondly, events added in a specialization are actually merged in a single scenario with the property to be checked. Finally, our method generates a set of scenarios that, together with the ones checked, provide complete coverage of the original goal. Even assuming that exhaustive model checking is out of discussion, we believe that explicit description of discarded scenarios is a valuable tool.

7

Conclusions and Ongoing Work

We introduce an human-driven, exact optimization technique based on manipulation and checking of scenarios that dramatically reduces back-end modelchecking effort by improving the positive effects of LCA. Driven by the need to provide a neat framework for the technique, we define the first steps towards equipping the scenario notation V T S (a visual formalism to express, manipulate and model check event-based requirements for real-time systems) with a rigorous theory of syntactic relationships (specializations) between scenarios. One of the main steps in the method consists in specializing the original scenario into one or more cases, to achieve higher static detection of irrelevant activity in the model. V T S equipped with the notion of specialization, as defined in this paper, is well suited for this combination: case specialization is a neatly defined concept, and its exhaustiveness of coverage (i.e., are these all possible cases?) can be expressed as a conditional scenario. Thus, our method provides warnings whenever a set of specializations is potentially pruning state space and thus hiding bugs. Moreover, it identifies the scenarios not being considered which can be in turn checked for infeasibility. In theory, larger observers might contribute to larger state spaces, thus a more expensive verification process. However, this is not bound to happen and we plan to characterize those cases. In addition, results of this paper show that, combining specialization with LCA may actually provide a valuable approach specially when the VE has a good hint of candidate counterexamples.

References 1. Aceto, L., Burgue˜ no, A., Larsen, K.G.: Model checking via reachability testing for timed automata. In: Steffen, B. (ed.) TACAS 1998. LNCS, vol. 1384, pp. 263–280. Springer, Heidelberg (1998) 2. Alpern, B., Schneider, F.: Verifying temporal properties without temporal logic. ACM Trans. Programming Lang. and Systems 11(1), 147–167 (1989) 3. Alur, R., Courcoubetis, C., Dill, D.L.: Model-checking in dense real-time. Information and Computation 104(1), 2–34 (1993) 4. Alur, R., Dill, D.L.: A theory of timed automata. Theoretical Computer Science 126(2), 183–235 (1994)

72

V. Braberman et al.

5. Behrmann, G., Bouyer, P., Fleury, E., Larsen, K.G.: Static guard analysis in timed automata verification. In: Garavel, H., Hatcliff, J. (eds.) TACAS 2003. LNCS, vol. 2619, pp. 254–270. Springer, Heidelberg (2003) 6. Bengtsson, J., Larsen, K.G., Larsson, F., Pettersson, P., Yi, W.: UPPAAL - a tool suite for automatic verification of real-time systems. In: Proceedings of the International Conference on Hybrid Systems, pp. 232–243. Springer, Heidelberg (1995) 7. Bozga, M., Daws, C., Maler, O., Olivero, A., Tripakis, S., Yovine, S.: Kronos: A model-checking tool for real-time systems. In: Y. Vardi, M. (ed.) CAV 1998. LNCS, vol. 1427, pp. 546–550. Springer, Heidelberg (1998) 8. Braberman, V.: Modeling and Checking Real-Time Systems Designs. PhD thesis, FCEyN. Univ. de Buenos Aires (2000) 9. Braberman, V., Garbervetsky, D., Kicillof, N., Monteverde, D., Olivero, A.: Specializing scenarios. Technical report, DC. FCEN. UBA (2008), http://www.dc.uba.ar/people/exclusivos/vbraber 10. Braberman, V.A., Garbervetsky, D., Olivero, A.: Improving the verification of timed systems using influence information. In: Katoen, J.-P., Stevens, P. (eds.) TACAS 2002. LNCS, vol. 2280, pp. 21–36. Springer, Heidelberg (2002) 11. Braberman, V.A., Garbervetsky, D., Olivero, A.: ObsSlice: A timed automata slicer based on observers. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 470–474. Springer, Heidelberg (2004) 12. Braberman, V., Kicillof, N., Olivero, A.: A scenario-matching approach to the description and model checking of real-time properties. IEEE Transactions on Software Engineering 31(12), 1028–1041 (2005) 13. Clarke, E., Grumberg, O., Peled, D.: Model Checking. MIT Press, Cambridge (1999) 14. Daws, C., Yovine, S.: Reducing the number of clock variables of timed automata. In: Proceedings of IEEE RTSS 1996. IEEE Computer Society Press, Los Alamitos (1996) 15. Grieskamp, W., Kicillof, N., Tillmann, N.: Action machines: A framework for encoding and composing partial behaviors. Int. Jour. SEKE 16(5), 705–726 (2006) 16. Harel, D., Marelly, R.: Playing with time: On the specification and execution of time-enriched LSCs. In: Proceedings of the 10th IEEE/ACM International Symposium MASCOTS 2002, pp. 193–202. IEEE Computer Society Press, Los Alamitos (2002) 17. Kugler, H.-J., Harel, D., Pnueli, A., Lu, Y., Bontemps, Y.: Temporal Logic for Scenario-Based Specifications. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 445–460. Springer, Heidelberg (2005) 18. Ledru, Y., du Bousquet, L., Bontron, P., Maury, O., Oriat, C., Potet, M.-L.: Test purposes: Adapting the notion of specification to testing. In: Proceedings of the 16th IEEE Int. Conf. ASE 2001. IEEE Computer Society Press, Los Alamitos (2001) 19. Sengupta, B., Cleaveland, R.: Triggered message sequence charts. In: SIGSOFT FSE, pp. 167–176 (2002) 20. Zheng, T., Khendek, F., Parreaux, B.: Refining timed mscs. In: Reed, R., Reed, J. (eds.) SDL 2003. LNCS, vol. 2708, pp. 234–250. Springer, Heidelberg (2003)

Efficient on-the-fly Algorithm for Checking Alternating Timed Simulation Peter Bulychev1 , Thomas Chatain2 , Alexandre David3 , and Kim G. Larsen3 1

Lomonosov Moscow State University, Russia [email protected] 2 LSV, ENS Cachan, France [email protected] 3 CISS, Aalborg University, Denmark {adavid,kgl}@cs.aau.dk

Abstract. In this paper we focus on property-preserving preorders between timed game automata and their application to control of partially observable systems. We define timed weak alternating simulation as a preorder between timed game automata, which preserves controllability. We define the rules of building a symbolic turn-based two-player game such that the existence of a winning strategy is equivalent to the simulation being satisfied. We also propose an on-the-fly algorithm for solving this game. This simulation checking method can be applied to the case of non-alternating or strong simulations as well. We illustrate our algorithm by a case study and report on results.

1

Introduction

Since the introduction of timed automata [3] the technology and tool support [18,8,6] for model-checking and analysis of timed automata based formalisms have reached a level mature enough for industrial applications as witnessed by a large and growing number of case studies. Most recently, efficient on-the-fly algorithms for solving reachability and safety games based on timed game automata have been put forward [9] and made available within the tool Uppaal-Tiga. The tool has been recently used in an industrial case study [17] with the company Skov A/S for synthesizing climate control programs to be used in modern pig and poultry stables. Also Uppaal-Tiga has been used for autonomous robot control [1]. Despite this success, the state-space explosion problem is a reality preventing the tools from scaling up to arbitrarily large and complex systems. We need complementary techniques allowing for the verification and analysis efforts to be carried out on suitable abstractions. Assume that S is a timed (game) automaton and assume that φ is a property to be established (solved) for S. Now S may be a timed automaton too complex for 

This work has been supported by the EC FP7 under grant numbers INFSO-ICT-224249 (Multiform www.ict-multiform.eu) and ICT-214755 (Quasimodo www.quasimodo.aau.dk), and the VKR Center of Excellence MT-LAB (www.mtlab.dk).

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 73–87, 2009. c Springer-Verlag Berlin Heidelberg 2009 

74

P. Bulychev et al.

our verification tool to settle the property φ, or S may be a timed automaton with a number of unobservable features that can not be exploited in any realizable strategy for solving the game. The goal of abstraction is to replace the complex (or unobservable) model S with an abstract timed automaton A being smaller in size, less complex and fully observable. This method requires the user not only to supply the abstraction but also to argue that the abstraction is correct in the sense that all relevant properties established (controllable) for A also hold (are controllable) for S; i.e. it should be established that S ≥ A for some property-preserving relationship ≥ between timed (game) automata. If one wants to detect errors in S (i.e to show that φ is not satisfied on S) rather than show its correctness, he can prove that φ is not satisfied on A and show that A ≥ S. The possible choices for the preorder ≥ obviously depend heavily on the class of properties to be preserved as well as the underlying modeling formalism. In this paper we introduce the logic ATCTL being a universal fragment of the real-time logic TCTL [2]. We introduce the notion of weak alternating timed simulation between timed game automata. This relation is proved to preserve controllability with respect to ATCTL. We reduce the problem of checking given notion of simulation to the problem of solving timed reachability turn-based game of two players. Also we provide symbolic on-the-fly algorithm for solving this game, which is a derivative of the algorithm of solving timed games proposed in [9]. It should be mentioned that in our algorithm we have exploited the fact that simulation-checking game is turn-based, i.e., in each game state only one player is permitted to make a move. This makes our algorithm simpler than the one, proposed in [9]. This algorithm can be also applied to checking nonalternating weak simulation, i.e., to the case when there are no uncontrollable transitions in timed automata. Related work. Decidability for timed (bi)simulation between timed automata was given in [10] using a “product” region construction. This technique provided the computational basis of the tool Epsilon [11]. In [21] a zone-based algorithm for checking (weak) timed bisimulation – and hence not suffering the regionexplosion in Epsilon – was proposed though never implemented in any tool. For fully observable and deterministic abstract models timed simulation may be reduced to a reachability problem of S in the context of a suitably constructed testing automaton monitoring that the behavior exhibited is within the bounds of A [16]. Alternating temporal logics were introduced in [4] and alternating simulation between finite-state systems was introduced in [5]. The application of our method using weak alternating simulation for the problem of timed control under partial observability improves the direct method proposed in [13] to solve the same problem. The current paper has been preceeded by the paper [12]. In that paper the simulation-checking task has been reduced to the task of reachability analysis of timed game automata, which in turn can be performed using the tool Uppaal-Tiga [9]. This reduction was tricky because the formalism of timed game automata is not well suited for expressing simulation-checking games. In

Efficient on-the-fly Algorithm for Checking Alternating Timed Simulation

75

the current paper we use another more natural formalism for defining simulationchecking games. The new simulation-checking games are turn-based (only one player owns each game state), and that makes them easier to solve. The current paper is self-contained and does not refer to [12]. Overview of the Paper. In Section 2 we present the models of timed automata and timed game automata as well as the logic ATCTL. In Section 3 we define weak alternating timed simulation preorder. We prove that it preserves controllability with respect to ATCTL, and propose the algorithm of solving it.

2 2.1

Timed Games and Preliminaries Timed Automata

Let X be a finite set of real-valued variables called clocks. We denote B(X) the set of constraints ϕ generated by the grammar: ϕ ::= x ∼ k | ϕ ∧ ϕ where k ∈ Z, x ∈ X and ∼ ∈ {<, ≤, =, >, ≥}. A valuation of the variables in X is a mapping v : X  → R≥0 . We write 0 for the valuation that assigns 0 to each clock. For Y ⊆ X, we denote by v[Y ] the valuation assigning 0 (resp. v(x)) for any x ∈ Y (resp. x ∈ X \ Y ). We denote v + δ for δ ∈ R≥0 the valuation s.t. for all x ∈ X, (v + δ)(x) = v(x) + δ. For g ∈ B(X) and v ∈ RX ≥0 , we write v |= g if v satisfies g. We denote [[g]] = {v ∈ RX | v |= g}. ≥0 Definition 1 (Timed Automaton [3]). A Timed Automaton (TA) is a tuple A = (L, l0 , Σ, X, E, Inv) where L is a finite set of locations, l0 ∈ L is the initial location, Σ is the set of actions, X is a finite set of real-valued clocks, Inv : L → B(X) associates to each location its invariant and E ⊆ L × B(X) × Σ × 2X × L is a finite set of transitions, where t = (l, g, a, R, l ) ∈ E represents a transition from the location l to l , labeled by a, with the guard g, that resets the clocks in R. One special label τ is used to code the fact that a transition is not observable. A state of a TA is a pair (l, v) ∈ L × RX ≥0 that consists of a discrete part and a valuation of the clocks. From a state (l, v) ∈ L × RX ≥0 s.t. v |= Inv (l), a TA can either let time progress or do a discrete transition and reach a new state. This is a defined by the transition relation −→ built as follows: for a ∈ Σ, (l, v) −−→ (l , v  )   if there exists a transition e = (l, g, a, Y, l ) in E s.t. v |= g, v = v[Y ] and v  |= Inv (l ), we denote the fact that e is enabled from v by Enabled(e, v) δ

and abbreviate v  = P oste (v). For δ ≥ 0, (l, v) −−→ (l, v  ) if v  = v + δ and v, v  ∈ [[Inv (l)]]. Thus the semantics of a TA is the labeled transition system  SA = (Q, q0 , −→) where Q = L×RX ≥0 , q0 = (l0 , 0) and the set of labels is Σ∪R≥0 . A run of a timed automaton A is a sequence (q0 , δ1 , q1 , t1 , q1 , δ2 , q2 , t2 , q2 . . . ) of alternating time and discrete transitions in SA . We use Runs(q, A) for the set of runs that start in state q. We write Runs(A) for Runs((l0 , 0), A). If ρ is a finite run we denote Duration(ρ) the total elapsed time all along the run. a+ a Let’s define q −−−→ q  iff q −−→ q  or there exists a sequence of states q1 , . . . , qn a a a a a∗ a+ such, that q −−→ q1 −−→ . . . −−→ qn −−→ q  , and define q −−−→ q  iff q −−−→ q 

76

P. Bulychev et al. a

b

a

or q = q  . We use the superposition of transitions: q −−→−−→ q  iff ∃q  · q −−→ b q  −−→ q  . 2.2

Symbolic Operations on Clock Valuations

The state space of timed automaton is infinite and thus it should be handled using symbolic methods. Consider set of clocks X and a set of clock valuations X Z ⊆ R≥0 . We use the following abbreviations Z  = {v + δ|v ∈ Z ∧ δ ∈ R≥0 } and Z  = {v|{v} ∩ Z = ∅}, these operations are called future and past correspondingly. Difference bounded matrixes (DBM) can be used to encode [[g]]   for every g ∈  B(X) [7]. The  set of DBMs is closed under the future ( ), past( ), intersection ( ) union ( ) and complementary (¬) operations. We use symbolic extension of P oste function: P oste (Z) = {P oste (v)|v ∈ Z ∧ Enabled(e, v)}, also we use P rede (Z) = {v|P oste (v) ∈ Z}. These two functions can be implemented using operations on DBMs. 2.3

ATCTL

In this article, we consider the restricted subset of universal fragment of the real-time logic TCTL [2], we call it ATCTL. Definition 2 (ATCTL). A formula of ATCTL is either A φ1 Ut φ2 or A φ1 Wt φ2 , where A denotes the quantifier “for all path” and Ut ( resp. Wt ) denotes the temporal operator “until” ( resp. “weak until”), t ∈ Z ∪ {+∞} and the φi ’s are sets of observable actions. A run ρ of a timed automaton A satisfies φ1 Ut φ2 iff there exists a prefix ρ of ρ such that: 1) all observable actions of ρ are in φ1 and 2) the last action of ρ is in φ2 and 3) Duration(ρ ) ≤ t. Then we write ρ |= φ1 Ut φ2 . A run ρ of a timed automaton A satisfies φ1 Wt φ2 iff either it satisfies φ1 Ut φ2 or only actions of φ1 occur in ρ. Then we write ρ |= φ1 Wt φ2 . When all the runs of a timed automaton A satisfy a property φ, we write A |= A φ. In the following, the proposed notions of strategies and outcome are similar to the setting of asymmetric concurrent games in [14]. 2.4

Timed Games

Definition 3 (Timed Game Automaton [19]). A Timed Game Automaton (TGA) G is a timed automaton with its set of transitions E partitioned into controllable (E c ) and uncontrollable (E u ) transitions. We assume that a controllable transition and an uncontrollable transition never share the same observable label. In addition, invariants are restricted to Inv : L → B  (X) where B  is the subset of B using constraints of the form x ≤ k, which is needed to handle forced actions. Given a TGA G and a control property φ ≡ A φ1 Ut φ2 (resp. A φ1 Wt φ2 ) of ATCTL, the reachability ( resp. safety) control problem consists in finding a

Efficient on-the-fly Algorithm for Checking Alternating Timed Simulation

77

strategy f for the controller such that all the runs of G supervised by f satisfy the formula. By “the game (G, φ)” we refer to the control problem for G and φ. The formal definition of the control problems is based on the definitions of strategies and outcomes. In any given situation, the strategies suggest to do a particular transition e after a given delay δ. A strategy [19] is described by a function that during the course of the game constantly gives information as to what the players want to do, in the form of a pair (δ, e) ∈ (R≥0 × E) ∪ {(∞, ⊥)}. (∞, ⊥) means that the strategy wants to delay forever. The environment has priority when choosing its actions: If the controller and the environment want to play at the same time, the environment actually plays. In addition, the environment can decide not to take action if an invariant requires to leave a state and the controller can do so. Assumptions. We consider only runs that are infinite and contain infinitely many observable transitions. We assume that from every state, either a delay action with positive duration or a controllable action can occur. Definition 4 (Strategies). Let G = (L, l0 , Σ, X, E, Inv) be a TGA. A strategy over G for the controller ( resp. the environment) is a function f from the set of runs Runs((l0 , 0), G) to (R≥0 × E c ) ∪ {(∞, ⊥)} ( resp. (R≥0 × E u ) ∪ {(∞, ⊥)}). def We denote (δ(ρ), e(ρ)) = f (ρ) and we require that for every run ρ leading to a state q, – if δ(ρ) = 0 then the transition e(ρ) is possible from q. – for all δ  ≤ δ(ρ), waiting δ  time units after ρ is possible and the augmented δ

run ρ = ρ −→ (abusing notation) satisfies: f (ρ ) = (δ(ρ) − δ  , e(ρ)). Furthermore, the controller is forced to play if an invariant expires, (and, by assumption it can always play). This can be specified as follows: if no positive delay is possible from q, then the strategy of the controller satisfies δ(ρ) = 0. A strategy is called a memoryless strategy if it depends only on the last state of a run. We assume only memoryless strategies. The restricted behavior of a TGA G when the controller plays a strategy fc and the opponent plays a strategy fu is defined by the notion of outcome. Definition 5 (Outcome). Let G = (L, l0 , Σ, X, E, Inv) be a TGA and fc , resp. fu , a strategy over G for the controller, resp. the environment. The outcome Outcome(q, fc , fu ) from q in G is the (possibly infinite) maximal run ρ = (ρ0 , . . . , ρi , . . . ) such that for every i ∈ N (or 0 ≤ i < |ρ| 2 for finite runs), – ρ2i = min{δ  c (ρ0 , . . . , ρ2i−1 ), δu (ρ0 , . . . , ρ2i−1 )} e (ρ , . . . , ρ2i ) if δu (ρ0 , . . . , ρ2i ) = 0 – ρ2i+1 = u 0 ec (ρ0 , . . . , ρ2i ) otherwise A strategy fc for the controller is winning in the game (A, A φ) if for every fu , Outcome(q0 , fc , fu ) satisfies φ. We say that a formula φ is controllable in A, and we write A |= A φ, if there exists a winning strategy for the game (A, A φ).

78

3

P. Bulychev et al.

Playing Games with Timed Games

In this section we let A and B be two timed game automata. We want to find conditions that ensure that any property of ATCTL that is controllable in B is also controllable in A. In the context of model-checking, simulation relations allow us to verify some properties of a concrete model using a more abstract version of the model, after checking the fact that the abstract model simulates the concrete one. Here we are also considering the more general problem of controller synthesis: Some actions are controllable (the models A and B are TGA) and we want to use an abstraction of the model to build controllers for some properties of the concrete model. For this we define weak alternating simulation relation, such that if A ≥ B, then any property of ATCTL that is controllable in B is also controllable in A. 3.1

Weak Alternating Simulation

We define weak alternating simulation relation as a relation R between the states of A and those of B such that if (qA , qB ) ∈ R, then every property that is controllable in B from qB is also controllable in A from qA . Thus every controllable transition that can be taken from qB must be matched by an equally labeled controllable transition from qA . And on the other hand, every uncontrollable transition in A tends to make A harder to control than B; then we require that it is matched by an equally labeled uncontrollable transition in B. Progress of time. It is necessary to check that if the controller of B is able to avoid playing any action during a given delay, then the controller of A is able to do the same. To understand why this is required, think of a control property where the goal is simply to reach a given time without playing any observable action, unless the environment plays an uncontrollable action. If the controller of B is able to wait, then it has a winning strategy for this property. So the controller of A must be able to win too. Symmetrically, we should in principle check that if the environment of A is able to avoid playing any action during a given delay, then the environment of B is able to do the same. Actually this property does not need to be checked since, by assumption, the environments are never forced to play. τ actions. We consider the case when there are no τ transitions in the model A. It is a natural limitation, because abstract models usually do not have any invisible behavior. Besides that, permitting the τ transitions in A complicates the definition and the computation of the corresponding simulation relation, because in this case any delay in B can be matched by a series of delays in A separated by τ transitions. Model B can contain τ transitions. Controllable τ transitions in B don’t have to be matched in A, but the state, which is reachable by controllable τ transition from qB , should be still simulated by qA . Additionally any uncontrollable

Efficient on-the-fly Algorithm for Checking Alternating Timed Simulation

79

observable transition in B is allowed to be preceded by a finite amount of uncontrollable τ transitions. The last point makes our simulation weaker (i.e. more pairs of models satisfy our definition) but still preserves the observable features. Definition 6 (Timed Weak Alternating Simulation). A weak alternating simulation relation between two TGAs A = (LA , lA0 , Σ \ {τ }, XA , EA , InvA ) and B = (LB , lB0 , Σ, XB , EB , InvB ) is a relation R ⊆ QA × QB such that (q0 A , q0 B ) ∈ R and for every (qA , qB ) ∈ R and for every observable action a τ

  – (qB − →c qB ) =⇒ ((qA , qB ) ∈ R) a a      – (qB − →c qB ) =⇒ ∃qA (qA − →c qA ∧ (qA , qB ) ∈ R) a τ∗ a      – (qA − →u qA ) =⇒ ∃qB (qB −→u − →u qB ∧ (qA , qB ) ∈ R) δ

  – (qB − → qB ) =⇒ ∃qA

δ

   (qA − → qA ∧ (qA , qB ) ∈ R)

(τ action) (controllable) (uncontrollable) (delay)

We write A ≥ B if there exists a weak alternating simulation relation between A and B. Theorem 1. If A and B are two timed games such that A ≥ B, then for every formula A φ ∈ ATCTL, if B |= A φ, then A |= A φ. Proof (Proof Outline). We show how to build a winning strategy fAc for the controller in A from a winning strategy fBc for the controller in B using the relation R. The strategy fAc that we build is such that for every strategy fAu for the environment in A, there exists a strategy fBu (that we build also from fAu using R) such that the outcome of fAu and fAc in A matches the outcome of fBu and fBc in B (w.r.t. the observations) and one can play the two games simultaneously such that all along the plays the current state qA in A is related by R to the current state qB in B. The strategy fAc is built by playing a fake game in B that imitates (w.r.t R) the game in A. – When the environment of A plays a transition, play an equally labeled uncontrollable transition in the fake game B such that the states in A and B are still related by R. – When the controller of A plays an observable transition, play an equally labeled controllable transition in the fake game B such that the states in A and B are still related by R. – Otherwise let time elapse in B as it elapses in A. The rest of the proof consists in showing that the strategy fAc is well defined, i.e. the required actions are possible. This is done by induction on the length of the finite runs of the games. Like the case of untimed weak simulation, timed weak simulation doesn’t respect the branching structure of the models [20]. Thus if we allow nested quantifiers

80

P. Bulychev et al.

in the considered logic ATCTL, then weak timed simulation will not preserve the satisfiability of its formulas. In the current paper we don’t study a characterization of timed alternating simulation in terms of logic, it is planned for a future work. Theorem 1 can be used to show that all the formulas that are uncontrollable for the abstract model A are also uncontrollable for the concrete model S (by checking S ≥ A). However, if we want to show that all the formulas controllable in A are also controllable in model S that contains invisible behaviour, then we can’t apply theorem 1 straightforwardly. For this case we can check the simulation between the inverted models according to the following theorem: Theorem 2. If TGAs A and B  are obtained from TGAs A and B by replacing c controllable transitions by uncontrollable transitions and vice versa (i.e. EB  = u u c c u u c   EB , EB  = EB , EA = EA , EA = EA ) and B ≥ A , then for every formula A φ ∈ ATCTL, if B |= A φ, then A |= A φ. 3.2

Simulation Checking Game

In this section we consider the task of checking weak alternating simulation between TGAs A = (LA , lA0 , Σ \ {τ }, XA , EA , InvA ) and B = (LB , lB0 , Σ, XB , EB , InvB ), i.e. A ≥ B. We assume that LA ∩ LB = ∅ and XA ∩ XB = ∅. There is an uncontrollable τ loop in TGA M iff there is a reachable state τ+ q ∈ QM such that q −−→u q. We assume that there are no uncontrollable τ loops in B. We use one of the well known methods of checking simulation relations. The method reduces the simulation checking task to the task of solving a two-players game [15]. In this game one player, Spoiler, tries to put the models in an inconsistent state by taking controllable transitions in B and uncontrollable in A. The other player, Duplicator, tries to prevent Spoiler from doing that by repeating Spoiler’s transition in the opposite model. The simulation checking game is infinite for our case because the state spaces of the original models are infinite. Therefore we solve our game using symbolic methods. Definition of Simulation Checking Game. The simulation checking game is turn-based, which means that in each game state only one player is allowed to make a move. The game states are represented by the tuples (lA , lB , Z, a), XA ∪XB where lA ∈ LA , lB ∈ LB , a ∈ {⊥} ∪ Σ \ {τ } and Z ⊆ R≥0 . All the game states (lA , lB , Z, a) such that a = ⊥ are states of the player Spoiler and we use the shorthand (lA , lB , Z)S for identifying them. All other states belong to player Duplicator and we’ll use the shorthand (lA , lB , Z, a)D for them. We use the function T ype() which given a game state as an input returns its owner. We use an abbrevation Z(S) for the third component of a game state S. For two game states S1 and S2 we write S1 → S2 if there is a game transition from S1 to S2 . The game transition relation is constructed as follows:

Efficient on-the-fly Algorithm for Checking Alternating Timed Simulation

81

  c – (lA , lB , Z)S → (lA , lB , Z  )S iff e = (lB , g, τ, Y, lB ) ∈ EB and Z  =   P oste (Z) ∩ [[InvB (lB )]]   c – (lA , lB , Z)S → (lA , lB , Z  , a)D iff e = (lB , g, a, Y, lB ) ∈ EB ,a = τ and Z  = P oste (Z)   u – (lA , lB , Z)S → (lA , lB , Z  , a)D iff e = (lA , g, a, Y, lA ) ∈ EA and Z  = P oste (Z)   c – (lA , lB , Z, a)D → (lA , lB , Z  )S iff e = (lA , g, a, Y, lA ) ∈ EA , Z =  P oste (Z) ∩ [[InvB (lB )]]   u – (lA , lB , Z, a)D → (lA , lB , Z  )S iff e = (lB , g, a, Y, lB ) ∈ EB , Z =   P oste (Z) ∩ [[InvB (lB )]]   u – (lA , lB , Z, a)D → (lA , lB , Z  , a)D iff e = (lB , g, τ, Y, lB ) ∈ EB , Z  = P oste (Z)

Remind that observable controllable and uncontrollable transitions of one model never share the same label, thus controllable transition in B can’t be matched by uncontrollable transition in B and uncontrollable transition in A can’t be matched by controllable transition in A. Consider the initial game state S0 = (lA0 , lB0 , {0} ∩ [[InvB (lB0 )]])S . The set of all game states, which are reachable from S0 by the game transition relation, is finite and can be built by forward exploration. For each game transition α = (S  → S  ) we store the transition e of one of the models, which has been used in it. It allows us to define function P redα :     2Z(S ) → 2Z(S ) (resp. P ostα : 2Z(S ) → 2Z(S ) ), such that it returns the set of all the predecessors (resp. successors) of Z  . For instance if α = (S  → S  ) is a transition of the first type, in which transition e of the model B has been used, and Z  ⊆ Z(S  ), then P redα (Z  ) = Z(S  ) ∩ {(sA , sB )|(sA , sB ) ∈ Z  ∧ sB ∈ P rede (sB )}. The fourth (delay) requirement of the simulation definition is not presented in the game rules, because this requirement can be checked by player Spoiler alone and thus he can modify the set of concrete winning states without interacting with Duplicator. As it has been mentioned before model B is not allowed to have uncontrollable τ loops. It makes sense for the transitions of the last type because otherwise Duplicator could move along such a loop forever and thus win even if there is no simulation. Conservative static analysis can be used to detect τ loops before running simulation checking algorithm. Simulation-checking games for finite-state automata are finite and thus can be solved by back-propagating the set of game states which are known to be winning for Spoiler [15]. In our case each game state S includes a possibly infinite set of clock valuations Z(S), some of them are winning for Spoiler. We use function W in(S) ⊆ Z(S) to store them. Definition 7. Let us say that function W in defines the set of winning states of the player Spoiler, if the following requirements are fulfilled: – if T ype(S) = Spoiler and S = (lA , lB , Z)S , then     W in(S) = Z(S) ∩ Z(S) ∩ ¬[[InvA (lA )]] ∪ α=S→S  P redα (W in(S  )) ,

82

P. Bulychev et al.

– if T ype(S) = Duplicator, then  W in(S) = Z(S) \ α=S→S  P redα (Z(S  ) \ W in(S  )), – W in is the least such function according to the preorder f ≤ g ≡ ∀S(f (S) ⊆ g(S)). The first point of this definition stands for the fact that Spoiler wins in a state of the concrete game if the invariant of A is violated or if he can delay and move to some other winning state. The second point means that Duplicator loses in a state of concrete game if he can’t move to some other game state, which is winning for him. Theorem 3. For every two models A and B there is one and only one function W in, such that it satisfies definition 7. Theorem 4. Let W in be a function which satisfies definition 7. Then A simulates B with respect to weak alternating simulation iff 0 ∈ W in(S0 ). Solving Simulation Checking Game. Our goal is to build the function W in which defines the set of winning states for Spoiler, and then checks whether Spoiler wins in the initial state. We can do it by firstly building game graph in the forward manner and than back-propagating the values of the W in function. If we use this approach, we have to build the entire game graph even if there is no simulation and it can be proved after a few steps. To avoid this we develop an efficient on-the-fly algorithm based on the algorithm for solving timed games [9]. This algorithm combines forward exploration of a state-space and backward propagation of a winning set. Being on-the-fly, the symbolic algorithm may terminate before having explored the entire state-space, i.e. as soon as a winning strategy has been identified. The symbolic on-the-fly algorithm for computing simulation-checking game is given in Figure 1. The algorithm is based on a waiting-list, W aiting, of edges in the game graph to be explored, and a passed-list, P assed, containing all the symbolic states of the simulation-graph encountered so far by the algorithm. For each explored game state S the symbolic representation of the set of corresponding winning states is stored in W in[S] ⊆ Z(S). The set Depend[S] indicates the set of predecessors of S which must be reevaluated when new information about W in[S] is obtained. Each time when an edge e = (S, S  ) is considered with S  ∈ P assed and W in[S  ]  Z(S  ) the edge e is added to the dependency set of S  in order that possible future information about additional winning states within S  may also be back-propagated to S. There is a major difference between the original algorithm [9] and the derivative algorithm, presented in this paper. The function P redt (X, Y ) has been used in the original algorithm for back-propagation of winning states. It returns the set of the states, from which we can reach X by time elapsing and along the path we avoid Y . The simulation-checking game is turn-based, it means that in each game state only one player can make a move. Thus the set of the states to be avoided during the back-propagation is empty and the past operator (X  )

Efficient on-the-fly Algorithm for Checking Alternating Timed Simulation

83

Initialization: S0 = (lA0 , lB0 , 0 ∩ [[InvB (lB0 )]]))S W in[S0 ] = [[InvB (lB0 )]] ∩ ([[InvB (lB0 )]] ∩ ¬[[InvA (lA0 )]]) W aiting = {(S0 , S)|S0 → S} Depend[S0 ] = ∅ P assed = ∅ Main: while ((W aiting  = ∅) ∧ (0 ∈ / W in[S0 ])) do  (S, S ) = pop(W aiting) if S  ∈ / P assed then P assed = P assed ∪ {S  } Depend[S  ] = {(S, S  )} (lA , lB , Z, a) = S  if T ype(S ) = Spoiler W in[S  ] = Z(S  ) ∩ (Z(S  ) ∩ ¬[[InvA (lA )]]) else if {S  |S  → S  } = ∅ then W in[S  ] = Z(S  ) else W in[S  ] = ∅ end if W aiting = W aiting ∪ {(S  , S  )|S  → S  } if W in[S  ]  = ∅ then W aiting = W aiting ∪ {(S, S  )} else (* reevaluate *) if T ype(S) = Spoiler then  W in∗ = W in[S] ∪ (Z(S) ∩ ( α=S→S  P redα (W in[S  ])) ) else  W in∗ = Z(S) \ α=S→S  P redα (Z(S  ) \ W in[S  ]) end if if W in∗  ⊆ W in[S] then W aiting = W aiting ∪ Depend[S]; W in[S] = W in∗ ; end if Depend[S  ] = Depend[S  ] ∪ {(S, S  )} end if end while Fig. 1. On-The-Fly Algorithm for Solving Simulation Checking Games

can be used instead of the P redt (X, Y ) function. The P redt (X, Y ) function is more expensive to compute than operator X  (when Y is nonempty). Theorem 5. The given algorithm terminates. Upon its termination there are two possible situations: – 0 ∈ W in[S0 ] is fulfilled and A doesn’t simulate B – W in defines the set of winning states of Spoiler in the simulation checking game

84

P. Bulychev et al.

It follows from the theorem 1 that A simulates B if and only if 0 ∈ W in[S0 ] upon termination of the given algorithm. 3.3

Handling Forced Transitions

If we remove the assumption that a controller can always make a transition, then it will be possible for a model to come to a state where an invariant has expired and only an environment is able to play. We consider infinite runs only and thus environment will be forced to play in this case. Theorem 1 is not valid for models with such kind of forced transitions. However this special case can be handled by complementing these uncontrollable transitions by controllable transitions which are enabled only when the invariants of their source states expire. From a controllability point of view the transformed models are equivalent to the original models. Thus it is correct to apply theorem 1 to transformed models to prove that all the ATCTL formulas that are controllable for one model with forced environment transitions are also controllable for the other model. 3.4

Handling Unobservable Transitions

Consider the task of checking whether A ≥ B. In the current paper A is not allowed to have any τ transitions. This restriction seems to be reasonable because A is typically an abstraction and doesn’t contain any invisible activity. If this restriction is removed, then the simulation relation is more complex to define and to compute, because in this case we have to allow to match one delay in B by series of delays and τ transitions in A. For instance, the delay for 2 time units in B could be matched in A by delay for 1 time unit, τ transition to some other state and than again by delay for 1 time unit in that state. This makes it impossible to apply the proposed algorithm and more complex to develop the appropriate one.

4

Experimental Results

The problem of timed controllability under partial observability has been studied in the paper [13]. In this task a controller has only imperfect or partial information on the state of the system. This imperfect information is given in terms of a finite number of observations on the state of the system. The controller can only use such observations to distinguish states and base its strategy on. In paper [12] we showed that this problem can be solved by generating controller strategy for an abstract and fully observable model and proving that this abstract model simulates the original one. We use the same model as we used in the case study in the paper [12]. A box is placed on a moving conveyor belt to reach a place where it is filled. The box has to go through a number of steps, that is a parameter N in the model. Each step takes a variable duration (0 to 1 time unit); consequently, the exact time when the box arrives in the state Ready is unknown. And the box might stay only N + 3 time units in the state Ready.

Efficient on-the-fly Algorithm for Checking Alternating Timed Simulation

85

Fig. 2. Concrete model of a box (left) and abstract model (right)

Thus the challenge for the controller is to fill the box while it is in the state Ready. This would be easy if the controller observes the progress of the box on the conveyor belt. But we assume precisely that this is not the case. Then the controller has to fill the box at a time where it is sure that the box is in the state Ready, however the box has progressed on the conveyor belt. Figure 2 (left part) shows a model of the system as a timed game automaton. The loop represents the progress on the conveyor belt, incrementing the variable pos, which represents the position on the belt. We therefore introduce a fully observable, abstract model, shown in Figure 2 (right part). In both models all the transitions are non observable except transitions which end at the states Win and Loose, and they are marked by fill and remove actions correspondingly. We can use Uppaal-Tiga to check this model for controllability. To guarantee that the strategy obtained from this abstract model also correctly controls our original concrete model we use proposed algorithm to establish a timed weak alternating simulation between the two models and apply theorem 2. We have checked the simulation between the abstract and the concrete model for different values of N using the algorithm proposed in the current paper and using the algorithm proposed in the paper [12]. Table 1 shows the execution time obtained experimentally for these two algorithms. It could be seen that the new Table 1. Experimental results proposed algorithm N time (in seconds) 1000 0.051 2000 0.098 3000 0.147 4000 0.196 5000 0.247 6000 0.304 7000 0.356 8000 0.411 9000 0.468 10000 0.525 15000 0.805 20000 1.085

reduction-based algorithm [12] N time (in seconds) 100 0.3 200 0.9 300 2.0 400 3.5 500 5.4 600 7.7 700 10.4 800 13.6 900 17.1 1000 21.1

86

P. Bulychev et al.

algorithm is better than the old one as it checks the simulation relation in linear time, while the timed game obtained using the old method is solved only in quadratic time. The main reason for that is that we avoid computing expensive P redt function, as we are using turn-based simulation checking games.

5

Conclusion

In the current paper weak alternating timed simulation has been defined which preserves controllability w.r.t. ATCTL. We have proposed the algorithm for checking this simulation by finding a winning strategy in a symbolic two-players simulation checking game. We showed that this simulation checking game can be solved using a modification of the on-the-fly algorithm, proposed in the paper [9]. We have exploited the fact that our simulation-checking game is turn-based, i.e. in each game state only one player is permitted to make a move. It made it possible to use more effective algorithm than the original algorithm for solving arbitrary timed games. The proposed algorithm has been implemented as a part of the tool UppaalTiga. It has a user-friendly GUI and a user is allowed to play a simulation checking game against the tool to find the reason for the simulation to be fullfilled or to be not fulfilled. We compared the algorithm proposed in the current paper with the algorithm proposed in the paper [12] and demonstrated that the new algorithm performs better than the old one. The methods developed in this paper allow user to check for refinement of timed models, which can be useful in CEGAR-like approaches or iterative development of models.

References 1. Abdedda¨ım, Y., Asarin, E., Gallien, M., Ingrand, F., Lessire, C., Sighireanu, M.: Planning Robust Temporal Plans A Comparison Between CBTP and TGA Approaches. In: Proceedings of the International Conference on Automated Planning and Scheduling International Conference on Automated Planning and Scheduling (ICAPS 2007). AAAI Press, Menlo Park (2007) 2. Alur, R., Courcoubetis, C., Dill, D.L.: Model-checking in dense real-time. Inf. Comput. 104(1), 2–34 (1993) 3. Alur, R., Dill, D.: A theory of timed automata. Theoretical Computer Science 126(2), 183–235 (1994) 4. Alur, R., Henzinger, T.A., Kupferman, O.: Alternating-time temporal logic. In: FOCS, pp. 100–109 (1997) 5. Alur, R., Henzinger, T.A., Kupferman, O., Vardi, M.Y.: Alternating refinement relations. In: Sangiorgi, D., de Simone, R. (eds.) CONCUR 1998. LNCS, vol. 1466, pp. 163–178. Springer, Heidelberg (1998) 6. Behrmann, G., Larsen, K.G., Rasmussen, J.I.: Optimal scheduling using priced timed automata. In: SIGMETRICS Performance Evaluation Review (2005)

Efficient on-the-fly Algorithm for Checking Alternating Timed Simulation

87

7. Bengtsson, J.E., Yi, W.: Timed automata: Semantics, algorithms and tools. In: Desel, J., Reisig, W., Rozenberg, G. (eds.) Lectures on Concurrency and Petri Nets. LNCS, vol. 2004, pp. 87–124. Springer, Heidelberg (2004) 8. Bozga, M., Daws, C., Maler, O., Olivero, A., Tripakis, S., Yovine, S.: Kronos: a model-checking tool for real-time systems. In: Vardi, M.Y. (ed.) CAV 1998. LNCS, vol. 1427, pp. 546–550. Springer, Heidelberg (1998) 9. Cassez, F., David, A., Fleury, E., Larsen, K.G., Lime, D.: Efficient on-the-fly algorithms for the analysis of timed games. In: Abadi, M., de Alfaro, L. (eds.) CONCUR 2005. LNCS, vol. 3653, pp. 66–80. Springer, Heidelberg (2005) 10. Cerans, K.: Decidability of bisimulation equivalences for parallel timer processes. In: Probst, D.K., von Bochmann, G. (eds.) CAV 1992. LNCS, vol. 663, pp. 302–315. Springer, Heidelberg (1993) 11. Cerans, K., Godskesen, J.C., Larsen, K.G.: Timed modal specification – theory and tools. In: Courcoubetis, C. (ed.) CAV 1993. LNCS, vol. 697, pp. 253–267. Springer, Heidelberg (1993) 12. Chatain, T., David, A., Larsen, K.G.: Playing games with timed games. Research Report LSV-08-34, Laboratoire Sp´ecification et V´erification, ENS Cachan, France, 15 pages (December 2008) 13. Cassez, F., David, A., Larsen, K.G., Lime, D., Raskin, J.-F.: Timed control with observation based and stuttering invariant strategies. In: Namjoshi, K.S., Yoneda, T., Higashino, T., Okamura, Y. (eds.) ATVA 2007. LNCS, vol. 4762, pp. 192–206. Springer, Heidelberg (2007) 14. de Alfaro, L., Faella, M., Henzinger, T.A., Majumdar, R., Stoelinga, M.: The element of surprise in timed games. In: Amadio, R.M., Lugiez, D. (eds.) CONCUR 2003. LNCS, vol. 2761, pp. 144–158. Springer, Heidelberg (2003) 15. Etessami, K., Wilke, T., Schuller, R.A.: Fair simulation relations, parity games, and state space reduction for buchi automata. SIAM Journal on Computing 34, 1159–1175 (2001) 16. Jensen, H.E., Larsen, K.G., Skou, A.: Scaling up Uppaal automatic verification of real-time systems using compositionality and abstraction. In: Joseph, M. (ed.) FTRTFT 2000. LNCS, vol. 1926, pp. 19–30. Springer, Heidelberg (2000) 17. Jessen, J.J., Rasmussen, J.I., Larsen, K.G., David, A.: Guided controller synthesis for climate controller using uppaal tiga. In: Raskin, J.-F., Thiagarajan, P.S. (eds.) FORMATS 2007. LNCS, vol. 4763, pp. 227–240. Springer, Heidelberg (2007) 18. Larsen, K.G., Pettersson, P., Yi, W.: Uppaal in a nutshell. Journal of Software Tools for Technology Transfer (STTT) 1(1-2), 134–152 (1997) 19. Maler, O., Pnueli, A., Sifakis, J.: On the synthesis of discrete controllers for timed systems. In: Mayr, E.W., Puech, C. (eds.) STACS 1995. LNCS, vol. 900, pp. 229– 242. Springer, Heidelberg (1995) 20. van Glabbeek, R.J., Weijland, W.P.: Branching time and abstraction in bisimulation semantics. J. ACM 43(3), 555–600 (1996) 21. Weise, C., Lenzkes, D.: Efficient scaling-invariant checking of timed bisimulation. In: Reischuk, R., Morvan, M. (eds.) STACS 1997. LNCS, vol. 1200, pp. 177–188. Springer, Heidelberg (1997)

Model Checking Logic WCTL with Multi Constrained Modalities on One Clock Priced Timed Automata Ashish Chiplunkar, Shankara Narayanan Krishna, and Chinmay Jain Department of Computer Science and Engineering, IIT Bombay, India {ashishc,krishnas,chinmayjain}@cse.iitb.ac.in

Abstract. We consider the model of priced timed automata, an extension of timed automata and study the model checking problem of logic WCTL with multi constrained modalities. For simple modalities, it is known that this is decidable [10] for one clock priced timed automata, and is not [14] when the number of clocks is more than one. For the model of priced timed automata with 2 stopwatch costs having no discrete costs, we give an algorithm for model checking the existential fragment of WCTL with multi constrained modalities. The algorithm runs in time that is doubly exponential in the size of the input(automaton, formula).

1

Introduction

Timed automata [3] are a well established model in the verification of timed systems. An extension of timed automata useful in controller synthesis and scheduling [4],[9],[15] is priced timed automata, introduced in [6], [7]. Recently, a lot of work has happened in (1) model checking priced timed automata on logics WCTL, WMTL [12], [10](2) answering optimization questions like minimum (maximum) cost reachability [6], [7], [13], and cost optimal infinite schedules [8], [9] and (3) finding optimal strategies in priced timed games [5], [11]. In this paper, we look at the model checking problem on priced timed automata with respect to logic WCTL having multi constrained modalities. It is known that model checking WCTL is decidable for one clock priced timed automata [10] while, with 2 clocks and one cost, it is undecidable [14]. The problem of considering logic WCTL with multi constrained modalities was suggested in [10]. Here, we give an algorithm for model checking the fragment of this logic excluding A(...U...) formulae on priced timed automata with a single clock, two stopwatches and no edge costs. The algorithm proceeds in the following stages: First, we define the “granularity” of a formula φ with respect to a priced timed automaton A. We show that for a formula φ of depth d, the granularity (gran(A, φ)) will be of the form 2k , k ≤ d, k ∈ N. We then observe that if gran(A, φ) = 2k , k ≤ d, then gran(2d .A, 2d .φ) = 1 where, 2d .A is the automaton obtained by multiplying all constants appearing in guards of A by 2d , and 2d .φ is obtained by multiplying all constants appearing in the modalities J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 88–102, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Model Checking Logic WCTL with Multi Constrained Modalities

89

of φ by 2d . For the case when the granularity of φ with respect to A is 1, we construct from A and φ, a graph whose paths will be abstractions of runs of A satisfying some conditions. For a given path p in this graph, we construct a LP which will be feasible iff there is a run of A corresponding to p satisfying φ. We also prove that the paths we consider are of bounded length and give an upper bound on the lengths of the paths p corresponding to which we have to construct an LP. The paper is organized as follows: Section 2 gives the definitions of priced timed automata and logic WCTL with multi constrained modalities; Section 3 defines the notion of granularity for a formula φ with respect to a priced timed automata A and proves upper bounds of the granularity; Section 4 describes how to look at different “stages” of a run in A, construct the graph and hence the LP for a given path. Section 5 discusses the complexity of the algorithm.

2

Preliminaries

Let R denote the set of non-negative reals. A one clock stopwatch timed automaton (1 clock STA) without edge costs A is a tuple A = (L, X, Σ, Z, E, L, CL) where L is a finite set of locations; X = {x} is a clock; Σ is a finite set of propositions; Z = {z1 , z2 , . . . , zn } is a finite set of stopwatches; E ⊆ L × G × {reset, noreset} × L is a finite set of edges where G is the set of constraints (guards) of the form x ∼ c where c ∈ N and ∼ is one of <, ≤, =, ≥, >; L : L → 2Σ is a map assigning a subset of Σ, to each location and CL : L → {0, 1}n is a map assigning an n-dimensional binary vector to each location, indicating the rate of each cost variable zi . The semantics of a one clock STA without edge costs is defined as a transition system TA = (Q × Rn ,  −→) where, Q = L × R is the set  of states;  −→ = −→t is the transition relation defined as  t∈R

– for t = 0 ((l, ν(x)), z)  −→t ((l , ν  (x)), z  ) iff there is an edge e = (l, g, r, l) in E for some g, r such that x satisfies g, z  = z (since there are no edge costs) and ν  (x) = 0 if r = reset, else ν  (x) = ν(x) (discrete transition) – for t > 0 ((l, ν(x)), z)  −→t ((l , ν  (x)), z  ) iff l = l, ν  (x) = ν(x) + t and  z = z + t · CL (l) (delay transition) where ν(x) stands for the value of clock x. A run ρ = ((qi , z i ))i≥0 of the automaton A from state q0 is an infinite path in TA . ρ = (q0 , z 0 )  −→t0 (q1 , z 1 )  −→t1 ∞  . . . (qi , z i)  −→ti (qi+1 , z i+1 )  −→ti+1 . . . such that ti = ∞ and z 0 = 0. A finite i=0

run is any finite path in TA starting from the initial cost 0. If we imagine a “global” clock xglobal , which is 0 when the run starts, and is never reset, then the run ρ can be thought of as a tuple (Sρ , Cρ ) where – Sρ : R → Q gives the state at clock value ν(xglobal ) in ρ (the “target” state if a discrete transition takes place at ν(xglobal )) – Cρ : R → Rn gives the vector of costs accumulated from the beginning of ρ till ν(xglobal ) (with the edge cost included if a discrete transition takes place at ν(xglobal )).

90

A. Chiplunkar, S.N. Krishna, and C. Jain

W CT Lmc: Logic WCTL with multi constrained modalities: The logic W CT Lmc is given by the grammar Φ ::= a | ¬Φ | Φ ∨ Φ | EΦUz1 ∼1 c1 ,...,zn ∼n cn Φ | AΦUz1 ∼1 c1 ,...,zn ∼n cn Φ where a ∈ Σ, the set of atomic propositions, each of ∼i is one of <, ≤, =, ≥, > and each ci ∈ N ∪ {∞}. We define the function depth inductively on W CT Lmc formulae as follows: (i) depth(a) = 0 ∀ a ∈ Σ, (ii)depth(¬ϕ) = depth(ϕ), (iii) depth(ϕ1 ∨ ϕ2 ) = max{depth(ϕ1 ), depth(ϕ2 )}, (iv) depth(Eϕ1 Uz1 ∼1 c1 ,...,zn ∼n cn ϕ2 ) = 1 + max{depth(ϕ1 ), depth(ϕ2 )}, and (v) depth(Aϕ1 Uz1 ∼1 c1 ,...,zn ∼n cn ϕ2 ) = 1 + max{depth(ϕ1 ), depth(ϕ2 )}. Let A be a 1 clock STA and let q = (l, x) be a state in its transition system TA . The satisfaction relation q |= ϕ for a state q and a W CT Lmc formula ϕ is defined recursively as follows. (i) q |= a iff a ∈ L(l), (ii) q |= ¬ϕ iff it is not the case that q |= ϕ, (iii) q |= ϕ1 ∨ ϕ2 iff q |= ϕ1 or q |= ϕ2 , (iv) q |= Eϕ1 Uz1 ∼1 c1 ,...,zn ∼n cn ϕ2 iff there exists a run ρ of A from q such that ρ |= ϕ1 Uz1 ∼1 c1 ,...,zn ∼n cn ϕ2 , (v) q |= Aϕ1 Uz1 ∼1 c1 ,...,zn ∼n cn ϕ2 iff all runs ρ of A from q are such that ρ |= ϕ1 Uz1 ∼1 c1 ,...,zn ∼n cn ϕ2 , and (vi) ρ |= ϕ1 Uz1 ∼1 c1 ,...,zn ∼n cn ϕ2 iff ∃ a constant tf such that : (Sρ (t) |= ϕ1 ∀t ∈ [0, tf )) ∧ (Sρ (tf ) |= ϕ2 ) ∧ (z = Cρ (tf ) ⇒ zi ∼i ci for each i). If the automaton for which q |= ϕ holds is not clear from the context, then we write A, q |= ϕ. For convenience, we call EW CT Lmc the subclass of W CT Lmc defined by the grammar Φ ::= a | ¬Φ | Φ ∨ Φ | EΦUz1 ∼1 c1 ,...,zn ∼n cn Φ

3

Granularity

In this section, we define the notion of “granularity” of a W CT Lmc formula ϕ with respect to a 1 clock STA A. Definition 1. Given a 1 clock STA A and a W CT Lmc formula ϕ, we say that ϕ is continuous at the state (l, x0 ) if there exists a neighborhood δ > 0 such that for all ∈ (−δ, δ) (l, x0 + ) |= ϕ iff (l, x0 ) |= ϕ. We call a state (l, x0 ) to be a critical state of A for ϕ if ϕ is not continuous at (l, x0 ). A clock value x0 is a critical value of A for ϕ if (l, x0 ) is a critical state of A for ϕ, for some location l. In other words, (l, x0 ) is a critical state of A for ϕ if the truth value of (l, x) |= ϕ is discontinuous at x = x0 , if we vary x keeping l constant.

Model Checking Logic WCTL with Multi Constrained Modalities

l1 (1, 1); {a1 }

x=1 reset

l1


l1



(1, 0); {a1 }

(0, 1); {a1 }

x=1

91

l0 (0, 0); {a0 }

Fig. 1. 1 clock STA A1

Example 1. Consider the one clock STA A1 described by figure 1. The numbers in the parentheses indicate the cost rates while the symbols in the braces are atomic propositions. Let ϕ1 = Ea1 Uz1 =1,z2 =1 a0 . Then (l1 , x0 ) |= ϕ1 iff x0 = 1/2 (proved later as a part of proposition 4). Thus (l1 , 1/2) is a critical state and 1/2 is a critical value of A1 for ϕ1 . Similarly, if ϕ1 = Ea1 Uz1 <1,z2 <1 a0 then (l1 , x0 ) |= ϕ1 iff 1/2 < x0 ≤ 1. Thus (l1 , 1/2) and (l1 , 1) are some of the critical states and 1/2, 1 are some of the critical values of A1 for ϕ1 . Definition 2. For a 1 clock STA A and a W CT Lmc formula ϕ, we define the granularity of ϕ with respect to A to be the least integer constant g > 0 such that g  xc is an integer for each critical value xc of A for ϕ, provided such a g exists; otherwise the granularity is infinite. In other words, granularity is the least common multiple of the integers appearing as denominators in the reduced forms of the critical values, provided all the critical values are rational. We can thus make the following proposition regarding the critical values and granularity. Proposition 1. Let CV (A, ϕ) denote the set of all critical values of A for ϕ and let gran(A, ϕ) denote the granularity of ϕ with respect to A. Then 1. CV (A, ¬ϕ) = CV (A, ϕ) and hence gran(A, ¬ϕ) = gran(A, ϕ) 2. CV (A, ϕ1 ∨ ϕ2 ) ⊆ CV (A, ϕ1 ) ∪ CV (A, ϕ2 ) and hence gran(A, ϕ1 ∨ ϕ2 ) divides lcm(gran(A, ϕ1 ), gran(A, ϕ2 )) Proof. Part 1 is straightforward from the definition of critical values. We prove part 2. Suppose x ∈ / CV (A, ϕ1 ) and x ∈ / CV (A, ϕ2 ). Thus both ϕ1 and ϕ2 are continuous at (l, x) for every location l. Therefore ϕ1 ∨ ϕ2 is continuous at (l, x) for every location l which means x ∈ / CV (A, ϕ1 ∨ ϕ2 ). Thus CV (A, ϕ1 ∨ ϕ2 ) ⊆ CV (A, ϕ1 ) ∪ CV (A, ϕ2 ). The claim about granularity follows.   The following result is immediate from the definition of critical values and the above observations. Proposition 2. For a 1 clock STA A, the critical values of A for any W CT Lmc formula ϕ do not exceed the maximum of the constants appearing in the guards of A. Proof. See [1].

92

A. Chiplunkar, S.N. Krishna, and C. Jain

In section 3.1, we will state an upper bound on the granularity when A has two stopwatches, while in section 3.2 we will prove that the bound is tight. Prior to that we need to observe the following results. Definition 3. For a positive integer k, a 1 clock STA A and a W CT Lmc formula ϕ, we define k · A to be the 1 clock STA A obtained from A by replacing all guards x ∼ c with x ∼ k.c. k · ϕ is the formula obtained by scaling by k all the constants appearing in the (nested) modalities in ϕ. Proposition 3. For a positive integer k, a 1 clock STA A and a W CT Lmc formula ϕ we have 1. For l ∈ L A, (l, x) |= ϕ iff (k · A), (l, kx) |= k · ϕ. 2. CV (k · A, k · ϕ) = {kx | x ∈ CV (A, ϕ)}. 3. If gran(A, ϕ) divides k then gran(k · A, k · ϕ) = 1. Proof. The proof is straightforward once we observe that for every run ρ = ((l0 , x0 ), z 0 )  −→t0 ((l1 , x1 ), z 1 )  −→t1 . . . ((li , xi ), z i )  −→ti ((li+1 , xi+1 ), z i+1 ) ti+1  −→  . . . of A there is a corresponding run ρ = ((l0 , kx0 ), k · z 0 )  −→kt0 1 kt1 i kti i+1 ((l1 , kx1 ), k · z )  −→ . . . ((li , kxi ), k · z )  −→ ((li+1 , kxi+1 ), k · z )  −→kti+1 . . . of k · A   3.1

Granularity Upper Bound

In this section, we give an upper bound for the granularity of a EW CT Lmc formula φ with respect to a 1 clock STA A with two stopwatches. Theorem 1. Let A be a 1 clock STA with two stopwatches and let ϕ be a EW CT Lmc formula. Then the granularity of ϕ with respect to A is of the form 2d where d ∈ N and d ≤ depth(ϕ). Proof. See [1]. 3.2

 

Tightness of the Upper Bound

In this section we argue that the upper bound on granularity stated in theorem 1 is tight. For each i ∈ N we exhibit an automaton Ai and a EW CT Lmc formula ϕi of depth i such that 1/2i ∈ CV (Ai , ϕi ). Proposition 4. Let A1 be as shown in figure 1 on page 91 and Ai be constructed from Ai−1 as shown in figure 2. Let ϕ1 = Ea1 Uz1 =1,z2 =1 a0 and ϕi = Eai Uz1 =1,z2 =1 ϕi−1 . Then Ai , (li , x) |= ϕi iff x = 1/2i . Proof. We prove the claim by induction on i. It is clear that depth(ϕi ) = i for any i. When i = 1, suppose A1 , (l1 , x0 ) |= ϕ1 . Suppose that the witnessing run spends time x1 in l1 , x2 in l1 and x3 in l1 after which it enters l0 . Then we have x0 + x1 = 1, x2 + x3 = 1, x1 + x2 = 1, and x1 + x3 = 1, which imply that x0 = 1/2.

Model Checking Logic WCTL with Multi Constrained Modalities

93

Ai−1

li (1, 1); {ai }

x=1 reset

li


li



li−1

(1, 0); {ai }

(0, 1); {ai }

(1, 1); {ai−1 }

Fig. 2. Construction of Ai from Ai−1

For i > 1 by induction hypothesis we know that Ai−1 , (li−1 , x) |= ϕi−1 iff x = 1/2i−1 . Again suppose Ai , (li , x0 ) |= ϕi and that the witnessing run spends time x1 in li , x2 in li and x3 in li after which it enters li−1 . Note that the moment li−1 is entered the proposition ai is no longer satisfied. Hence the clock must be 1/2i−1 for the state to satisfy ϕi−1 . Now we have x0 + x1 = 1, x2 + x3 = 1/2i−1 , x1 + x2 = 1, and x1 + x3 = 1. These relations imply that x0 = 1/2i .  

4

Decidability in the Absence of Edge Costs

In this section, we prove that model checking 1 clock STAs with two stopwatches and no edge costs against EW CT Lmc formulae is decidable. We will prove the solvability of the following problem, and the decidability will follow. Problem 1. Given a 1 clock STA A with two stopwatches and no edge costs, a EW CT Lmc formula ϕ, and a location l of A, compute {x ∈ R+ | (l, x) |= ϕ}. For the further discussion we require the concept of “stages” of a run, defined as follows. Definition 4. Let A be a 1 clock STA with two stopwatches and let cmax be the greatest constant that appears in the guards over the edges of A. A stage of a run ρ is the part of ρ between two consecutive occurrences of states with integral clock value ≤ cmax on ρ, or is the part of ρ from the beginning of ρ till the first time a state with integral clock value ≤ cmax is reached. We say that a location is present in a stage if a nonzero amount of time is spent at the location in the stage. We first consider the case when ϕ = Eϕ1 Uz1 ∼1 c1 ,z2 ∼2 c2 ϕ2 and gran(A, ϕ) = gran(A, ϕ1 ) = gran(A, ϕ2 ) = 1. Suppose that the problem has been solved for each location and for ϕ1 as well as ϕ2 . We propose a graph construction followed by an algorithmic approach involving checking feasibility of a linear program. The graph will be constructed in such a way that paths in the graph will be abstractions of runs of A satisfying ϕ1 Uϕ2 , each edge abstracting a stage. The LP for a given path in the graph will be constructed in such a way that it will be feasible iff there is a corresponding run of A satisfying ϕ1 Uz1 ∼1 c1 ,z2 ∼2 c2 ϕ2 . For an example, see [1].

94

A. Chiplunkar, S.N. Krishna, and C. Jain

4.1

Construction of Graph

Let cmax be the largest constant appearing in the guards of A. The vertices of the graph are introduced according to the following rules, where l, l and l stand for locations of A and i ≥ 0 stands for an integer. 1. 2. 3. 4. 5. 6.

For For For For For For

all all all all all all

l, l, l, l, l, l,

i ≤ cmax if (l, i) |= ϕ1 then l, {i} is a vertex. i < cmax if (l, x) |= ϕ1 , x ∈ (i, i + 1) then l, (i, i + 1) is a vertex. if (l, x) |= ϕ1 , x > cmax then l, (cmax , ∞) is a vertex. i ≤ cmax if (l, i) |= ϕ2 then l, {i}t is a vertex. i < cmax if (l, x) |= ϕ2 , x ∈ (i, i + 1) then l, (i, i + 1)t is a vertex. if (l, x) |= ϕ2 , x > cmax then l, (cmax , ∞)t is a vertex.

We will call the vertices with subscript t as “target” vertices. Before describing the edges of the graph, let us see the variables that we are going to use in the linear program. There are only 4 possibilities for location costs of A which are [0, 0], [0, 1], [1, 0] and [1, 1]. We associate with a stage, a symbol representing one of the 16 sets of such costs, depending on the locations present in that stage. We will call this symbol the signature of the stage. We will associate variables corresponding to each pair (S, c) where S is a signature and c is a location cost in the set represented by that signature. This variable will indicate the total time spent in locations having that cost, in stages which have that signature. All these symbols and variables are shown in the Table 1. Table 1. Sets of costs, signatures and cost-variables corresponding to each pair Set of costs {} {[0, 0]} {[0, 1]} {[0, 0], [0, 1]} {[1, 0]} {[0, 0], [1, 0]} {[0, 1], [1, 0]} {[0, 0], [0, 1], [1, 0]} {[1, 1]} {[0, 0], [1, 1]} {[0, 1], [1, 1]} {[0, 0], [0, 1], [1, 1]} {[1, 0], [1, 1]} {[0, 0], [1, 0], [1, 1]} {[0, 1], [1, 0], [1, 1]} {[0, 0], [0, 1], [1, 0], [1, 1]}

Signature (0, 0) S0 S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 S13 S14 S15

X(1,0) X(3,0) X(5,0) X(7,0) X(9,0) X(11,0) X(13,0) X(15,0)

(0, 1)

(1, 0)

(1, 1)

-

-

-

X(2,1) X(3,1) X(6,1) X(7,1) X(10,1) X(11,1) X(14,1) X(15,1)

X(4,2) X(5,2) X(6,2) X(7,2) X(12,2) X(13,2) X(14,2) X(15,2)

X(8,3) X(9,3) X(10,3) X(11,3) X(12,3) X(13,3) X(14,3) X(15,3)

Now we look at obtaining edges of the graph. As stated earlier, each edge in the graph will abstract a stage of a run. The edge will retain the following information about the stage (1) the signature of the stage, (2)the set of variables

Model Checking Logic WCTL with Multi Constrained Modalities

95

which are required to be positive in the stage and (3) the type of the stage. For i ≤ cmax , let A{i} denote A with edges restricted to those enabled when x = i. Similarly, for i < cmax let A(i,i+1) denote A with edges restricted to those enabled when x ∈ (i, i + 1) and A(cmax ,∞) denote A with edges restricted to those enabled when x > cmax . We add edges in the graph according to the following rules, where u −→ v means a directed edge from u to v. We will call an edge “type j” if it has been introduced due to rule j. 1. For each l, l , i ≤ cmax , l, {i} −→ l , {i}, l, {i} −→ l , {i}t if both vertices exist and there is a discrete transition not resetting the clock from first to second in A{i} . This edge has label (S0 , {}, type 1). Note that this trivially results in the edge l, {i} −→ l, {i}t if both vertices exist. 2. For each l, l , i ≤ cmax , l, {i} −→ l , {0}, l, {i} −→ l , {0}t if both vertices exist and there is a discrete transition resetting the clock from first to second in A{i} . This edge has label (S0 , {}, type 2). 3. For each l, l , i < cmax , l, {i} −→ l , {i + 1}, l, {i} −→ l , {i + 1}t if both vertices exist and there is a path in A(i,i+1) from l to l such that no edge resets the clock and the path including l, l passes through only those locations l , for which (l , x) |= ϕ1 for x ∈ (i, i + 1). This edge has label (Sj , {X(j,k) , X(j,k ) }, type 3) where j is chosen depending on the set of costs at locations on the path including l, l and k, k  are chosen to indicate the cost at l, l respectively. 4. For each l, l , i < cmax , l, {i} −→ l , {0}, l, {i} −→ l , {0}t if both vertices exist and there is a path in A(i,i+1) from l to l such that only the last edge resets the clock and the path including l, excluding l passes through only those locations l , for which (l , x) |= ϕ1 for x ∈ (i, i + 1). This edge has label (Sj , {X(j,k) }, type 4) where j is chosen depending on the set of costs at locations on the path including l, excluding l , and k is chosen to indicate the cost at l. 5. For each l, l , l, {cmax} −→ l , {0}, l, {cmax} −→ l , {0}t if both vertices exist and there is a path in A(cmax ,∞) from l to l such that only the last edge resets the clock and the path including l, excluding l passes through only those locations l , for which (l , x) |= ϕ1 for x > cmax . This edge has label (Sj , {X(j,k) }, type 5) where j is chosen depending on the set of costs at locations on the path including l, excluding l , and k is chosen to indicate the cost at l. 6. For each l, l , l, {cmax} −→ l , (cmax , ∞)t , if both vertices exist and there is a path in A(cmax ,∞) from l to l such that no edge resets the clock and the path including l passes through only those locations l , for which (l , x) |= ϕ1 for x > cmax . This edge has label (Sj , {X(j,k) }, type 6) where j is chosen depending on the set of costs at locations on the path including l, and k is chosen to indicate the cost at l. 7. For each l, l , i < cmax , l, (i, i + 1) −→ l , {i + 1}, l, (i, i + 1) −→ l , {i + 1}t if both vertices exist and there is path in A(i,i+1) from l to l such that no edge resets the clock and the path including l, l passes through only those locations l , for which (l , x) |= ϕ1 for x ∈ (i, i + 1). This edge

96

8.

9.

10.

11.

12.

A. Chiplunkar, S.N. Krishna, and C. Jain

has label (Sj , {X(j,k ) }, type 7) where j is chosen depending on the set of costs at locations on the path including l, l and k  is chosen to indicate the cost at l . For each l, l , i < cmax , l, (i, i + 1) −→ l , {0}, l, (i, i + 1) −→ l , {0}t if both vertices exist and there is path in A(i,i+1) from l to l such that only the last edge resets the clock and the path including l, excluding l passes through only those locations l , for which (l , x) |= ϕ1 for x ∈ (i, i + 1). This edge has label (Sj , {}, type 8) where j is chosen depending on the set of costs at locations on the path including l, excluding l . For each l, l , l, (cmax , ∞) −→ l , {0}, l, (cmax , ∞) −→ l , {0}t if both vertices exist and there is path in A(cmax ,∞) from l to l such that only the last edge resets the clock and the path including l, excluding l passes through only those locations l , for which (l , x) |= ϕ1 for x > cmax . This edge has label (Sj , {}, type 9) where j is chosen depending on the set of costs at locations on the path including l, excluding l . For each l, l , l, (cmax , ∞) −→ l , (cmax , ∞)t if both vertices exist and there is path in A(cmax ,∞) from l to l such that no edge resets the clock and the path including l passes through only those locations l , for which (l , x) |= ϕ1 for x > cmax . This edge has label (Sj , {}, type 10) where j is chosen depending on the set of costs at locations on the path including l. For each l, l , i < cmax , l, (i, i + 1) −→ l , (i, i + 1)t if both vertices exist and there is path in A(i,i+1) from l to l such that no edge resets the clock and the path including l passes through only those locations l , for which (l , x) |= ϕ1 for x ∈ (i, i + 1). This edge has label (Sj , {}, type 11) where j is chosen depending on the set of costs at locations on the path including l. For each l, l , i < cmax , l, {i} −→ l , (i, i + 1)t , if both vertices exist and there is a path in A(i,i+1) from l to l such that no edge resets the clock and the path including l passes through only those locations l , for which (l , x) |= ϕ1 for x ∈ (i, i + 1). This edge has label (Sj , {X(j,k) }, type 12) where j is chosen depending on the set of costs at locations on the path including l, and k is chosen to indicate the cost at l.

If there are multiple paths from a vertex to another, satisfying the criteria, we put multiple edges but we put a single edge for multiple paths resulting in the same label. Thus all the edges from a vertex to another have distinct labels. Hence the number of edges in the graph is finite. We can observe that the construction of the graph is such that any run satisfying ϕ1 U ϕ2 can be abstracted to get a path which finally terminates into a “target” vertex. The first vertex of the path will be l, {i} if the run begins from the state (l, i), it will be l, (i, i + 1) if the run begins from the state (l, x) where x ∈ (i, i + 1), and l, (cmax , ∞) if the run begins from the state (l, x) where x > cmax . 4.2

Formation of Linear Program

Given a path in the constructed graph which ends in a “target” vertex, we now wish to find whether it can be the abstraction of a run which satisfies

Model Checking Logic WCTL with Multi Constrained Modalities

97

ϕ1 Uz1 ∼1 c1 ,z2 ∼2 c2 ϕ2 . We form a linear program which will be feasible iff such a run exists. We trace a path in the graph and simultaneously manipulate the variables Γ , M AXj , M INj , strictminj , strictmaxj for j ∈ {1, 2, . . . , 15}. Here, Γ is a set that should contain all variables which must be positive in the path, M INj , M AXj are respectively the lower and upper bounds on the total time that can be spent in the stages having signature Sj ; while strictminj , strictmaxj are booleans indicating whether or not the respective bounds are strict. M AXj and M INj , for each j are integers initialized to 0, strictminj , strictmaxj for each j are booleans initialized to f alse while Γ is initially the empty set. The variables are manipulated by iterating over the edges as follows. For each edge on the path do – Γ := Γ ∪ S where S is the set of variables in the label of the edge. – Update M INj , M AXj , strictminj , strictmaxj if the signature in the label of the edge is Sj , as follows. • For type 3 edge: M INj := M INj + 1; M AXj := M AXj + 1 • For type 4, type 7 or type 12 edge: M AXj := M AXj + 1; strictminj := true; strictmaxj := true • For type 5 or type 6 edge: M AXj := ∞; 1 strictminj := true; strictmaxj := true • For type 8 or type 11 edge: M AXj := M AXj + 1; strictmaxj := true • For type 9 or type 10 edge: M AXj := ∞; strictmaxj := true Thus in the end, Γ contains all variables which must be positive, M INj , M AXj are respectively the lower and upper bounds on the total time that can be spent in the stages having signature Sj ; while the boolean values of strictminj , strictmaxj indicate whether or not the respective bounds are strict. The required linear program looks as follows.  X(j,k)  M INj ∀j ∈ {1, 2, . . . , 15} (1) k



X(j,k)  M AXj ∀j ∈ {1, 2, . . . , 15}

(2)

X > 0 ∀X ∈ Γ  X(j,2) + X(j,3) ∼1 c1

(3)

k

 j

 j

(4)

j

X(j,1) +



X(j,3) ∼2 c2

(5)

j

X(j,k) ≥ 0 ∀j, k

(6)

Constraints 1 and 2 enforce the bounds on the total time that can be spent in the stages having signature Sj , where  is > if strictminj = true else it is ≥ and  is < if strictmaxj = true else it is ≤. Constraint 3 ensures that the 1

If M AXj = ∞ then it remains ∞ after executing M AXj := M AXj + 1.

98

A. Chiplunkar, S.N. Krishna, and C. Jain

variables which are required to be positive for some edge are indeed positive. Constraints 4 and 5 ensure that the costs accumulated into the variables satisfy the modalities z1 ∼1 c1 and z2 ∼2 c2 respectively. Indeed, this linear program can be checked for feasibility [2]. We next argue that if the above system is feasible, then there is actually a run in A satisfying ϕ1 Uz1 ∼1 c1 ,z2 ∼2 c2 ϕ2 whose abstraction is the path under consideration. Note that the “type” of an edge determines what duration the stages represented by that edge can have; and M INj , M AXj , strictminj , strictmaxj have been updated accordingly. For example, the duration of any stage represented by a “type 3” edge has to be necessarily 1 and that of any stage represented by a “type 4”, “type 7” or “type 12” edge has to be in the interval (0, 1). Suppose the system is feasible for a path p (which ends in a “target” vertex) and let the variables themselves represent their values at a feasible point. Fix a signature Sj and consider all edges in p which have signature Sj . M INj will be updated to finally hold the sum of the minimum durations of stages corresponding to these edges and strictminj will be true iff at least one of the stages has a strict lower bound on its duration. We can make a similar statement about M AXj and strictmaxj . We can distribute the values of the variables X(j,k) (arbitrarily) among these edges in such a way that the total over k received by each edge is within its interval and if an edge enforces some variable to be positive, then it receives a positive value for that variable. Next, let X(j,k,e) denote the value that an edge e having signature Sj receives from X(j,k) for various k. Consider the path pe in the appropriate restricted automaton which resulted in the introduction of e in the graph. We can distribute the value X(j,k,e) (again arbitrarily) among locations on pe which have cost represented by k, again ensuring that if e requires a positive amount of time to spent in a location, then the distribution indeed respects this constraint. This distribution when performed on each k will give the time spent in each of the locations on pe , and hence will define a stage represented by e. Such stages for each e on p will define a run of the automaton. This run, for each j, k will spend time X(j,k) on locations with cost represented by k during stages having signature Sj and hence will satisfy the modalities z1 ∼1 c1 and z2 ∼2 c2 . Furthermore, from the construction of the graph and the choice of p it is clear that this run must satisfy ϕ1 Uϕ2 . 4.3

Bound on the Length of Paths

In order to determine whether (l, x) |= Eϕ1 Uz1 ∼1 c1 ,z2 ∼2 c2 ϕ2 , we thus have to check whether there is a path in the graph ending in a target vertex from the vertex l, {i}, l, (i, i+1), or l, (cmax , ∞) depending on whether x = i ≤ cmax , x ∈ (i, i + 1) where i < cmax or x > cmax respectively. We next prove an upper bound on the length of the paths for which the linear program needs to be constructed and tested for feasibility. Theorem 2. If there is a path p in the graph from a vertex v to some target vertex vt such that the constructed LP is feasible, then there exists a path p ,

Model Checking Logic WCTL with Multi Constrained Modalities

99

from v to v  , which visits any vertex at most B = 2c1 + 2c2 + 4 times, and whose LP is feasible. Proof. See [1].

 

See [1] for an example showing the construction of the graph and coming up with the LP. 4.4

The Proof of Decidability

We have come up with a method to solve problem 1 when ϕ =Eϕ1 Uz1 ∼1 c1 ,z2 ∼2 c2 ϕ2 and gran(A, ϕ) = gran(A, ϕ1 ) = gran(A, ϕ2 ) = 1. The approach is to find, for each vertex of the form l, {i}, l, (i, i + 1), l, (cmax , ∞) which is present in the graph, whether or not there exists a path to some target vertex, visiting any vertex at most 2c1 + 2c2 + 4 times, for which the linear program constructed is feasible. In the general case, when ϕ = Eϕ1 Uz1 ∼1 c1 ,z2 ∼2 c2 ϕ2 and depth(ϕ) = d we  know due to theorem 1 that gran(A, ϕ) = 2d for some d ≤ d. Further, due to proposition 3 we know that it is sufficient to solve the problem for the instance 2d · A, 2d · ϕ. For this instance we also have gran(2d · A, 2d · ϕ) = gran(2d · A, 2d · ϕ1 ) = gran(2d ·A, 2d ·ϕ2 ) = 1, again due to proposition 3. The other possibilities for the structure of ϕ are a, ¬ϕ1 , ϕ1 ∨ ϕ2 which are straightforward to handle. Thus we have proved the following theorem. Theorem 3. Problem 1 is solvable.

5

Complexity Analysis

In this section, we analyse the complexity of the algorithm suggested in section 4 to compute the set of states of automaton A that satisfy the formula ϕ . Initially suppose ϕ = Eϕ1 Uz1 ∼1 c1 ,z2 ∼2 c2 ϕ2 and gran(A , ϕ ) = gran(A , ϕ1 ) = gran(A , ϕ2 ) = 1. Let us first analyse the complexity of processing the graph. Let V be the number of vertices in the graph and B = 2c1 + 2c2 + 4 be the bound suggested in section 4.3. Note that for various paths, the size of the LP (number of variables and number of equalities / inequalities) is bounded and the bound is independent of the input. [2] suggests a method to determine the feasibility of a system of linear strict inequalities. Our LP can be converted to a set of LPs of such a form (the number of LPs is exponential in the number of non-strict inequalities in the original LP) by replacing each non-strict inequality once by equality and once by the corresponding strict inequality. The equalities being linear, can be used to eliminate variables. Again, as the number of nonstrict inequalities is bounded, the size of this set of LPs is bounded and thus we can say that checking the feasibility of the LP takes constant time. Since we need to consider only those paths in the graph in which each vertex is visited at most B times, the length of such a path is atmost V B and hence the number of such paths is O(V V B ). The processing of each path to get the LP takes O(V B) time and hence the processing of the whole graph takes O(V V B · V B)

100

A. Chiplunkar, S.N. Krishna, and C. Jain

time. Note that if cmax is the maximum constant appearing in the guards of A and the set of locations of A is L, then V = 2 · |L| · (cmax + 1). In the general case, starting from a one clock STA A and a formula ϕ = Eϕ1 Uz1 ∼1 c1 ,z2 ∼2 c2 ϕ2 , we need to scale both A and ϕ by 2d where d = depth(ϕ) to get A and ϕ satisfying gran(A , ϕ ) = gran(A , ϕ1 ) = gran(A , ϕ2 ) = 1. Let c1 = 2d · c1 , c2 = 2d · c2 , and cmax = 2d · cmax (cmax , cmax are respectively the maximum constants appearing in guards of A, A ). We overapproximate the overall complexity as follows. Let c1max and c2max denote the maximum constants with which z1 and z2 respectively are compared in ϕ and let c∗1 = 2d · c1max , c∗2 = 2d · c2max and c∗max = 2d · cmax . Finding regions satisfying a subformula of ϕ, after having found the regions satisfying its immediate subformulae, will ∗ ∗ take time at most O((V ∗ )(V B ) · (V ∗ B ∗ )) where V ∗ = 2 · |L| · (c∗max + 1) and ∗ ∗ B ∗ = 2c∗1 + 2c∗2 + 4. The total time taken will thus be O(s · (V ∗ )(V B ) · (V ∗ B ∗ )) where s is the “size” of ϕ. Let us analyse the space taken by this approach. For a formula ϕ of depth d, O(2d · |L| · cmax ) space will be sufficient to store for each region, whether it satisfies a given subformula of ϕ. If the sets of regions satisfying subformule of ϕ are computed in a postorder manner, then at any time we need to remember such information for only a “small” collection of subformulae whose size is logarithmic in the size of ϕ. Thus, the total space required for this purpose is O(2d · |L| · cmax · log s). At any time, the graph corresponding to at most one subformula, and to at most one path in this graph needs to be stored in memory. This graph will take O(2d · (|L| + |E|) · cmax ) space and the path takes O(V ∗ B ∗ ) = O(22d · |L| · cmax · (c1max + c2max )) space. To conclude, we can say that the time taken by the approach is doubly exponential and the space required is exponential in the input size.

6

Decidability in the Presence of Edge Costs

The decidability of model checking of 1 clock priced timed automata against WCTL formulae has been proved in [10] for the case when edge costs are absent, and the following approach has been suggested for the case when edge costs are involved: Given an automaton A, a state (l, x) and a WCTL formula ϕ = Eϕ1 Uz∼c ϕ2 , the idea proposed is to construct an automaton Aunf without edge costs, with corresponding state (l(0) , x), and a formula ϕunf such that A, (l, x) |= ϕ iff Aunf , (l(0) , x) |= ϕunf . Aunf is constructed by creating c+1 copies of the locations of A; each location in the ith copy is labeled with the atomic proposition copyi . The idea is to keep track of the total edge cost that would have been accumulated in z during a run of A, by the copy number during the corresponding run of Aunf . In copy number c + 1, the exact total edge cost is abstracted away and only the fact that the the total edge cost is greater than c, is retained. For each edge of A that had a cost k, edges are added in Aunf between the same locations but from copy i to  copy i + k. ϕunf is proposed to be i≤c+1 Eϕ1 Uz∼c−i (ϕ2 ∧ copyi ). Note that we could have easily extended this approach to solve our problem by creating a “two

Model Checking Logic WCTL with Multi Constrained Modalities

101

dimensional array” of copies of A of size (c1 + 1) × (c2 + 1). But we believe there is a problem in the approach suggested in [10]. The problem with this approach is that ϕ1 and ϕ2 might as well be of the form EΦUz∼c Φ or AΦUz∼c Φ. Hence it is necessary to somehow process the constants in the “inner” modalities as well, to take care of the fact that the contributions of locations and edges to the cost are handled differently. We illustrate this with a concrete counterexample.

m

x=1

l

(1) (0); {b}

x=1

n

(1) (0); {a}

(0); {c}

Fig. 3. The automaton A as a counterexample

Consider the automaton A shown in figure 3. The numbers in parantheses indicate location as well as edge costs. Let ϕ = E(EaUz=1 b)Uz=1 c. Clearly A, (l, 1) |= EaUz=1 b and hence A, (l, 1) |= ϕ. Let Aunf be the unfolded automaton according to the proposed construction in [10] and  ϕunf = E(EaUz=1 b)Uz=1−i (c ∧ copyi ) i≤2

(Refer [1] for a diagram showing Aunf ) However, Aunf , (l(0) , 1)  (EaUz=1 b) since neither locations nor edges have cost, and Aunf , (l(0) , 1)  (c ∧ copyi ) for any i. Thus Aunf , (l(0) , 1)  E(EaUz=1 b)Uz=1−i (c ∧ copyi ) for any i; which means Aunf , (l(0) , 1)  ϕunf . This serves as a counterexample for the claim that A, (l, x) |= ϕ iff Aunf , (l(0) , x) |= ϕunf .

7

Future Work, Remarks and Conclusion

We have thus established the decidability of model checking 1 clock STA with two stopwatches and no edge costs against EW CT Lmc formulae. For the case when we have more than two stopwatch costs, we conjecture that model checking against EW CT Lmc formulae would be decidable. Note that in the absence of edge costs, almost the whole proof of decidability would go through except that we will have to prove a bound on the size of the binary matrix, whose determinant value determines the upper bound on the granularity. Finally, for the cases when the stopwatch costs are replaced by arbitrary costs, and for W CT Lmc formulae, the problem is open.

References 1. Chiplunkar, A., Krishna, S., Jain, C.: Model Checking logic WCTL with multiconstrained modalities on One Clock Priced Timed Automata, TR-09-30, Technical Report, IIT Bombay (2009), http://www.cse.iitb.ac.in/~ krishnas/TR-09-30.pdf

102

A. Chiplunkar, S.N. Krishna, and C. Jain

2. Strzebonski, A.: Solving Systems of Strict Polynomial Inequalities. Journal of Symbolic Computation 29, 471–480 (2000) 3. Alur, R., Dill, D.L.: A Theory of Timed Automata. Theoretical Computer Science 126(2), 183–235 (1994) 4. Abdeddaim, Y., Asarin, E., Mailer, O.: Scheduling with timed automata. Theoretical Computer Science 354(2), 272–300 (2006) 5. Alur, R., Bernadsky, M., Madhusudan, P.: Optimal reachability for weighted timed games. In: D´ıaz, J., Karhum¨ aki, J., Lepist¨ o, A., Sannella, D. (eds.) ICALP 2004. LNCS, vol. 3142, pp. 122–133. Springer, Heidelberg (2004) 6. Alur, R., La Torre, S., Pappas, G.J.: Optimal paths in weighted timed automata. In: Di Benedetto, M.D., Sangiovanni-Vincentelli, A.L. (eds.) HSCC 2001. LNCS, vol. 2034, pp. 49–62. Springer, Heidelberg (2001) 7. Behrmann, G., Fehnker, A., Hune, T., Larsen, K.G., Pettersson, P., Romijn, J.M.T., Vaandrager, F.W.: Minimum-cost reachability for priced timed automata. In: Di Benedetto, M.D., Sangiovanni-Vincentelli, A.L. (eds.) HSCC 2001. LNCS, vol. 2034, p. 147. Springer, Heidelberg (2001) 8. Bouyer, P., Brinksma, E., Larsen, K.G.: Staying alive as cheaply as possible. In: Alur, R., Pappas, G.J. (eds.) HSCC 2004. LNCS, vol. 2993, pp. 203–218. Springer, Heidelberg (2004) 9. Bouyer, P., Brinksma, E., Larsen, K.G.: Optimal infinite scheduling for multi priced timed automata. Formal Methods in System Design 31(2), 135–175 (2007) 10. Bouyer, P., Larsen, K.G.: Nicolas Markey. Model-Checking One Clock Priced Timed Automata. Logical Methods in Computer Science 4(2:9), 1–28 (2008) 11. Brihaye, T., Bruy`ere, V., Raskin, J.-F.: On optimal timed strategies. In: Pettersson, P., Yi, W. (eds.) FORMATS 2005. LNCS, vol. 3829, pp. 49–64. Springer, Heidelberg (2005) 12. Brihaye, T., Bruy`ere, V., Raskin, J.-F.: On model-checking timed automata with stopwatch observers. Info. and Computation 204(3), 408–433 (2006) 13. Larsen, K.G., Rasmussen, J.I.: Optimal conditional reachability for multi-priced timed automata. In: Sassone, V. (ed.) FOSSACS 2005. LNCS, vol. 3441, pp. 234– 249. Springer, Heidelberg (2005) 14. Manasa, L., Krishna, S.N., Jain, C.: Model-Checking Weighted Integer Reset Timed Automata, http://www.cse.iitb.ac.in/~ krishnas/jlc.pdf 15. Rasmussen, J.I., Larsen, K.G., Subramani, K.: Resource-optimal scheduling using priced timed automata. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 220–235. Springer, Heidelberg (2004)

Safe Runtime Verification of Real-Time Properties Christian Colombo1 , Gordon J. Pace1, and Gerardo Schneider2 1

Department of Computer Science, University of Malta, Msida, Malta {christian.colombo,gordon.pace}@um.edu.mt 2 Department of Informatics - University of Oslo, Oslo, Norway [email protected]

Abstract. Introducing a monitor on a system typically changes the system’s behaviour by slowing the system down and increasing memory consumption. This may possibly result in creating new bugs, or possibly even ‘fixing’ bugs, only to reappear as the monitor is removed. Properties written in a real-time logic, such as duration calculus, can be particularly sensitive to such changes induced through monitoring. The same problem occurs in other scenarios such as when a system is ported to a faster machine. In this paper, we identify a class of real-time properties, in duration calculus, which are monotonic under the slowing down (speeding up) of the underlying system. We apply this approach to the real-time runtime monitoring tool Larva, where we use duration calculus as a monitoring property specification language, so we automatically identify properties which can be shown to be monotonic with respect to system re-timing.

1

Introduction

Runtime verification has been steadily gaining popularity, but scepticism still exists regarding its applicability in real-time systems. The introduction of a monitor overseeing a system, normally slows down the system, which may prove to be too detrimental in performance intensive or real-time systems. However, the introduction of monitors also modifies the behaviour of the system, changes which may lead to the creation of new bugs, or the eradication of others.1 Such situations are typically difficult to identify and fix. One important consideration in such situations is the underlying system, and what access it has to the underlying machine. For instance, a program which times its running behaviour and branches accordingly, may exhibit aberrant behaviour under monitoring as time values are affected by the monitor. However, 

1

The research work disclosed in this publication is partially funded by Malta Government Scholarship Scheme grant number ME 367/07/29 and by the Malta National Research and Innovation (R&I) Programme 2008 project number 052. These bugs are known as Heisenbugs, after Heisenberg’s uncertainty principle, related to the observer effect: the act of observing modifies the system.

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 103–117, 2009. c Springer-Verlag Berlin Heidelberg 2009 

104

C. Colombo, G.J. Pace, and G. Schneider

the expressivity of the underlying programming model is not the only issue — another factor is the expressivity of the logic used to express properties from which the monitors are synthesised. Not all logics (property languages) are sensitive to such problems. For instance, in single-threaded systems with no references to memory and temporal properties, the order in which methods are invoked are typically invariant under monitoring since such order remains unchanged. On the other hand, other logics (such as real-time logics) are particularly prone to this phenomenon, and thus one must be careful when verifying properties expressed in such formalisms at runtime. There are two sides to monitor-sensitivity: (i) the behaviour of the original system being monitored may depend on the existence of a monitor (e.g., by checking memory usage); and (ii) the properties being monitored may change their truth value depending on the presence of a monitor (e.g., it can slow down the system to such an extent that a reactivity property may be broken). In this paper, we investigate system re-timing insensitivity of the second type — addressing the issue independent of a particular real-time logic, and instantiating the results in duration calculus. In the rest of the paper, we will thus assume that the system is itself monitor-insensitive — the order of the events generated by the system itself is invariant under monitoring. Single-threaded systems, with no branching based on real-time, memory allocation and other machine-centric notions, are instances of such systems. In order to guarantee such monitor-insensitiveness, we need to characterise which real-time properties are monitor-sensitive. Consider the property ‘No more than three resets of a user account may occur within any one hour period’. Clearly, slowing down a system which satisfies this constraint will not break the property. On the other hand, speeding up such a system may result in breaking it. We identify two classes of real-time properties, ones which cannot be broken (if true, they remain true) under slowing down, and ones which cannot be broken under speeding up. One application of this approach is to enable reasoning about the effect of adding, or removing a monitor on the system. The approach can be extended to other applications, such as automatic derivation of temporal correctness of functionally correct optimisations. In this paper, we focus on the application of these techniques for runtimeverification. We integrate the analysis into Larva, a real-time runtime verification framework, which can monitor properties expressed using, amongst other logics, counterexample traces, a subset of duration calculus. The main contribution of the paper is twofold: (i) we define a formal mathematical framework to reason about real-time system retiming; and (ii) study the effect of such retiming for a duration calculus as a real-time logic. The paper is organised into two main parts: a generic theoretical framework till section 3.3, and an application of the theory to a subset of duration calculus from thereon. In section 2 we present background material on duration calculus, followed by section 3, in which we present the principal results on speedup and slowdown invariance. In section 4, we outline how counterexample traces can be

Safe Runtime Verification of Real-Time Properties

105

used to synthesize runtime monitors using Larva, and show an application of the techniques on a small case study in section 5.

2

Background

2.1

Duration Calculus

Duration calculus (DC) [23] is a real-time logic, describing properties which hold over time intervals, and that speaks about boolean states which change over time. The calculus is based on two main concepts: integration (measuring how long a boolean state holds over an interval) and the chop operator (which splits an interval into two parts). Various other operators can be defined in terms of these basic ones together with boolean connectives, to enable the expression of properties such as: (i) 2(Leak  ⇒  < 1), meaning that any subinterval in which Leak is continuously true, should not last longer than 1 time unit — leaks should not last longer than 1 time unit; and (ii) 2(Leak ; ¬Leak ; Leak  ⇒  ≥ 30), meaning that any interval in which there is a falling edge followed by a rising edge on Leak , has to last longer than 30 time units — there are at least 30 time units between consecutive leaks. In DC, time ( ) is modelled as the non-negative real numbers. Although the logic talks about time intervals, the underlying behaviour is modelled using boolean states, functions from the time domain to booleans (BState = → ). Validity of duration formulae is dependant on an underlying interpretation I, fixing the behaviour of the boolean states: I ∈ Bstate → ( → ). It is assumed that over any finite interval, state variables have a finite number of discontinuous points. Boolean states can be combined into boolean expressions using standard boolean operators such as X ∧ ¬Y . An interpretation can be lifted over boolean expressions by applying the interpretation to the constituent boolean states, e.g. I(X ∧ ¬Y )(t) = I(X)(t) ∧ ¬(I(Y )(t)). Duration formulae2 act over time intervals. The basic duration formulae are ∫ P = n (P holds for a total of n time units over a particular time interval), and the chop operator D; E (the time interval can be split into two such that D holds over the first part, E on the second). For a given interpretation I, I [b,e] D means that the formula D holds for the given interval [b, e], as defined below: def

e

I [b,e] ∫ P = n = ∫ I(P )(t)dt = n b def

I [b,e] D; E = for some m ∈ [b, e], I [b,m] D and I [m,e] E As with boolean expressions, boolean operators are also lifted over duration formulae, e.g. I [b,e] D ∧ ¬E holds exactly when I [b,e] D and I [b,e] E. Based on these operators, other operators are defined syntactically. Comparison operators on the duration of boolean expressions are defined, e.g. ∫ P ≥ n is defined as ∫ P = n; true. The other comparators can be similarly defined. 2

By convention we will use X and Y to refer to state variables, P and Q to refer to state expressions, and D and E to refer to duration formulae.

106

C. Colombo, G.J. Pace, and G. Schneider

The length of an interval (written ) is defined as ∫ 1 (where 1 is the constantly true boolean state). The duration formula P , meaning that P holds almost def everywhere3 throughout the given interval, is defined as: P  = ∫ P =  ∧  > 0. State expression invariance over an interval is written as P , defined as:  = 0 ∨ P  ∨ ¬P ). Based on the chop operator one can define the standard 3 and 2 modalities, which in DC read as “there exists a subinterval” and “for any def def subinterval” respectively: 3D = true; D; true, and 2D = ¬3¬D. Various other operators have been defined to simplify the expression of realn time properties. For instance, the leads-to operator P −→ Q, which states that if P holds for at least n time units then Q must hold immediately afterwards, can be expressed as: 2((P  ∧  = n);  > 0 ⇒  = n; Q; true). This can be shown to be equivalent to ¬3((P  ∧  = n); ¬Q) or even ¬3((P  ∧  ≥ n); ¬Q). A duration formula is valid under an interpretation if it holds for all time def prefixes: I  D = ∀t : · I [0,t] D. Finally, a duration formula is said to be a def tautology if it holds under all interpretations:  D = ∀I · I  D. 2.2

Counterexample Traces

In general, DC is known to be too expressive to be monitored with a bounded number of clocks [1]. However, a class of implementable DC formulae (known as the class of implementables) has been identified [20,22]. New operators are added on to DC in counterexample traces [20]. The two operators P and P enable knowing whether a state expression was satisfied just before (or after) a def point in time: I [b,e] P = b = e ∧ ∃m : · m < b ∧ I [m,b] P , and I [b,e] def P = b = e ∧ ∃m : · m > e ∧ I [e,m] P , respectively. Using these operators, one can syntactically define others. For instance,  P identifies whether there is a discontinuity at a point in time: ( ¬P ∧ P ) ∨ ( P ∧ ¬P ). Conversely,  P indicates that P does not change at that point in time: ¬  P ∧  = 0. In counterexample traces, events correspond to a change (or lack of change) of the value of state expressions: event ::=  P | P | event ∨ event | event ∧ event . Similarly, phases consist of a conjunction of three constraints: (i) a state expression which holds uniformly over the interval P , or simply true; (ii) a constraint on the length of the interval of the form  ≤ n,  ≥ n,  < n or  > n; and (iii) a number of state expressions which are invariant over the interval P1 ∧ P2 ∧ . . .  Pn . A counterexample trace is the negation of a chop separated sequence of phases and events: ¬(phase; (phase | event )∗ ; true). We say that a counterexample trace is a lower bound trace if none of the phases refer to  > n or  ≥ n. Similarly it is said to be an upper bound trace if none of the phases refer to  < n or  ≤ n4 . Length independent counterexample trace formulae are ones which include no reference to interval length in the phases. 3

4

It is standard in DC to use the “almost everywhere” since finite (negligible) variability does not affect the duration formulae, as durations are defined as the integral of certain variable over time. Note that counterexample traces are negated.

Safe Runtime Verification of Real-Time Properties

107

normal slowed speeded

Fig. 1. A stretch and compressed interpretation of a state variable

Consider the leads-to operator given in the previous section. The duration forn mula P −→ Q, is equivalent to ¬3((P  ∧  ≥ n); ¬Q), or the counterexample trace ¬(true; (P  ∧  ≥ n); ¬Q; true), which is an upper-bound trace.

3

Stretch and Compress Truth Preservation

In DC, the underlying real-time behaviour of a system is encapsulated in the interpretation of the state variables. A slowed down (or sped up) variant of the behaviour of a system corresponds to a stretching (or compression) transformation on the underlying state variable interpretations. Fig. 1 illustrates a state variable interpretation and its slowed down and sped up variants. In this section, we build a mathematical framework to model time stretches and compressions, independent of the real-time logic being considered. Using this framework, we proceed by characterising the fragment of DC satisfying these (stretch and compress) preservation properties. 3.1

Time Transforms

We start by characterising time transforms, corresponding to monotonic homeomorphisms over the positive real number line. Time transforms can be used to retime real-time variable interpretations in such a way that events are not lost, created, or reordered. Definition 1. A total continuous function s ∈ → is said to be a time transform (s ∈ TT ) if (i) s(0) = 0; (ii) limt→∞ s(t) = ∞; (iii) s is monotonic (t1 < t2 ⇒ s(t1 ) < s(t2 )). The simplest time transform is the identity function id which, given time t, returns t as output: id (t) = t. Also note that the functional composition of two time transforms is also a time transform. Moreover: Lemma 1. Time transforms are bijective functions. A na¨ıve way of defining a time transform to be a time-stretch, is to insist that s(t) ≥ t. However, this would only guarantee that all event timings of an interpretation I occur earlier than those of the Is — this is not what we require, since it does not guarantee that the intervals between events are always longer

108

C. Colombo, G.J. Pace, and G. Schneider

in the slow interpretation than the fast counterpart. Consider the case when the first two changes of a boolean variable X occur at times 5 and 10 under an interpretation I, but at times 9 and 11 under Is . All other events occur at the same time in the two interpretations. Although all events of Is occur later than the events in I, if one looks at the time between the first and second event, it is actually smaller in the case of Is . If causality of events is seen to start building up from the previous event, we need to look at lengthening intervals between events, not at delays in the events on an absolute time line — this requires interval-monotonicity. To formally define concepts related to the notions of slowing down and speeding up a system we need the formalisation of what time-stretching and time-compression mean. ← →

Definition 2. A time transform s ∈ TT is said to be a time-stretch (s ∈ TT ) if it is monotonic on intervals: s(t2 ) − s(t1 ) ≥ t2 − t1 (for t1 < t2 ). Similarly, it →←

is said to be a time-compression (s ∈ TT ) if it is anti-monotonic on intervals: s(t2 ) − s(t1 ) ≤ t2 − t1 (for t1 < t2 ). It can be proved that time-stretches satisfy that s(t) ≥ t. Since time transforms are bijective, one can talk about their inverse, which relates time-stretches and time-compressions. Proposition 1. The inverse of every time-stretch transformation is a timecompress transformation, and vice-versa. Stretching a time interval increases the integral under a (finitely-variable) state expression, and conversely, compressing a time interval decreases it. Proposition 2. Given a time-stretch s and interpretation of state expression α,  s(e) e  f (e) α(t)dt ≥ b α(s(t))dt. Similarly, given a time-compression f , f (b) α(t)dt ≤ s(b) e α(f (t))dt. b 3.2

Duration Calculus and Time Transforms

Through the use of time transforms, we can now define the effect of compression and stretching on an interpretation, and consequently on the validity of duration formulae. Applying a time transformation to an interpretation, yields an interpretation where each point is the output of the time transform function on the corresponding point. Definition 3. Given a time transformation s, and an interpretation I, the transformed interpretation of I w.r.t. s, written Is , is: Is (P )(s(t)) = I(P )(t). Applying the identity function to an interpretation I gives I: Iid = I. Also, applying time transforms f and g in sequence on an interpretation, is equivalent to applying the functional composition g ◦ f : (If )g = Ig◦f .

Safe Runtime Verification of Real-Time Properties

109

Definition 4. A duration formula D is said to be stretch truth-preserving, strt (D), if for any interpretation on which it is valid, it is also valid under any stretching of the interpretation. Similarly for stretch falsity-preserving, strf (D): def

← →

def

← →

strt (D) = ∀s : TT , I · I  D =⇒ Is  D strf (D) = ∀s : TT , I · I  D =⇒ Is  D Similarly, we define the corresponding notions for compression comt (D) and comf (D). A formula D is said to be stretch invariant, stri (D), if it is both stretch truth and falsity truth-preserving. Similarly, we define the notion of compression invariance, comi (D). The above notions consider the validity of a formula — the satisfaction of the formula on all time prefixes under an interpretation. In order to enable reasoning about individual stretched or compressed time intervals, we define the following: Definition 5. A duration formula D is said to be interval-stretch (intervalcompress) truth-preserving istrt (D) (icomt (D)) if, for all interpretations on which D is satisfied on all subintervals, D also holds for all subintervals under any stretching (compression) of the interpretation: def

← →

def

→←

istrt (D) = ∀s : TT , I, (b, e) · I [b,e] D =⇒ Is [s(b),s(e)] D icomt (D) = ∀s : TT , I, (b, e) · I [b,e] D =⇒ Is [s(b),s(e)] D Similarly, we define the notions of istrf (D), icomf (D), istri (D) and icomi (D). Using the surjectivity of time transforms, one can prove that interval truth preservation is a stronger notion than truth preservation. Theorem 1. An interval-stretch truth-preserving duration formula is also stretch truth-preserving: istrt (D) ⇒ strt (D). Similar results follow for the other predicates defined. In the rest of the paper, we will be using the notion of interval truth (falsity) preservation, since we know that this guarantees truth (falsity) preservation. Using the duality of time-stretches and time-compressions (see Proposition 1), and that of truth and falsity preservation, we can show that stretch truth preservation is equivalent to compress falsity preservation: Proposition 3. The class of interval-stretch truth-preserving formulae is equivalent to interval-compress falsity-preserving formulae: istrt (D) ⇔ icomf (D). Similarly: icomt (D) ⇔ istrf (D). It thus directly follows that interval-compress invariance is equivalent to interval-stretch invariance: icomi (D) ⇔ istri (D).

110

3.3

C. Colombo, G.J. Pace, and G. Schneider

Duration Formulae under the Effect of Time Transforms

The proposition just proved can be used to relate truth preservation of a formula and its negation. Theorem 2. A formula is interval-stretch truth-preserving if and only if its negation is interval-stretch false preserving: istrt (D) ⇔ istrf (¬D). Similarly, the negation of a formula which is interval-compress truth-preserving, is intervalcompress false preserving: icomt (D) ⇔ icomf (¬D). Combining the results of Proposition 3 and Theorem 2, we obtain: Corollary 1. A formula is interval-stretch truth-preserving if and only if its negation is interval-compress truth-preserving: istrt (D) ⇔ icomt (¬D). Hence, the truth of interval-compress and interval-stretch invariance does not change under negation: icomi (D) ⇔ icomi (¬D). Similarly, istri (D) ⇔ istri (¬D). Negation switches the parity of the duration formula. On the other hand, a number of other operators preserve it, as shown in what follows. Theorem 3. The duration formulae ∫ P > c and ∫ P ≥ c are interval-stretch truth-preserving duration formulae, while ∫ P < c and ∫ P ≤ c are intervalcompress truth-preserving. Proof. Consider the proof of istrt (∫ P > c): I [b,e] ∫ P > c =⇒ definition of ∫ e I(P )(t)dt > c b =⇒ definition of Is e I (P )(s(t))dt > c b s =⇒ proposition 2  s(e) e I (P )(t)dt ≥ b Is (P )(s(t))dt s(b) s =⇒ transitivity of >  s(e) I (P )(t)dt > c s(b) s =⇒ definition of ∫  Is [s(b),s(e)] P > c The other proofs follow similarly. Theorem 4. If D and E are interval-stretch (interval-compress) truth-preserving duration formulae, then so are the following: (i) true; (ii) false; (iii)  = 0; (iv) P ; (v) D; E; (vi) D ∧ E. Proof. The proofs of (i), (ii) and (iii) follow directly from the definitions. Consider the proof of (iv) istrt (P ):

Safe Runtime Verification of Real-Time Properties

111

I [b,e] P  =⇒ definition of − e b I(P )(t)dt = e − b ∧ e > b =⇒ definition of Is and monotonicity of time transforms e b Is (P )(s(t))dt = e − b ∧ s(e) > s(b) =⇒ basic calculus  s(e) s(b) Is (P )(t)dt = s(e) − s(b) ∧ s(e) > s(b) =⇒ definition of − Is [s(b),s(e)] P  The proof of (v) (istrt (D; E)) is as follows: I [b,e] D; E =⇒ definition of ; ∃m : [b, e] · I [b,m] D ∧ I [m,e] E =⇒ istrt (D) and istrt (E) ∃m : [b, e] · Is [s(b),s(m)] D ∧ I [s(m),s(e)] E =⇒ monotonicity of f ∃m : [s(b), s(e)] · Is [s(b),m ] D ∧ I [m ,s(e)] E =⇒ definition of ; Is [s(b),s(e)] D; E The proof of (vi) follows similarly. Theorem 5. If D and E are interval-stretch (interval-compress) truth-preserving duration formulae, then so are the following formulae: (i) 3D; (ii) 2D; (iii) D∨E; (iv) D. Proof. Using the definition of 3, and Theorem 4, it follows directly that if istrt (D), then istrt (3D), and similarly if icomt (D), then icomt (3D). Recall that 2D is defined to be ¬3¬D. Since istrt (D), it follows from Corollary 1 that icomt (¬D), and thus icomt (3¬D). Using Corollary 1 again, we get istrt (¬3¬D). A similar proof can be used for interval-compresses. Expressing disjunction in terms of negation and conjunction enables a similar proof. The proof of D follows directly from its definition and the other proofs in this section. Example 1. Recall the example given in section 2.1 — a leak may not last  longer than 1 time unit: 2(Leak  ⇒  < 1). This is equivalent to 2(¬Leak ∨ 1 < 1).  Using theorem 3, it follows that 1 < 1 is compress truth-preserving. ¬Leak  is also compress truth-preserving by Theorem 2 and the fact that Leak  is stretch truth-preserving (Theorem 4). Finally, using Theorem 5 for disjunction and the always operator, we can conclude that the original formula is compress truthpreserving. Similarly, one can show that the formula stating that there are at least 30 time units between consecutive leaks: 2(Leak ; ¬Leak ; Leak  ⇒  ≥ 30) is stretch truth-preserving.

112

3.4

C. Colombo, G.J. Pace, and G. Schneider

Counterexample Traces

Similar results as the ones given in the previous section can be proved about the two new counterexample trace operators. Theorem 6. P , P are interval-stretch and interval-compress invariant. From this theorem and Theorem 1, we extend invariance to the operator  P . Corollary 2.  P ,  P are interval-stretch and interval-compress invariant. Theorem 7. Upper bound counterexample trace formulae are compress truthpreserving, while lower bound counterexample traces are stretch truth-preserving. Length independent formulae are compress and stretch invariant. This follows using induction on the structure of the counterexample formulae using the theorems given in this section and the previous one. n

Example 2. Recall the definition of the leads-to operator P −→ Q, transformed into a counterexample trace in section 2.2 — ¬(true; (P  ∧  ≥ n); ¬Q; true). Since the formula is an upper bound counterexample trace, one can conclude by n Theorem 7 that all formulae of the form P −→ Q are compress truth-preserving. All the above theorems enable syntactic analysis of duration formulae to calculate whether they are compress or stretch truth-preserving or invariant. Although, obviously, not a full decision procedure, many useful properties can be proved to fall into one of these categories. 3.5

Summary of Results

A summary of the theorems proved is provided in the table below:5 Property\ Fragment interval-stretch truth preserving interval-stretch false preserving interval-compress truth preserving interval-compress false preserving



>c  × × 




¬    

;    

∧    

∨    

    

    

Note that the preserving fragments for interval-stretch truth preserving are equivalent to those for interval-compress false preserving. Similarly, the preserving fragments for interval-compress truth preserving are equivalent to those for interval-stretch false preserving. These results can be readily extended to other syntactic extensions to DC. 5

 denotes that the fragment preserves the property, × denotes the contrary, while  signifies that the property is inverted (e.g., if a property is interval-stretch truth preserving, its complement is interval-stretch false preserving).

Safe Runtime Verification of Real-Time Properties

4

113

Case Study

In this section, we present a specification of an intrusion detection system in terms of counterexample traces, to show how slowdown and speedup reasoning can be used on a real specification. Although the specification written in terms counterexample traces lacks the readability of one written in full DC, it has the distinct advantage of being automatically implementable as a runtime monitor. It is well known how to translate such formulae into phase event automata (PEAs) [9], which we use, in turn, to produce dynamic automata with timers and events (DATEs) which we have used for runtime verification of real-time properties [6], and are implemented in the tool Larva. The tool implements a transformation from PEAs to DATEs which has been proved to be sound and complete. Full details of the transformation and its proof of correctness can be found in [5]. A number of properties of the network intrusion detection system are expressed as counterexample traces, and used to detect possible malicious activities on a network connection. Each of these properties is stretch truth-preserving, i.e. if the property holds on a system, it will also hold on a slowed-down version of the system. This fact assures us that inserting monitors in the system, will not cause a violation of any of the monitored properties: we will not have false negatives signalled by the monitoring system. In what follows we will give a detailed account of each property of the case-study. Note that some of the variables which are external to the system being monitored are not being considered for the analysis of slowdown and speedup. The section is concluded by a brief account of the runtime verification process as carried out by the tool Larva. Initiating Connections. For strict security concerns, one may wish to disable any incoming TCP packets which do not belong to connections initiated by the host machine being monitored. The initialisation of a TCP connection requires a complete three-way handshake: first a synchronization packet from the client, then a synchronization and acknowledgement packet from the server and another acknowledgement from the client. If the host machine receives a synchronization packet without having sent one beforehand, then an outsider is trying to open a connection. This property may be written as a counterexample trace forbidding and sending of synchronisation packets (sendSYN) before a synchronisation packet is received (receiveSYN): ¬( sendSYN;  receiveSYN; true) Since a TCP connection is a 4-tuple (an address and a port for both the server and the client), this property has to be monitored for each distinct tuple. Redirect Messages. In the case of a machine with a routing table, a lot of ICMP redirect messages can cause the system to slow down. Therefore, there is a need to control the number of such messages. The property, which disallows three redirect messages within less than two time units between subsequent messages, can be written as follows:

114

C. Colombo, G.J. Pace, and G. Schneider

¬(true ;  redirectMsg; 1 ∧  < 2;  redirectMsg; 1 ∧  < 2;  redirectMsg; true) Note that 1 between the events is not redundant because this ensures that the length of the interval is greater than zero (by definition of ·). Allowing an interval with zero length between two events would mean that the events are in fact the same. The property can be modified slightly to monitor against repeated ping messages and other unwanted (malicious) traffic. Connection Failure Retries. A denial-of-service attack can be carried out by initiating an excessive number of connection initialisations to a server and then leaving the handshake incomplete. The server will have to wait for each of these initialisations to timeout. A simple check would be to limit the number of subsequent failed connection retries originating from the same IP address. The property, which prohibits three consecutive connection failures with less than two time units between each subsequent pair of failures, may be written as follows: ¬(true ;  failedConn; 1 ∧  < 2 ∧  successConn;  failedConn; 1 ∧  < 2 ∧  successConn;  failedConn; true) To monitor the above property, we can use two sub-properties which define what it means for a connection to be successful (successConn) or to fail (failedConn). A successful connection consists of a synchronisation packet from a client, the acknowledgement from the server and reciprocating acknowledgement from the client. Similarly, a TCP handshake which is not acknowledged within 5 seconds is considered as a failed connection. A TCP handshake must be monitored at a connection level with the usual four parameters (IP addresses and port numbers) while the monitoring of successive failed connection retries is performed for each individual IP address. Note that these duration formulae inherently quantify over state variables, exploiting the inherent parametrisation over tuples of objects used in Larva — our duration formulae are thus seen as formulae quantified over state variables at the top-level of the formula. In summary, given a property as a counterexample trace, the following steps are required to monitor a Java program to detect any violations of the property: (i) analyse the counterexample trace with the tool to know whether the counterexample trace is slowdown and/or speedup truth preserving or none; (ii) use the tool to automatically convert the counterexample trace into a Larva script; (iii) relate the monitoring events to system events (such as method calls); (iv) if the property is to be monitored for each object of a particular class, modify the Larva script accordingly; (v) add any Java code to be invoked in case of a violation detection; (vi) compile the script to generate the monitoring system; and (vii) run the Java program with the generated monitoring files in place.

Safe Runtime Verification of Real-Time Properties

5

115

Related Work

Monitoring of real-time properties is far from new [4,11,10,16,3,21], but to our knowledge, there is no existing work which identifies classes of properties to ensure invariant behaviour of the monitors under slowing down or speeding up. Our approach differs from other approaches [19,8,7,2] in that our theory revolves around the observed behaviour rather than the semantic or syntactic definition of underlying logic, i.e. we analyse the effect on the observation rather than modifying the semantics of any logic. The main motivation behind the related work discussed here is that real-time logic in dense time allows the definition of properties with arbitrary precision. This is technically impossible to achieve from an engineering point of view. A possible solution to this problem is to use a discrete time model to avoid the problem of arbitrary precision. However, this might not always be desirable. For this reason, a robust interpretation of duration calculus has been suggested [7] where the satisfaction of a neighbourhood of formulae is considered rather than that of a single formula. A similar approach has been applied to timed automata [8] where the language accepted by robust timed automata is a set of tubes rather than individual trajectories where a tube is a set of neighbouring trajectories. A robust reachability analysis for timed automata [19] has been studied such that the analysis is robust with respect to a given maximum drift of the clocks. Rather than a semantic approach, Alur et al. [2], suggest MITL as a solution by allowing the specification of an interval of approximations rather than a constant with arbitrary precision. Also related to our approach, but in a temporal setting without reference to real-time quantities, is the notion of stutter-invariant properties, corresponding to properties invariant under slowdown [13,17,12]. In a discrete time setting, such as LTL and CTL, the family of such properties corresponds to a syntactic restriction on the use of the next operator. As we have seen, the notion of stretching and compression invariance in a real-time setting introduces considerable more challenges. Suggesting a more practical approach, Pohlack et al. [18] deal with slowdown by compensating for the monitoring overheads. The overhead is taken into consideration so that the output of the monitors can be properly adjusted in the case of proliferation. The most common approach to monitoring real-time properties [4,11,10,16,21] is based on simple time constraints where each time constraint compares the timestamps of two event occurrences. Such a constraint can be used to represent a delay or deadline constraint where an event should occur after a particular delay or before a certain deadline. A recurrent problem with a simple treatment of time is that there is typically a lag from the moment an event occurs till the moment it is detected. A solution proposed in [15] is to treat each timestamp as an interval of possible time points at which the event might have occurred. Summapun et al. [21] have integrated these time constraints within the existing MaC framework. The idea of intervals is further investigated in [14] where each time constraint also includes a threshold which the satisfaction probability should exceed. Other approaches to

116

C. Colombo, G.J. Pace, and G. Schneider

monitor real-time properties include the work of Bauer et al. [3] which provides a monitoring procedure for TLTL3 .

6

Conclusions

Real-time properties are notorious for their sensitivity to changes in a system. Inevitably, overheads are induced when introducing monitoring in a system. This unintended change, has to be addressed in order to make the verification of realtime properties more reliable. In our approach, we have identified a class of DC which guarantees that slowing down (or speeding up) the system would not break the validity of a formula. These checks have been incorporated in Larva, together with a sound and complete translation from counterexample traces into DATEs — the notation used in Larva. The case study presented shows how this approach can be useful is real scenarios. Though we have instantiated our definitions and results in DC, the approach could be extended to other real-time logics. Our approach has other applications outside runtime verification. For instance, confidence gained through model-checking or testing of a compress truthpreserving property means that the system may be ported onto a faster machine with full confidence. Moreover, monitors for compress truth-preserving properties ensure that removing a system from its testing environment will not induce it to fail. An underlying assumption in our work, is that all state variables are affected by the same time transform. This may not always be the case. For example, in a distributed real-time system the state variables on different machines may be differently re-timed. This is much more challenging than simply considering the affect of a single global time transform. Another limitation of this work is that the time transforms are allowed to stretch or compress the time-line in an unbounded manner — this is usually required since it is usually difficult (possibly impossible) to identify the maximum overhead induced by a runtime monitor. However, the approach we adopt enables a succinct characterisation of bounded slowdown, speedup, or even bounded retiming (allowing both speedup or slowdown to a limited degree), which would be interesting to explore in more detail. Our approach addresses property invariance under re-timing. An interesting research direction is that of looking into the complementary issue of system analysis to ensure whether a program is also slowdown or speedup insensitive, so it will still produce the same traces (albeit with different timestamps). Together with the property analysis, this would enable full analysis of systems under monitor instrumentation.

References 1. Bouajjani, A., Lakhnech, Y., Robbana, R.: From duration calculus to linear hybrid automata. In: Wolper, P. (ed.) CAV 1995. LNCS, vol. 939, pp. 196–210. Springer, Heidelberg (1995) 2. Alur, R., Feder, T., Henzinger, T.A.: The benefits of relaxing punctuality. J. ACM 43(1), 116–146 (1996)

Safe Runtime Verification of Real-Time Properties

117

3. Bauer, A., Leucker, M., Schallhart, C.: Monitoring of real-time properties. In: ArunKumar, S., Garg, N. (eds.) FSTTCS 2006. LNCS, vol. 4337, pp. 260–272. Springer, Heidelberg (2006) 4. Chodrow, S.E., Jahanian, F., Donner, M.: Run-time monitoring of real-time systems. In: RTSS 1991, pp. 74–83. IEEE Computer Society Press, Los Alamitos (1991) 5. Colombo, C.: Practical runtime monitoring with impact guarantees of java programs with real-time constraints. Master’s thesis, University of Malta (2008) 6. Colombo, C., Pace, G.J., Schneider, G.: Dynamic event-based runtime monitoring of real-time and contextual properties. In: FMICS 2008. LNCS. Springer, Heidelberg (to appear) (2008) 7. Fr¨ anzle, M., Hansen, M.R.: A robust interpretation of duration calculus. In: Proceedings of NWPT, pp. 83–85 (2004) 8. Gupta, V., Henzinger, T.A., Jagadeesan, R.: Robust timed automata. In: Maler, O. (ed.) HART 1997. LNCS, vol. 1201, pp. 331–345. Springer, Heidelberg (1997) 9. Hoenicke, J.: Combination of Processes, Data, and Time. PhD thesis, University of Oldenburg (July 2006) 10. Jahanian, F.: Run-time monitoring of real-time systems. In: Advances in real-time systems, pp. 435–460. Prentice-Hall, Inc., Englewood Cliffs (1995) 11. Jahanian, F., Rajkumar, R., Raju, S.C.V.: Runtime monitoring of timing constraints in distributed real-time systems. Real-Time Systems 7(3), 247–273 (1994) 12. Kesten, Y., Manna, Z., Pnueli, A.: Temporal verification of simulation and refinement. In: A Decade of Concurrency, Reflections and Perspectives, REX School/Symposium, London, UK, pp. 273–346. Springer, Heidelberg (1994) 13. Lamport, L.: What good is temporal logic? In: Information Processing 1983, pp. 657–668 (1983) 14. Lee, C.-G., Konana, P., Mok, A.K.: Monitoring of timing constraints with confidence threshold requirements. IEEE Trans. Comput. 56(7), 977–991 (2007) 15. Mok, A.K., Lee, C.-G., Woo, H., Konana, P.: The monitoring of timing constraints on time intervals. In: RTSS 2002, p. 191. IEEE Computer Society Press, Los Alamitos (2002) 16. Mok, A.K., Liu, G.: Efficient run-time monitoring of timing constraints. In: RTTAS 1997, pp. 252–262. IEEE Computer Society Press, Los Alamitos (1997) 17. Peled, D., Wilke, T.: Stutter-invariant temporal properties are expressible without the next-time operator. Information Processing Letters 63(5), 243–246 (1997) 18. Pohlack, M., D¨ obel, B., Lackorzy´ nski, A.: Towards runtime monitoring in real-time systems. In: Eighth Real-Time Linux Workshop, Lanzhou, China (2006) 19. Puri, A.: Dynamical properties of timed automata. Discrete Event Dynamic Systems 10(1-2), 87–113 (2000) 20. Ravn, A.P.: Design of Embedded Real-Time Computing Systems. PhD thesis, Technical University of Denmark (October 1995) 21. Sammapun, U., Lee, I., Sokolsky, O.: Checking correctness at runtime using realtime java. In: JTRES 2005 (2005) 22. Schenke, M., Olderog, E.-R.: Transformational design of real-time systems part i: From requirements to program specifications. Acta Informatica 36(1), 1–65 (1999) 23. ChaoChen, Z., Hoare, C.A.R., Ravn, A.P.: A calculus of durations. Information Processing Letters 40(5), 269–276 (1991)

Removing All Silent Transitions from Timed Automata C˘at˘alin Dima1 and Ruggero Lanotte2 1

LACL, Universit´e Paris 12, 61 av. du G´en´eral de Gaulle, 94010 Cr´eteil Cedex, France 2 DSCPI, Universit`a dell’Insubria, Via Carloni 78, 22100, Como, Italy

Abstract. We show that all ε-transitions can be removed from timed automata if we allow transitions to be labeled with periodic clock constraints and with periodic clock updates. This utilizes a representation of the reachability relation in timed automata in a generalization of Difference Logic with periodic constraints. We also show that periodic updates are necessary for the removal of ε-transitions.

1 Introduction Timed automata [1] are a useful tool for modeling real-time systems. A theory of timed automata and timed languages has emerged in the past 15 years, leading more or less to generalizations of the classical results on regular expressions, monadic logics and algebraic characterizations, or to negative results concerning determinization or minimization. The paper [2] accounts for an interesting discussion on challenges that remain in order to provide nice generalizations of some important results from classical automata theory. In this paper we are interested in closing a gap in the theory of timed automata, namely the possibility remove ε-transitions (a.k.a. silent transitions). Previously studied in [6,10], the problem has received upto now negative results in the classical setting of [1] (see [6]), and in a setting in which “periodic” constraints are allowed to label transitions [10]. Some other results were reported in [9] related to the undecidability of the equivalence problem between ε-free timed automata and general timed automata. We show that, if we generalize both clock constraints and resets, by allowing periodic clock constraints and periodic updates, then ε-transitions can be removed from a timed automaton. Our periodic updates extend the generalized updates studied in [7,8]. Our result is based on a technique from [13,15] for representing reachability relations in timed automata. There, we have proved that the reachability relations constructed in the so-called reset semantics of timed automata are representable by a class of finite automata, the so-called n-automata. Results from [11,17] could also be used. We identify here an extension of Difference Logic which is equivalent in expressive power with n-automata, thus identifying also a class of first-order logic properties defining reachability relations. Our extension of Difference Logic contains positive boolean combinations of difference formulas utilizing some generalized form of “ultimate periodicity”. The basic idea in our technique for removing -transitions is to replace a whole maximal subautomaton B composed of -transitions with a finite set of transitions, each one associated with some “entry transition” in B and an “exit point” from B. Such a transition is labeled then with a formula which re-encodes the reachability transition J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 118–132, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Removing All Silent Transitions from Timed Automata

119

defined by B (with the given entry and exit points) into clock valuation semantics. The re-encoding is necessary as the reachability relation is constructed in terms of reset point semantics. Also the formula involves some generalized forms of updates, specifying that some clocks are to be updated, on the exit point, to some values satisfying some formula in our generalization of Difference Logic. We also include a proof of the fact that our generalized form of updates are necessary. The proof adapts an example of [10] and does not rely on the assumption that automata work on infinite timed word as in [10]. We build a timed automaton recognizing a language for which, for each n, the set of accepted timed words is a “region language”, in the sense e.g. of [19,14]. To recognize such a language with only resets to zero, one would need an unbounded number of clocks. It should be noted that the region construction, or a zone propagation algorithm would not suffice for removing the ε-transitions. This not only follows from the results of [6,10], but also as our technique relies essentially on the possibility to express exactly the reachability relation – and it is known that the region construction does not give the possibility for a faithful representation of the reachability construction. The rest of the paper is organized as follows: the next section recalls the reset time semantics of timed automata and presents our technique for removing -transitions. The third section gives some intuitions for the technique for removing ε-transitions, and presents our extension of Difference Logic and the generalized form of constraints and updates that are obtained in timed automata after removing -transitions. The fourth section recalls the results on representing reachability relations with n-automata and gives the proof that our extension of Difference Logic is expressively equivalent with n-automata. The fifth section contains the proof that generalized updates are needed for removing -transitions. Due to space limitations, the proof of this result can be found in the technical report [16]. We end with a section with conclusions and direction for further work.

2 Timed Automata with Reset Point Semantics Behaviors of timed systems can be modeled by timed words over a set of symbols Σ which are finite sequences of nonnegative numbers and symbols from Σ. For example, the sequence 1.3 a 1.2 b denotes a behavior in which an action a occurs 1.3 time units after the beginning of the observation, and after another 1.1 time units action b occurs. A special case occurs when time elapses after the last action – it is the case of the timed word 3 a 1 b 1. We will avoid this for technical reasons, as such behaviors require checking some constraint on a final ε-transition which can never be removed without changing the accepted language of the timed automaton. Hence, we require that each timed word ends with an action name – eventually by inserting a special symbol ⊥ to signal the end of the timed word. For similar reasons, we require that timed words start with a symbol and not a time passage. The untiming of a timed word is the sequence of actions in it, and denoted #(w), hence #(1.3 a 1.2 b) = ab. Finally, note that timepassage quantities are additive and ε is the empty timed word, hence a 3 a 1 ε 1.5 b = a 3 a 1 · 1.5 b = 3 a 2.5 b. A timed automaton [1] is a tuple A = (Q, X , Σ, δ, Q0 , Qf ) where Q is a finite set of locations, X is a finite set of clocks, Σ is a finite set of action symbols, Q0 , Qf ⊆

120

C. Dima and R. Lanotte

Q are sets of initial, resp. final locations, and δ is a finite set of tuples (transitions) C,z,X

q −−−−→ q  where q, q  ∈ Q, X ⊆ X , z ∈ Σ ∪ {ε} and C is a finite conjunction of clock constraints of the form x ∈ I, where x ∈ X and I ⊆ [0, ∞[ is an interval with C,ε,X

integer or infinite bounds. A transition q −−−−→ q  is called an ε-transition. The classical semantics of timed automata works on clock valuations v : X → R≥0 . As usual, for each clock valuation v, subset of clocks X ⊆ X , and real value u ∈ R, we will denote v[X := u] the clock valuation resulting from updating all clocks in X to u, and v + u the clock valuation resulting by incrementing all clocks with u. The semantics of a timed automaton is given in terms of a clock transition system C(A) = (Q, θ, Q0 , Qf ) where Q = Q × [X → R≥0 ], Qf = Qf × [X → R≥0 ], Q0 = Q0 × {0X }, with 0X : X → R≥0 being the zero clock valuation, and   u θ = (q, v) − → (q, v  ) | v  = v + u ∪   C,z,X z (q, v) − → (q  , v  ) | ∃q −−−−→ q  ∈ δ with v |= C and v  = v[X := 0] ξ1

ξ2

ξk

A trajectory in C(A) is a chain (q 0 , v 0 ) −→ (q 1 , v 1 ) −→ . . . −→ (q k , v k ) of transitions from θ, with ξi ∈ R≥0 ∪ Σ ∪ {ε}. The trajectory is associated with the timed word ξ1 . . . ξk . An accepting trajectory in C(A) is a trajectory which starts in Q0 and ends in Qf , and starts and ends with a Σ-transition, that is, a transition labeled with some a ∈ Σ. A timed word is accepted by a timed automaton if it is associated with an accepting trajectory. This means that any accepted timed word ends with an action symbol and not with a time passage. The accepted language of A is the set of timed words which are associated with some accepting trajectory in C(A), and is denoted L(A). Two timed automata are called equivalent iff they have the same language. An example of a timed automaton is provided in Figure 1, which accepts the  language L1reg = t1 a . . . a tn a | ∀1 ≤ i ≤ j ≤ n, i≤k≤j tk ∈ ]j −i, j −i+1[ . x = 1?, ε, x := 0 q2

q3 y ∈]0, 1[, a, y := 0

Fig. 1. An example of a timed automaton

An alternative semantics can be given to timed automata by speaking rather of the points where the clocks were reset and points where they are checked, instead of clock values. This is the reset points semantics, first used in [5]. The idea is to utilize a variable t representing current time, and to record, at each moment t and for each clock xi , the last moment before t when x was reset – denote this by r(x). Then the value of the clock x at t equals t − r(x). Furthermore, time passage in a location amounts to incrementing the “current time” variable, while resetting clock x amounts to the assignment r[x := t]. Formally, if we denote Xt = X ∪ {t}, the reset transition system associated to A is T (A) = (Q × [Xt → R≥0 ], θ, Q × 0Xt , Q × [Xt : R≥0 ]) where

Removing All Silent Transitions from Timed Automata

121

  u θ = (q, r) − → (q, r ) | r = r[t := r(t) + u]  C,z,X z ∪ (q, r) − → (q  , r ) | ∃q −−−−→ q  ∈ δ such that r = r[X := r(t)]  and if we put v = r X − r(t) then v |= C Here, for a function f : A → B and subset C ⊆ A, f C denotes the restriction of f to C. Transitions of the first type are time-passage and those of the second type are disC,z,X

crete, and in this case the transition q −−−−→ q  is said to be associated with the discrete z transition (q, r) − → (q  , r ). Trajectories can be defined then similarly to the clock valuation case, as well as acceptance and accepted language. It is easy to note that the language accepted by a timed automaton, as defined using the clock semantics, is the same as the language accepted by a timed automaton using the reset semantics.

3 Removing a Subautomaton with ε-Transitions C  ,a ,X 

C,a,X

Suppose we are given two transitions, τ = q −−−−→ s and τ  = q  −−−−−→ s , in a timed automaton A, with a, a ∈ Σ, and some subautomaton B = (Q , X , ∅, δ  , {s}, {s}), where Q ⊆ Q and δ  ⊆ δ – hence B contains only εtransitions. We would like to “replace”, in A, the subautomaton B, together with the final transition τ  , with a single transition τ B , labeled with some “generalized” constraint, τ B = (s, C, a , s ). The transition τ B should take place at the same time where τ  takes place when accepting some timed word. The intuitive construction is depicted in Figure 2. q

τ

s

q

τ

τ

q

B

τB

qτBτ 

s

q

Fig. 2. The scheme of removing one subautomaton composed of only ε-transitions

We seek for a formula φB on clock valuations, formula which would ensure that each trajectory that takes the two transitions τ and τ B in the modified automaton can be simulated with a trajectory in the original automaton that takes τ , then passes through B, and leaves this subautomaton through τ  . The aim is that this constraint can be defined in some fragment of first-order logic, defining some generalized forms of updates [8]. It appears that the construction of φB can be done in a simpler way if we focus on the relation between reset times, instead of clock values. The reachability relation B  on reset times defined by τ , τ  , and B, denoted  Rsτ τ  , is composed of  tuples (r, r ) for which there exists some trajectory ρ = reset transition system for A, with r

0

ζi

(qi−1 , ri−1 ) −→ (qi , ri )

= r, r

N



1≤i≤N

, in the

= r and T (A), such that the first

122

C. Dima and R. Lanotte

transition is associated with τ , the last transition is associated with τ  , and all intermediary transitions in ρ are associated with ε-transitions in B. Our aim is to build a formula ψτBτ  (r1 , . . . , rn , t, r1 , . . . , rn , t ) which represents the relation RsB τ τ  , where ri would be the variable denoting the last reset time for clock xi before the moment when τ is taken, t would be the variable denoting the moment where τ is taken, and ri and t would be similarly related with the moment where τ  is taken. (Here we consider that the clocks are numbered X = {x1 , . . . , xn }.) Using results from [13,15], we may show that this formula can be constructed in an extension of the Difference Logic: we will show that ψτBτ  is a finite disjunction of existential quantifications of conjunctions of formulas of the type x − y ∈ D, where D is an arithmetic expression with interval summation, in the form D = [a, b[ +k1 α1 + . . . + kp αp , with α1 , . . . , αp ∈ Z being some constants and k1 , . . . , kp nonnegative integer variables over which the whole formula is existentially quantified. In other words, we will be able to write some formula of the type    ∃k1 . . . ∃kn−1 (ri − rj ∈ Dij ) ∧ (ri − rj ∈ Dij ) ∧ (ri − rj ∈ Dij )∧ i,j  (t − ri ∈ Di ) ∧ (t − ri ∈ Di ) ∧ (t − ri ∈ Di ) ∧ (t − t ∈ D) (1) i

  Dij , Dij , Dij , Di , Di , Di , D

where are “periodic” sets of intervals defined using the variables k1 , . . . , kn−1 . Then we would have to synthesize a formula on clock values from this. To do this, we may first observe the following:   – The constraint ri − rj ∈ Dij is the same as the constraint xi − xj ∈ Dij , with the  clock values referring to the moment when τ is taken. – The constraint ri − t ∈ Di is the same as the constraint xi ∈ Di , with the clock value of xi referring to the moment when τ  is taken. – The constraint ri − rj ∈ Dij is the same as the constraint xi − xj ∈ Dij , computed at τ  , as if the clocks xi and xj were not reset during the passage through the automaton B.  – Similarly, the constraint ri − t ∈ Di is the same as the constraint xi ∈ Dij ,  computed at τ as if xi would have never been reset in B.

Modeling the constraint t −t ∈ D and the rest of the constraints requires the creation of a new clock, xtime , which is reset on τ . Then: – The constraint t − t ∈ D is the same as the constraint xtime ∈ D, checked at τ  . – The constraint ri −t ∈ Di is the same as the update xi :∈ xtime −Di at τ B .   – The constraint ri −rj ∈ Dij is the same as the update xi :∈ xj −Dij at τ B . In the next section we prove that the construction of the formulas φB τ τ  is always possible. But first, we formalize the above construction, and the extension of Difference Logic which is utilized in our generalized constraints. Difference logic (DL) is the first-order logic of formulas that bind differences of variables. One possible presentation of DL is through the following syntax: ϕ ::= x − y ∈ I | ϕ ∧ ϕ | ∃xϕ where I is an interval with integer or infinite bounds.

Removing All Silent Transitions from Timed Automata

123

An extension of DL with regular constraints can be defined as follows: a regular constraint is a constraint of the form ψ : x − y ∈ I + k1 α1 + . . . + kp αp , where ki are integer-valued variables and αi are integer constants. Then formulas in this “regular” extension are of the type ϕ ::= ψ | ∃k1 . . . ∃kp ϕ | ϕ ∧ ϕ | This logic is too strong for our aim: some formulas in this logic cannot specify the reachability relation of some timed automaton. For example, the formula φ∃ : ∃k.(x − y = k) ∧ (y − z = k) cannot represent any reachability relation. Intuitively, if φ∃ represented the reachability   relation, the timed automaton would have to accept Lnonreg = a n b n c | n ∈ N , which is clearly not a timed regular language, a simple pumping argument rejecting it. The logic that we seek for is the ordered regular difference logic (ORDL for short), which is the fragment of the above extension of DL defined as follows: ϕ ::= ϕ ∨ ϕ | [η]ψ ψ ::= ∃k1 . . . ∃kn−1

 1≤i<j≤n

  j−1 xj − xi ∈ Iij + kl αl l=i

(2)

(i.e. with n free real-valued variables and n − 1 quantified integer-valued variables), where: 1. η : {1, . . . , n} → {1, . . . , n} is a bijection and [η]ϕ is the result of changing, in formula ϕ, each index i labeling a variable, a constant or an interval into η(i). That is, we change xi into xη(i) , ki into kη(i) , αi into αη(i) and Iij into Iη(i)η(j) . 2. Iij ⊆ [0, ∞[ is a bounded interval with nonnegative integer bounds and αi is a nonnegative integer constant. A further restriction applies to the semantics of ORDL formulas, as quantifications are supposed to be only over nonnegative integers. The following property shows that formulas in DL can be expressed in ORDL: Proposition 1. For each formula φ in DL there exists a formula φ in ORDL which is equivalent with φ. Proof. The formulas which may pose problems are formulas which contain unbounded intervals. The idea is then to decompose such formulas into a “regular” set of regions [12]. The formalization is the following: first, each interval which contains negative numbers is split in two, that is, we replace each constraint of the form x − y ∈ [−α, β] with x − y ∈ [0, β] ∨ y − x ∈ ]0, α]. Further, each finite and non-point interval occurring in φ is decomposed into unitlength intervals – that is, each subformula of the form x − y ∈ I with inf I = a and b−1 sup I = b, a < b, is rewritten as x − y ∈ I ∩ [l, l + 1]. l=a

124

C. Dima and R. Lanotte

Then we bring the formula into DNF, and transform each conjunct into normal form, as it is done for Difference-Bound Matrices (DBM) [4,13,15]. After these steps, we end with formulas which are obtained, by bijective renamings of indices, from formulas of the type  φ = xj − xi ∈ Iij (3) 1≤i<j≤n

where some of Iij are either infinite intervals, unit length intervals, or point intervals. Remark 1. Recall that a conjunct of the form 3 is in DBM normal form if and only if for each triple of indices i, j, k, Iij ⊆ Iik +Ikj [13,12]. Note then that for all i ≤ j ≤ k ≤ l, if Iil is finite then Ijk is finite too. Denote βi = inf Ii,i+1 , and αi = 1 if Ii,i+1 is infinite and αi = 0 otherwise. Also, for

j−1  each i < j, put Jij = Iij ∩ 0, (βl + 1) . l=i

Then φ is equivalent with the formula 

φ : ∃k1 , . . . , ∃kn−1





xj − xi ∈ Jij +

1≤i<j≤n

j−1 

 αl kl

(4)

l=i

To see that, take a tuple x that satisfies φ , and denote ki = xi+1 − xi  − βi . Denote i−1 y the tuple defined by y i = xi − kl for all i ≤ n. Then y satisfies the formula l=1  φ : y j − y i ∈ Jij . For the reverse implication, note that, by Remark 1, 1≤i<j≤n

whenever we have Iij finite we must also have αl = 0 for all i ≤ l < j, and hence in the formula φ in 4, xj − xi is bound by Jij = Iij .   In the sequel, for a renaming of variables defined by a bijection η : {1, . . . , n} → {1, . . . , n}, and two real-valued variables xi , xj , we abuse notation by denoting η(xi ) < η(xj ) instead of η(i) < η(j). The class of timed automata which utilize as constraints and updates (in the sense of [8]) formulas from ORDL is the following: Definition 1. A timed automaton with generalized constraints/updates is a tuple A = (Q, X , Σ, δ, δ0 , δf ) where Q, X , Σ, bear the same names and properties from timed automata, with X = {x1 , . . . , xn } and [η]ψ,a

1. δ is a finite set of tuples (transitions) q −−−−→ r where ψ is a formula of the form 2 in ORDL whose real-valued variables are in X ∪ X  , with X  being a copy of X . Moreover, η is a variable reordering such that η(x) < η(x ) for all x ∈ X . 2. δ0 ⊆ δ is a set of initial transitions and δf ⊆ δ a set of final transitions. 3. Initial transitions carry only generalized constraint of the form 1≤i≤n xi = 0 ∧ xi := 0. 4. Initial and final transitions are labeled with non-ε symbols. Note that the first condition implies that, in the formulas labeling transitions, if a conjunct of the form xi − xi ∈ Dii occurs, then Dii ⊆ [0, ∞[.

Removing All Silent Transitions from Timed Automata

125

The semantics of these automata is given by the clock transition system C(A) = (Q, θ, Q0 , Qf ) where Q = Q×[X → R≥0 ], Q0 = Q0 ×{0X }, Qf = Qf ×[X → R≥0 ] and   t θ = (q, v) − → (q, v  ) | vi = vi + t, ∀i ∈ [1 . . . n]  ϕ,a a ∪ (q, v) − → (q  , v  ) | ∃q −−→ q  ∈ δ with (v, v  ) |= ϕ, where (v, v  ) is defined as  (v, v  ) : X ∪ X  → R≥0 , (v, v  )(x) = v(x), (v, v  )(x ) = v  (x) Trajectories are then defined similarly to classical timed automata, while acceptance requires a trajectory to start with an initial transition and end with a final transition. Also a reset transition system can be easily constructed for these automata. Note that, at each discrete transition in C(A), (v, v  ) |= ϕ simulates the generalized updating part in the following sense: if we consider that a trajectory is constructed “from left to right”, and we have constructed the trajectory upto some state (q, v), then ϕ,z the extension of this trajectory past transition q −−→ q  is constructed by choosing some values v  = (v1 , . . . , vn ), such that (v, v  ) |= ϕ, and then assigning these values to the respective clocks in X . Of course, if no tuple (v, v  ) can be constructed which satisfies ϕ,z ϕ, then the trajectory cannot be extended past the transition q −−→ q  . We end this section with the formalization of the construction from Figure 2. Given a timed automaton with generalized constraints/updates A = (Q, X , Σ, δ, δ0 , δf ), suppose that there exists a subautomaton B = (Q , X , ∅, δ  , {τ }, {τ  }), where Q ⊆ Q and δ  ⊆ δ is composed only of ε-transitions. Fix further some state in B, s ∈ Q and denote Ts the set of non-ε-transitions of A that enter s, i.e.  ϕ,a  Ts = q −−→ s ∈ δ | a ∈ Σ ϕ ,b

Also take a state in B, q  ∈ Q and some non-ε-transition leaving q  , τ  = q  −−→ s . Suppose further that, for each τ ∈ Ts , there exists a formula in ORDL ψτBτ  = B ψτ τ  (r1 , . . . , rn , t, r1 , . . . , rn , t ) which represents the reachability relation RsB τ τ  . We will call this the ORDL assumption. Then, in each constraint ψτBτ  , apply the following change of variables: ri  → t − xi , ri  → t − xi , t  → t − xtime Hence, the resulting constraint is built as follows:    φB τ τ  (x1 , . . . , xn , xtime , x1 , . . . , xn , xtime ) =

ψτBτ  (t − x1 , . . . , t − xn , t − xtime , t − x1 , . . . , t − xn , t ) (5)  Remark 2. Note that in φB τ τ  the variable t does not occur. This is because all constraints are difference constraints, and therefore t gets canceled everywhere.

Consider then the timed automaton with generalized constraints/updates, A = (Q ∪ {qτBτ  }, X , Σ, δ, δ0 , δf ), in which (recall that τ  ends in s ):

  ϕ∧x :=0,a B  φB ,b ϕ,a τ δ = δ \ Ts ∪ q −−−−time −−−−−→ sτ τ  , sB −τ− −→ s | τ = q −−→ s ∈ Ts , τ   ∈ Ts ττ −  ϕ∧x :=0,a B  φB ,b ϕ,a ττ ∪ q −−−−time −−−−−→ sτ τ  , sB − → sB −→ s ∈ Ts , τ  ∈ Ts  τ τ −−− ττ | τ = q −

126

C. Dima and R. Lanotte

Lemma 1. A is equivalent with A. The proof follows straightforwardly once we prove the ORDL assumption. Note that this lemma removes one “entry point” in the subautomaton B. Therefore, if B is maximal, in the sense that all transitions connecting B with the rest of A are non-ε transitions, then it can be applied iteratively to all the “entry points” in the subautomaton B, until B becomes unreachable from the input states of the resulting timed automaton A. And further, iteratively, to any other maximal subautomaton composed of only εtransitions. Hence, Theorem 1. Any timed automaton with generalized constraints/updates is equivalent with a timed automaton with generalized constraints/updates and with no ε-transition. An example of the application of this procedure for the timed automaton from [10] is given in the technical report [16]. In the following section we prove that the ORDL assumption in the preamble of Lemma 1 holds. To this end, we recall some of the results proved previously on the representation of reachability relations.

4 Representing Reachability Relations on Reset Times in ORDL In [13,15], we have given a characterization of relations of the type Rsτ τ  . We recall here briefly these characterizations, and then prove the ORDL assumption. Definition 2. An n-automaton is a tuple N = (Q, δ, Q∗ , Q1 , . . . , Qn ) in which Q is a finite set of states, δ ⊆ Q × Q is a set of transitions, and for each 1 ≤ i ≤ n, Qi is the accepting component for index i; its elements are called accepting states for index i. Also, Q∗ ⊆ Q is the set of initial states and we assume that for all q∗ ∈ Q∗ , (q∗ , q∗ ) ∈ δ and (q∗ , q) ∈ δ for each q ∈ Qi and each 1 ≤ i ≤ n. An n-automaton accepts a tuple a = (a1 , . . . , an ) ∈ Nn if there exists some run starting in Q∗ for which ai is some index, along the run, where the run passes through some state in Qi . Or, in other words, we put all the components of a on an axis and let the automaton “parse” this axis, unit after unit, signaling when it passes through some set Qi , for some 1 ≤ i ≤ n. More formally, a run is a sequence of states ρ = (qj )j∈{0,...,k} connected by transitions, i.e., (qj−1 , qj ) ∈ δ for all j ∈ {1, . . . , k}, and with q0 ∈ Q∗ . The run is accepting if for each i ∈ {1, . . . , n} there exists some j ∈ {0, . . . , k} such that qj ∈ Qi . Given a = (a1 , . . . an ) ∈ Nn we say that a is accepted by ρ iff qai ∈ Qi for all i ∈ {1, . . . , n}. The accepted language of N is the set of points in Nn accepted by N . For example, consider the following 3-automaton N0

q∗

q1

1

2

q2

q3

q4

1, 2

3

Removing All Silent Transitions from Timed Automata

127

in which Q1 = {q∗ , q3 }, Q2 = {q1 , q3 }, Q3 = {q4 } as suggested by the indices below the respective states. This automaton accepts the 3-tuple (1, 4, 5): the accepting run for it is q∗ → q∗ → q1 → q2 → q3 → q4 . The same run accepts (4, 2, 5) too. These automata represent only tuples of integers, with integers represented in unary. They can be converted to representing sets of real numbers which occur from reachability relations in timed automata with the aid of regions. n An n-region is a nonempty subset R of R≥0 which can be represented with the aid of a constraint of the form 1≤i≤n xi − xj ∈ Iij , where Iij is either a point interval or an open unit interval ]a, a + 1[ with a ∈ Z. We will abuse notation and utilize R both for the region and for its representing constraint. We will denote in the sequel the set of regions in Rn≥0 by Regn . Usually, extra constraints of the form xi − x0 ∈ Ii occur as the part of the conjunct, with the convention that x0 = 0. In this section we will not consider this type of regions, as we are interested in representing only difference constraints and not one-variable constraints – recall that the reset-time semantics of transitions in a timed automaton does not involve one-variable constraints. We will recall our representation of (some) sets of real numbers by n-automata on an example, and then give the general framework. Consider the region R : x = y ∧ x − y  ∈ ]2, 3[ ∧y  − x ∈ ]1, 2[ ∧ x − x ∈ ]3, 4[ We will represent this region with the point dR = (x = 0, y = 0, x = 4, y  = 2), which is one of the vertices of the polyhedron R ∩ (x = 0). But this edge is also an edge in 15 other polyhedra, so, when representing R, the set of points dR needs to be accompanied by some extra information, identifying R among all polyhedra which have dR as an edge. This information is a matrix whose elements are relational symbols in the set {<, =, >}. The idea is that we associate to each pair of variables x1 , x2 , the relational symbol which relates the difference x1 − x2 with the R R difference dR 1 − d2 between the respective components of d .   R R In our case, in R we have x − y ∈ ]2, 3[ and in d we have dR x − dy  = 2, which R means that x − y  > dR x − dy  = 2, which will be the relational symbol corresponding   to row x and column y in the matrix associated with dR is >. Hence, one of our representations of the region R is the tuple (dR , M ) with ⎛ ⎞ | x y x y  ⎜ x | ‘ = ‘ ‘ = ‘ ‘ > ‘ ‘ > ‘⎟ ⎜ ⎟ R   ⎟ d = (x = 0, y = 0, x = 4, y = 2), M = ⎜ ⎜ y | ‘ = ‘ ‘ = ‘ ‘ > ‘ ‘ > ‘⎟ ⎝x | ‘ < ‘ ‘ < ‘ ‘ = ‘ ‘ > ‘⎠ y | ‘ < ‘ ‘ < ‘ ‘ < ‘ ‘ = ‘ In general, we represent a region R = 1≤i≤n xi − xj ∈ Iij with a pair (d, M ) with: 1. d = (d1 , . . . , dn ) ∈ Rn≥0 is one of the vertices of the polyhedron cl(R) ∩ Rn≥0 – here cl(Z) represents the closure of a set of reals.

128

C. Dima and R. Lanotte

2. M is the matrix of relational symbols in {<, =, >}, for which – Mij is ‘ < ‘ if xi − xj < di − dj , – Mij is ‘ = ‘ if xi − xj = di − dj , – Mij is ‘ > ‘ if xi − xj > di − dj . It should be noted that not all matrices of relational symbols are consistent – see [13,15] for details. In the sequel we denote Γn the set of matrices of relational symbols (which introduce consistent constraints). Given a pair (d, M ) like above, the reconstruction of the region represented by (d, M ) is straightforward: ⎧ ⎪{dij } iff Mij is ‘ = ‘ ⎨ Rij = ]dij −1, dij [ iff Mij is ‘ < ‘ (6) ⎪ ⎩ ]dij , dij +1[ iff Mij is ‘ > ‘. We denote [d, M ] the region R constructed as above, and  if D is a set of n-dimensional points with integer coordinates, we denote [D, M ] = {[d, M ] | d ∈ D}. So what remains to do is to extend n-automata such that they accept tuples of the form (d, M ) consisting of a point in Rn≥0 and a matrix of relational symbols. This gives the following definition: Definition 3. An n-region automaton is a tuple R = (Q, δ, Q∗, Q1 , . . . Qn , λ) where Q, δ, Q∗ and Q1 , . . . , Qn bear the same meaning and properties as in n-automata, while λ : Q → Γn is a labeling function, associating with each state a matrix of relational symbols. Additionally, it is required that if (q, q  ) ∈ δ then λ(q) = λ(q  ), and that, for all q∗ ∈ Q∗ , (q∗ , q∗ ) ∈ δ. The notions of run and acceptance are defined as in n-automata. Observe that, by definition, all the states in a run must be labeled with the same n-relation. An accepting run ρ = (qj )0≤j≤k accepts a pair (d, M ) consisting of a tuple d ∈ Rn≥0 and a matrix of relational symbols M ∈ Γn if d is accepted by the underlying n-automaton and λ(qj ) = M for all 0 ≤ j ≤ k. We then say that an n-region automaton R represents some relation on real numbers R ⊆ Rn≥0 if   R= [d, M ] | (d, M ) accepted by R We also denote Reg(R) the union of the regions represented by the n-region automaton. In [13,15], we have proved the following property: Theorem 2. For any timed automaton A, any pair of transitions τ, τ  and any subautomaton B, the reachability relation RsB τ τ  is representable with a (2n + 2)-region automaton, where n is the number of clocks in the given timed automaton. The following result ensures that the ORDL assumption in the preamble of Lemma 1 holds, hence completing the proof of Theorem 1: Theorem 3. Any relation which is representable with some n-region automaton is expressible in the logic ORDL, and the reverse also holds.

Removing All Silent Transitions from Timed Automata

129

Proof. For the direct implication, take R = (Q, δ, Q∗ , Q1 , . . . Qn , λ). Since Reg(R) is closed under union of automata, it suffices to consider the case when each Qi is a singleton, Qi = {qi } for some qi ∈ Q. We will show that for each matrix of relational symbols M ∈ Γn and each reordering η of the first n integers – i.e. bijection η : {1, . . . , n} → {1, . . . , n} – the set of regions represented by accepting runs labeled M and passing through the accepting indices in the order given by η can be represented in ORDL. First, some notation: for a bijection η as above and a tuple of integers d ∈ Nn , by abusing notation, we denote η(d) the tuple η(d) = (dη(1) , . . . , dη(n) ). On the other hand, we say that d respects η if whenever di < dj we must also have η(i) < η(j). Denote then   Dη,M = d ∈ Nm | (η −1 (d), M ) ∈ L(R) and d respects η Remark 3. We may prove that there exist some integer constants αi , βi ∈ N for all 0 ≤ i ≤ n − 1 such that reg Dη,M = D0 ∪ Dη,M where D0 is a finite set of regions and (7)  reg Dη,M = (k0 , k0 + k1 α1 + β1 , . . . , k0 + k1 α1 + β1 + . . . + kn−1 αn−1 + βn−1 )  | k0 , k1 , . . . , kn−1 ∈ N (8)

This remark follows as a corollary of the well-known fact that the set of lengths of words accepted by a finite automaton is an ultimately periodic sequence. Note first that, by definition, (q∗ , q∗ ) ∈ δ for any q∗ ∈ Q∗ , and (q∗ , q) ∈ δ for any q ∈ Q, and therefore the lengths of words connecting states in Q∗ with any other states form a reg periodic sequence with period 1 – this is the reason why, in Dη,M , d1 = k0 for some k0 ∈ N. Then we apply this ultimately-periodic result to the finite automaton R1 which copies the transition relation of R but with initial states q1 and final states q2 , and reg get constants α1 and β1 such that, in Dη,M , d2 − d1 = k1 α1 + β1 for some k1 ∈ N. Then we apply this result further to R2 which is the finite automaton resulting from R with initial states q2 and final states q3 , to get α2 and β2 , and so on. Let us then further observe that, in 8 above, [D0 , M ] can be easily expressed in DL, since it’s a finite disjunction of constraints of the form 1≤i<j≤n (xj − xi ∈ Rij ), where Rij are the intervals defined in Identity 6 above. reg Then Dη,M can be expressed in ORDL as follows: denote first dreg the tuple dreg = (β0 , β0 + β1 , . . . , β0 + β1 + . . . + βn−1 ) Denote Iij the intervals defined as in Identity 6 by the tuple dreg , i.e. Iij = {dij reg } if ij ij ij Mij is ‘ = ‘, Iij =]dij −1, d [ if M is ‘ < ‘ and I =]d , d +1[ if M is ‘ > ‘. ij ij ij reg reg reg reg reg Then the following constraint in ORDL represents Dϕ,M : Φ : ∃k1 ∃k2 . . . ∃kn−1

 1≤i<j≤n



xj − xi ∈ Iij +

j−1  l=i

 kl αl

(9)

130

C. Dima and R. Lanotte

It remains to apply the change of variables η to formula Φ. Since Reg(R) is a finite union of sets of the form [Dη,M , M ], this ends the proof of the direct implication. For the reverse implication, consider some formula Φ in the form 9 as above. Consider some decomposition into regions of the n-dimensional set P0 defined by the formula: 

 Φ0 : xj − xi ∈ Iij 1≤i<j≤n−1

R Observe that, if we denote φR = 1≤i<j≤n−1 (xj − xi ) ∈ Jij the formula defining some region R, then Φ is equivalent, by distributivity, with the following formula: R⊆P0

∃k1 . . . ∃kn−1



 1≤i<j≤n−1

R xj − xi ∈ Jij +

j 

 kl αl

l=i

Recall that, in any ORDL formula, each Iij is bounded. Hence there exist only finitely many distinct regions R ⊆ P0 , which means that the above formula is an ORDL formula. Therefore we only need to treat the case where Φ0 defines an n-dimensional region. So then for each representation (d, M ) of the region Φ0 we need to build an n-automaton for the set of tuples n−1   D = (d1 + k0 , d2 + k0 + k1 α1 , . . . , dn + k0 + kl αl ) | k0 , . . . , kn−1 ∈ N l=1

which is intuitively drawn in Figure 3. α1 −2 intermediary states

q∗

α2 −2 intermediary states

1 2 3 d1 − 1intermediary d2 −d1 −1intermediary states states

αn−1 −2 intermediary states

n

Fig. 3. Representing the set of tuples D with an n-automaton

In Figure 3, the number of arrows between a state labeled i and a state labeled i + 1 must equal di+1 − di . In some cases we might have di+1 − di = 0 – then we put an ε-transition between the state labeled i and the state labeled i + 1. In [13,15,12] we have shown that n-automata with ε-transitions are equivalent with n-automata without ε-transitions. On the other hand, if αi = 0 then we do not draw any circuit on the state labeled i − 1. This ends the proof of the reverse implication of Theorem 3.  

5 Impossibility of Removing ε-Transitions without Generalized Updates In this section we prove that the ε-transitions cannot be removed unless utilizing the generalized constraints and updates we presented in the third section. To this end,

Removing All Silent Transitions from Timed Automata

131

we adapt an example of Choffrut & Goldwurm form [10], where it is proved that εtransitions cannot be removed by using “periodic” constraints. The proof in [10] relies essentially on the hypothesis that timed automata of [10] work on infinite timed words. We show here that this assumption is not necessary, as with ε-transitions we may define a “very thin” language (in the sense of [3]), which cannot be defined without any ε-transition. The working example is from Figure 1; recall that the language of that   automaton is L1reg = t1 a . . . a tn a | ∀1 ≤ i ≤ j ≤ n, i≤k≤j tk ∈ ]j −i, j −i+1[ . For a timed word w = a t1 a . . . a tn a ∈ L1reg , denote pw the point pw = (t1 , t1 + t2 , . . . , t1 + t2 + . . . + tn ) ∈ Rn≥0 . Also denote Rw the n-dimensional region to which pw belongs. Remark 4. For any n ∈ N and any timed word w ∈ L1reg , Rw is characterized1 by the constraint: φ : xj − xi ∈ ]j −i−1, j −i[ with x0 = 0 In other words, for each n ∈ N, L1reg ∩ {w | (w) = n} consists of timed words w whose associated n-dimensional points pw all lie in a single region Rw . Given a timed automaton with generalized constraints/updates, we say that a transition τ resets clocks to 0 if, for any state transition in C(A), (q, v) → (q  , v  ), which is associated with τ , we have that if v  (x)  = v(x) then v  (x) = 0. Proposition 2. The language L1reg cannot be accepted by any timed automaton with generalized constraints, containing transitions only which reset clocks to 0 and without ε-transitions. Proof. The proof idea is that, in any timed automaton (even with generalized constraints), if all clock updates are resets to zero and occur only at the times where the action symbols occur, then there exist two timed words w1 , w2 ∈ L(A) with the same untiming aN , and such that the regions Rw1 and Rw2 are distinct. It would then follow n that RL(A) cannot be a single region, which is the case for L1reg . The main ingredient in this proof is again the normal form of DBMs [4,13,15]. The complete proof can be found in the technical report [16].  

6 Conclusions We have proved that ε-transitions can be removed timed automata if one allows a generalized form of constraints which include also generalized updates to clock values. The result relies on ORDL, a generalization of Difference Logic which captures exactly the reachability relations defined in timed automata. As our extension of Difference Logic is quite restrictive in syntax, we would be interested in results on checking whether “periodic” DL formulas are expressible in ORDL. Another path for research could be to generalize forward and backward propagation algorithms to timed automata using generalized constraints/updates. 1

Here we employ the usual notion of region, involving also the constraint x0 = 0.

132

C. Dima and R. Lanotte

References 1. Alur, R., Dill, D.: A theory of timed automata. Theoretical Computer Science 126, 183–235 (1994) 2. Asarin, E.: Challenges in timed languages. Bulletin of EATCS 83 (2004) 3. Asarin, E., Degorre, A.: Volume and entropy of regular timed languages. HAL Archive no. hal-00369812 (2009) 4. Bellmann, R.: Dynamic Programming. Princeton University Press, Princeton (1957) 5. Bengtsson, J.E., Jonsson, B., Lilius, J., Yi, W.: Partial order reductions for timed systems. In: Sangiorgi, D., de Simone, R. (eds.) CONCUR 1998. LNCS, vol. 1466, pp. 485–500. Springer, Heidelberg (1998) 6. B´erard, B., Diekert, V., Gastin, P., Petit, A.: Characterization of the expressive power of silent transitions in timed automata. Fundamenta Informaticae 36, 145–182 (1998) 7. Bouyer, P., Dufourd, C., Fleury, E., Petit, A.: Are timed automata updatable? In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 464–479. Springer, Heidelberg (2000) ´ Petit, A.: Expressiveness of updatable timed automata. 8. Bouyer, P., Dufourd, C., Fleury, E., In: Nielsen, M., Rovan, B. (eds.) MFCS 2000. LNCS, vol. 1893, pp. 232–242. Springer, Heidelberg (2000) 9. Bouyer, P., Haddad, S., Reynier, P.-A.: Undecidability results for timed automata with silent transitions. Fundamenta Informaticae 92, 1–25 (2009) 10. Choffrut, C., Goldwurm, M.: Timed automata with periodic clock constraints. Journal of Automata, Languages and Combinatorics 5, 371–404 (2000) 11. Comon, H., Jurski, Y.: Timed automata and the theory of real numbers. In: Baeten, J.C.M., Mauw, S. (eds.) CONCUR 1999. LNCS, vol. 1664, pp. 242–257. Springer, Heidelberg (1999) 12. Dima, C.: An algebraic theory of real-time formal languages. PhD thesis, Universit´e Joseph Fourier Grenoble, France (2001) 13. Dima, C.: Computing reachability relations in timed automata. In: Proceedings of the 17th IEEE Symposium on Logic in Computer Science (LICS 2002), pp. 177–186 (2002) 14. Dima, C.: A nonarchimedian discretization for timed languages. In: Larsen, K.G., Niebert, P. (eds.) FORMATS 2003. LNCS, vol. 2791, pp. 161–181. Springer, Heidelberg (2004) 15. Dima, C.: A class of automata for computing reachability relations in timed systems. In: Clarke, E., Tiplea, F.L. (eds.) Proceedings of the NATO Advanced Research Workshop on Verification of Infinite State Systems with Applications to Security (VISSAS 2005). NATO ARW Series (to appear, 2005) 16. Dima, C., Lanotte, R.: Removing all silent transitions from timed automata. Technical Report TR-LACL-2009-6, LACL (2009) 17. Jurski, Y.: Expression de la relation binaire d’accessibilit´e pour les automates a` compteurs ´ plats et les automates temporis´es. PhD thesis, Ecole Normale Sup´erieure de Cachan, France (1999) 18. Mahfoudh, M., Niebert, P., Asarin, E., Maler, O.: A satisfiability checker for difference logic. In: Proceedings of SAT 2002, pp. 222–230 (2002) 19. Ouaknine, J., Worrell, J.: Revisiting digitization, robustness, and decidability for timed automata. In: Proceedings of LICS 2003, pp. 198–207. IEEE Computer Society Press, Los Alamitos (2003)

Realizability of Real-Time Logics Laurent Doyen1 , Gilles Geeraerts1 , Jean-Francois Raskin1 , and Julien Reichert2 1

D´epartement d’Informatique, Universit´e Libre de Bruxelles (U.L.B.) {ldoyen,gigeerae,jraskin}@ulb.ac.be 2 ´ Ecole Normale Sup´erieure de Cachan [email protected]

Abstract. We study the realizability problem for specifications of reactive systems expressed in real-time linear temporal logics. The logics we consider are subsets of MITL (Metric Interval Temporal Logic), a logic for which the satisfiability and validity problems are decidable, a necessary condition for the realizability problem to be decidable. On the positive side, we show that the realizability of LTL extended with past real-time formulas is decidable in 2EXPTIME, with a matching lower bound. On the negative side, we show that a simple extension of this decidable fragment with future real-time formulas leads to undecidability. In particular, our results imply that the realizability problem is undecidable for ECL (Event Clock Logic), and therefore also for MITL.

1 Introduction The satisfiability and model-checking problems for real-time temporal logics have been widely studied since the nineties [4,13]. The main application of these problems is the verification of reactive systems: given a model of the system and of its environment, one can check whether the parallel composition of the two models satisfies a specification given by a real-time logic formula. This well-established procedure applies to closed models obtained when both the system and the environment are fully specified. However, in the design of real-time reactive systems, such a precise model of the reactive system is usually difficult to construct manually; and on the other hand, the environment may be only partially known, especially in the early stages of development. Therefore, it is natural to consider the problem of the automatic synthesis of a behavior policy for the reactive system that would be correct by construction with respect to the specification. This problem is usually formalized as a two-players game, in which Player 1 controls the execution of the system, and Player 2 controls the execution of environment. The specification is encoded as the winning condition for Player 1 in the game. Roughly speaking, the behaviors of Player 1 represent all possible models for the system, and computing a winning strategy for Player 1 amounts to selecting one model which is guaranteed to be correct whatever the environment does. 

Work supported by the projects: (i) Quasimodo: “Quantitative System Properties in Model-Driven-Design of Embedded”, http://www.quasimodo.aau.dk/, (ii) Gasics: “Games for Analysis and Synthesis of Interactive Computational Systems”, http://www.ulb.ac.be/di/gasics/, and (iii) Moves: “Fundamental Issues in Modelling, Verification and Evolution of Software”, http://moves.ulb.ac.be, a PAI program funded by the Federal Belgian Gouvernment.

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 133–148, 2009. c Springer-Verlag Berlin Heidelberg 2009 

134

L. Doyen et al.

In the setting of timed systems, most of the previous works1 have considered games played on deterministic timed automata, whose set of edges is partitioned into those controlled by Player 1 and those controlled by Player 2. The winning condition is a simple safety objective (some set of locations should be avoided, no matter what the environment does), or more generally, an ω-regular objective defined as a parity condition over the locations of the automaton. In this paper, we consider an abstract definition of two-players timed games with a winning condition expressed by a real-time temporal logic formula. Consider a finite set Σ1 of actions controlled by Player 1, and a finite set Σ2 of actions controlled by Player 2. Let ϕ be a real-time temporal logic formula defining a set of timed words over Σ = Σ1 ∪ Σ2 . The timed game is played for infinitely many rounds as follows. In each round, the players announce (simultaneously and independently of each other) a pair (Δ, α) consisting of a delay Δ ∈ R≥0 and an action α from their set of controllable actions. The player who has announced the shortest delay is allowed to play its action after the corresponding delay, and then the next round starts. The outcome of the game is an infinite timed word. Player 1 wins the game if the outcome satisfies the formula ϕ. Note that no game graph needs to be provided in this abstract definition. The problem to decide whether Player 1 has a strategy to win the game regardless of the choices of Player 2 is called the realizability problem, borrowing the terminology introduced for LTL (Linear Temporal Logic) [24]. In a variant of this problem [9], one asks that Player 1 wins without announcing a converging sequence of delays (thus without blocking time), i.e., the outcome has to be either time-diverging and then belong to ϕ, or time-converging and then Player 1 has announced the shortest delay only finitely often. All results in this paper hold for both variants of the realizability problem. As it is easy to show that the realizability problem for a logic is at least as hard as both the satisfiability problem and the validity problem for that logic, we need to consider specifications that are expressible in real-time logics for which these two problems are decidable. One of the most natural way to obtain a real-time logic is to equip the modalities of LTL [23] with real-time constraints. For instance, ♦[a,b] ϕ holds in some position p iff there is a future position p in which ϕ holds, and the time elapsed between p and p is between a and b time units. This extension of LTL is the Metric Temporal Logic (MTL) introduced by Koymans [14]. Unfortunately, it has been shown that the satisfiability problem is undecidable for MTL [5] when interpreted over infinite timed words. However, when prohibiting singular time intervals of the form [a, a], this logic becomes decidable (and is then called Metric Interval Temporal Logic, or MITL) [2]. Another way of obtaining a decidable real-time logic is to extend LTL with new realtime operators, as in the Event Clock Logic (ECL) [26,25,13]. Note that here punctual intervals are allowed. In ECL, the operators I and I are introduced, allowing to speak about the next (resp. last) time a formula will be (was) true. For instance, [a,b] ϕ holds in a position p if there exists a future position p where ϕ holds, the time elapsed between p and p is in [a, b], and ϕ has been false in all positions between p and p . This is to be contrasted with the intuitive meaning of the MTL formula ♦[a,b] ϕ which does not constrain the truth value of ϕ in the interval [0, a). It is known that the expressivity of ECL is subsumed by that of MITL and therefore the satisfiability problem for ECL is decidable [26,25]. Thus, both MITL and ECL are good candidates for the realizability problem. It is a long-standing open question whether realizability is decidable for MITL. 1

With the notable exception of [18] see the ‘related works’ paragraph.

Realizability of Real-Time Logics

135

Surprisingly however, a consequence of our results is that the realizability problem for both ECL and MITL is undecidable. Contributions. This paper provides two main theoretical results about the realizability problem for ECL. First, we show that the realizability problem for ECL is undecidable. This result is surprising as this logic can be translated to recursive event-clock automata [26,25,3], a determinizable class of timed automata. Unfortunately, those automata are only deterministic in a weak sense, as already noted in [17]: while every infinite word has indeed a unique run in an event-clock automaton, it may be that two timed words with a common prefix (say up to position i) have runs with different prefixes (up to position i). This is due to the fact that runs in event-clock automata constrain their future by using prophecy clocks. While weak determinism is sufficient to ensure closure under complement for example, our undecidability result formally shows that this notion of determinism is not sufficient to obtain an algorithm for the realizability problem. As ECL is a subset of MITL, this result immediately entails the undecidability of the realizability problem for MITL. Second, we show that LTL extended with the past fragments of ECL (called henceforth LTL ), has a decidable realizability problem. We provide a translation of this real-time extension of LTL to classical Alur-Dill deterministic timed automata [1]. Using this translation, we obtain a 2EXPTIME algorithm for the realizability problem, and a matching lower bound since the problem is already 2EXPTIME-hard for LTL. Related Works. As already mentioned, there have been several previous works about timed games, see for instance [20,7]. In those works, the objectives are specified by deterministic timed automata. We focus here on related works where real-time logics have been used to define the objective of the timed game. In [18], a decidability result is obtained for the realizability problem of bounded-response properties which are expressible a fragment of MTL with future operators. The result holds under the a bounded-variability semantics, i.e., the number of events per time unit is bounded by a constant. In our case, we do not need this hypothesis. Note that under boundedvariability semantics, the full MITL can be translated to deterministic timed automata. In [17], the past fragment of MITL is translated into deterministic timed automata. The logics there are interpreted over finite signals for the purpose of monitoring while our logics are interpreted over infinite timed words for the purpose of realizability. The past fragment of MITL is incomparable with the logic LTL for which we have the decidability result. Note that over finite words, the satisfiability problem for MTL is decidable [21]. Unfortunately, the synthesis problem is in general undecidable even on finite words, but becomes decidable when the resources of the controller are bounded [6]. Remark. Due to lack of space, the proofs are omitted but can be found in the full version of the paper [11].

2 Preliminaries An interval is a nonempty convex subset of the set R≥0 of nonnegative real numbers. Intervals may be left-open or left-closed; right-open or right-closed; bounded or unbounded. An interval has one of the following forms: [a, b], [a, b), [a, ∞), (a, b], (a, b),

136

L. Doyen et al.

(a, ∞), with endpoints a, b ∈ N and a ≤ b. A word over a finite alphabet Σ is a (finite or infinite) sequence w = w0 w1 . . . of symbols wi ∈ Σ. We denote by |w| the length of w, i.e., the number of symbols in w. A timed word over Σ is a pair θ = (w, τ ) where w is a word over Σ, and τ = τ0 τ1 . . . is a sequence of length |w| of time values τi ∈ R≥0 such that τi ≤ τi+1 for all 0 ≤ i < |w|. We often denote a timed word (w, τ ) as a sequence (w0 , τ0 )(w1 , τ1 ) . . . of symbols paired with their time stamp. An infinite timed word θ = (w, τ ) is diverging if for all t ∈ R≥0 , there exists a position i ∈ N such that τi ≥ t. Automata formalisms. We first define automata on (untimed) words. A (nondeterministic) finite automaton over a finite alphabet Σ is a tuple A = (Q, qin , E, α) where Q is a finite set of states, qin ∈ Q is the initial state, E ⊆ Q × Σ × Q is a set of transitions, and α is an acceptance condition on transitions. We consider two kinds of acceptance conditions: the generalized B¨uchi condition when α ⊆ 2E is a set of sets of transitions, and the parity condition with d priorities when α : E → {0, 1, . . . , d}.2 The automaton A is deterministic if for all states q and all symbols σ ∈ Σ, there exists (q, σ, q  ) ∈ E for exactly one q  ∈ Q. A run of a finite automaton A over a word w is a sequence q0 w0 q1 w1 q2 . . . such that q0 = qin and (qi , wi , qi+1 ) ∈ E for all 0 ≤ i < |w|. For finite runs r, we denote by Last(r) the last state in r, and for infinite runs r, we denote by Inf(r) the set of transitions occurring infinitely often in r. An infinite run r is accepting according to the generalized B¨uchi condition α if for all sets of edges F ∈ α, Inf(r) ∩ F

= ∅. An infinite run r is accepting according to the parity condition α if min{α(e) | e ∈ Inf(r)} is even. The language defined by a finite automaton A, noted L(A), is the set of infinite words on which A has an accepting run. We next define timed automata over infinite timed words [1]. Let X be a finite set {x1 , x2 , . . . , xn } of variables called clocks. An atomic clock constraint is a formula of the form x ∈ I where I is an interval with integer endpoints (and possibly unbounded). A guard is a boolean combination of atomic clock constraint. We denote by Guards(X) the set of all guards on X. A valuation for the clocks in X is a function v : X → R≥0 . We write v |= g whenever the valuation v satisfies the guard g. For R ⊆ X, we write v[R := 0] for the valuation that assigns 0 to all clocks x ∈ R, and v(x) to all clocks x

∈ R. For t ∈ R≥0 , we write v + t for the valuation that assigns the value v(x) + t to each clock x ∈ X. A timed automaton over alphabet Σ and clocks X is a tuple A = (Q, qin , E, α) where Q is a finite set of states, qin ∈ Q is the initial state, E ⊆ Q × Σ × Guards(X) × 2X × Q is a set of transitions, and α is an acceptance condition, either a generalized B¨uchi condition if α ⊆ 2E , or a parity condition with d priorities if α : E → {0, 1, . . . , d}. The timed automaton A is deterministic if for every state q and valuation v, for all σ ∈ Σ, there exists at most one transition (q, σ, g, R, q  ) ∈ E such that v |= g. A timed run r of a timed automaton A over a timed word (w, τ ) is an infinite sequence (q0 , v0 )(w0 , τ0 )e0 (q1 , v1 )(w1 , τ1 )e1 . . . such that (i) q0 = qin , (ii) v0 (x) = 0 for all x ∈ X, and (iii) for all positions i ≥ 0, ei = (qi , wi , g, R, qi+1 ) ∈ E is such that vi + τi − τi−1 |= g and vi+1 = (vi + τi − τi−1 )[R := 0] (assuming τ−1 = 0). The definition of accepting timed run is adapted from the untimed case. The timed language 2

Acceptance conditions on transitions can be easily transformed into acceptance conditions over states by doubling the state space of the automaton for the generalized B¨uchi condition and by taking d copies of the state space for the parity condition.

Realizability of Real-Time Logics

137

of a timed automaton A, is the set L(A) of timed words on which A has an accepting timed run. Real-time logics. We consider the logic ECL (Event Clock Logic) and some of its fragments [25,26,13]. ECL is an extension of LTL with two real-time operators: the history operator I ϕ expressing that ϕ was true for the last time t time units ago for some t ∈ I, and the prediction operator I ϕ expressing that the next time ϕ will be true is in t time units for some t ∈ I. Given a finite alphabet Σ, the syntax of ECL is the following: ϕ ∈ ECL ::= a | ¬ϕ | ϕ ∨ ϕ | ϕ S ϕ | ϕ U ϕ | I ϕ | I ϕ where a ∈ Σ and I is an interval. The models of an ECL formula are infinite timed words. A timed word θ = (w, τ ) satisfies a formula ϕ ∈ ECL at position i ∈ N, written θ, i |= ϕ, according to the following rules: if ϕ = a, then wi = a; if ϕ = ¬ϕ , then θ, i

|= ϕ ; if ϕ = ϕ1 ∨ ϕ2 , then θ, i |= ϕ1 or θ, i |= ϕ2 ; if ϕ = ϕ1 S ϕ2 , then there exists 0 ≤ j < i such that θ, j |= ϕ2 and for all j < k < i, θ, k |= ϕ1 ; – if ϕ = ϕ1 U ϕ2 , then there exists j > i such that θ, j |= ϕ2 and for all i < k < j, θ, k |= ϕ1 ; – if ϕ = I ϕ , then there exists 0 ≤ j < i such that θ, j |= ϕ , τi − τj ∈ I, and for all j < k < i, θ, k

|= ϕ ; – if ϕ = I ϕ , then there exists j > i such that θ, j |= ϕ , τj − τi ∈ I, and for all i < k < j, θ, k

|= ϕ ;

– – – –

When θ, 0 |= ϕ, we simply write θ |= ϕ and we say that θ satisfies ϕ. We denote by [[ϕ]] the set {θ | θ |= ϕ} of models of ϕ. Finally, we define the following shortcuts: true ≡ a ∨ ¬a with a ∈ Σ, false ≡ ¬true, ϕ1 ∧ ϕ2 ≡ ¬(¬ϕ1 ∨ ¬ϕ2 ), ϕ1 → ϕ2 ≡ ¬ϕ1 ∨ ϕ2 , ♦ϕ ≡ true U ϕ,  ϕ ≡ ϕ ∧ ¬♦(¬ϕ),  ϕ ≡ false U ϕ,  ϕ ≡ false S ϕ, and ♦- ϕ ≡ true S ϕ. We also freely use notations like ≥ x to denote the interval [x, ∞), or < x for [0, x), etc. in the  and  operators. Then, we define two fragments of ECL. PastECL is the fragment of ECL where the temporal operators speak about the past only. A formula ϕ of ECL is in PastECL if there is no occurrence of I ϕ1 and ϕ1 U ϕ2 in the subformulas of ϕ. LTL is an extension of LTL [23] with the I operator from ECL, with the restriction that only formulas of PastECL appear under the scope of a I . A formula ψ of ECL is in LTL if (i) when I ϕ1 is a subformula of ψ, then ϕ1 ∈ PastECL, and (ii) there is no I ϕ1 in the subformulas of ψ. Formally, ϕ ∈ PastECL ::= a | ¬ϕ | ϕ ∨ ϕ | ϕ S ϕ | I ϕ ψ ∈ LTL ::= a | ¬ψ | ψ ∨ ψ | ψ S ψ | ψ U ψ | I ϕ The truth value of a formula ϕ of PastECL at a position i in a timed word θ depends only on the events of θ at positions j, with 0 ≤ j ≤ i. On the other hand, a formula of LTL may speak about the future of a word, but not in an timed fashion, i.e., only using the (untimed) U operators.

138

L. Doyen et al.

Example 1. – ϕ1 ≡ (c → (2,3) a) is a formula of ECL (but neither of LTL , nor of PastECL), saying that  every c is followedby an a, between 2 and 3 time units. – ϕ2 ≡  c → (2,3) (a ∧  b) is a formula of LTL (but not of PastECL) saying that every c has to be preceded, between 2 and 3 time units before, by an a directly precede by a b. – ϕ3 ≡ a ∧ (2,3) c is a PastECL formula that holds in all positions where an a occurs preceded, between 2 and 3 time units before, by a c. Timed games and realizability. A timed game is a tuple G = Σ1 , Σ2 , W  where Σj is the finite alphabet of Player j (j = 1, 2), Σ1 ∩ Σ2 = ∅, and W is a set of timed words over Σ1 ∪ Σ2 , called the winning condition for Player 1. Timed games are played as in [9] but with a trivial game structure. A timed game is played for infinitely many rounds as follows. In round i (i ≥ 0), Player 1 chooses a time delay Δi1 ∈ R≥0 and an action αi1 ∈ Σ1 , while independently and simultaneously, Player 2 chooses a time delay Δi2 ∈ R≥0 and an action αi2 ∈ Σ2 . Then, a play in G is a timed word (w0 , τ0 )(w1 , τ1 ) . . . over Σ1 ∪ Σ2 such that for all i ≥ 0 (assuming τ−1 = 0), τi = τi−1 + min{Δi1 , Δi2 } and either wi = αi1 and Δi1 ≤ Δi2 , or wi = αi2 and Δi2 ≤ Δi1 . Note that there can be several plays produced by a given sequence of choices of the players, namely if Δi1 = Δi2 for some i. We say that Player j plays first in round i if αi = αij , and we denote by Blameless 1 the set of timed words over Σ1 ∪ Σ2 that contain only finitely many letters from Σ1 . A timed word θ is winning for Player 1 if θ ∈ W . Let td be the set of diverging timed words on Σ1 ∪ Σ2 . A timed word θ is td-winning for Player 1 if θ ∈ WC1 (W ) = (W ∩ td ) ∪ (Blameless 1 \ td ), i.e., Player 1 wins because the word is diverging and belongs to W , or because Player 2 is responsible for the convergence of time. A strategy for player j is a function π that maps every finite timed word θ = (w0 , τ0 )(w1 , τ1 ) · · · (wn , τn ) to a pair (Δj , αj ), where Δj ∈ R≥0 and αj ∈ Σj . A play (w0 , τ0 )(w1 , τ1 ) . . . is consistent with π (for player j) if for all i ≥ 0, either π((w0 , τ0 )(w1 , τ1 ) · · · (wi , τi )) = (wi+1 , τi+1 − τi ), or wi+1 ∈ Σ3−j and Δj ≥ τi+1 − τi where (Δj , ·) = π((w0 , τ0 )(w1 , τ1 ) · · · (wi , τi )). We denote by Outcomej (G, π) the set of all plays in G that are consistent with π. A strategy π for player 1 is winning (resp. td-winning) for player 1 if Outcome1 (G, π) contains only winning (resp. td-winning) plays. Finally, given a strategy π1 for Player 1 and a strategy π2 for Player 2, let Outcome (G, π1 , π2 ) denote the set of all possible plays in G that are consistent with π1 and π2 . Note that Outcome (G, π1 , π2 ) is not necessarily a singleton since there is nondeterminism in the game when the same delay is proposed by the two players. The realizability problem (resp. td-realizability problem) for a logic L is to decide, given two finite sets Σ1 , Σ2 and a formula ϕ ∈ L over Σ1 ∪ Σ2 , whether Player 1 has a winning (resp. td-winning) strategy in the timed game Σ1 , Σ2 , [[ϕ]]. Example 2. Consider the game Ge = Σ1 , Σ2, [[ϕe ]], where Σ1 = {a, b}, Σ 2 =   {c, d} and ϕe ≡ ϕH → ϕC where ϕH ≡  c → ( ¬c) ∨ (¬c) U a and     ϕC ≡  c → ♦a ∧ a → (¬ ♦- c ∨ (2,3) c) . In this game, Player 2 makes

Realizability of Real-Time Logics

139

requests by playing c’s, and Player 1 has to acknowledge the request by outputting a’s. The assumption ϕH prevents Player 2 to issue a second request before the first one has been acknowledged. On the other hand, the condition ϕC forces Player 1 to acknowledge every request within 2 to 3 time units. Moreover, Player 1 can play b’s and Player 2 can play d’s freely. In this game, Player 1 has a td-winning strategy but no winning strategy: every time a c is played at time tc , Player 1 proposes to play (a, 2.5 − (t − tc )) at every time stamp t until an a has been played. More precisely, for a prefix θ = (w, τ ) of length : π(θ) = (a, 2.5 − (τ ( − 1) − τ (i))) if there exists i < − 1 such that w(i) = c and w(j)

= a for all i < j ≤ − 1. Otherwise, π(θ) = (b, 1). Thus, either Player 1 eventually plays first and an a is played 2.5 time units after the c. Or Player 1 never plays first again, and Player 2 is blocking the time. In both case, this is a td-winning play for Player 1. However, this is not a winning play, and there cannot be any winning play for Player 1, since she cannot prevent Player 2 from blocking the time after a c has been played. Lossy 3–counter machines. A deterministic lossy 3–counter machine (3CM) [16] is a tuple M = c1 , c2 , c3 , Q, qin , δ where c1 , c2 , and c3 are three nonnegative counters, Q is a finite set of states, qin ∈ Q is the initial state, and δ : Q → I is the transition function where I is a finite set of instructions of the form ci ++; goto q or if ci

= 0 then ci −−; goto q else goto q  or halt, for i ∈ {1, 2, 3} and q, q  ∈ Q. A configuration of a 3CM M is a tuple γ = (q, ν 1 , ν 2 , ν 3 ) where q ∈ Q and ν 1 , ν 2 , ν 3 ∈ N are the valuations of the counters. Let size (γ) = ν 1 +ν 2 +ν 3 . A configuration γ2 = (q2 , ν21 , ν22 , ν23 ) is a lossy successor of a configuration γ1 = (q1 , ν11 , ν12 , ν13 ), written γ1 →M γ2 , if: either (i) δ(q1 ) = ci ++; goto q2 , 0 ≤ ν2i ≤ ν1i + 1 and for all j ∈ {1, 2, 3} \ {i}: ν2j ≤ ν1j : or (ii) δ(q1 ) = if ci

= 0 then ci −−; goto q2 else goto q, ν1i

= 0, 0 ≤ ν2i ≤ ν1i − 1 and for all j ∈ {1, 2, 3} \ {i}: 0 ≤ ν2j ≤ ν1j ; or (iii) δ(q1 ) = if ci

= 0 then ci −−; goto q else goto q2 , ν1i = ν2i = 0 and for all j ∈ {1, 2, 3} \ {i}: 0 ≤ ν2j ≤ ν1j . In particular, for δ(q) = halt, the configurations with location q have no successor. An infinite run of a 3CM M is an infinite sequence ρ = γ0 , γ1 , . . . , γi , . . . of configurations of M such that γ0 = (qin , 0, 0, 0) is the initial configuration and γi →M γi+1 for all i ≥ 0. We say that ρ is space-bounded if there exists k ∈ N such that for all j ≥ 0, size (γj ) ≤ k. For a bounded run ρ, we denote the smallest such k by bound (ρ). We denote by runs∞ B (M ) the set of infinite spacebounded runs of M . The repeated reachability problem is to decide if runs∞ B (M ) = ∅ for a given 3CM M , and it is undecidable. Theorem 1 ([16]). The repeated reachability problem for 3CM is undecidable.

3 ECL Realizability Is Undecidable We present a reduction of the repeated reachability problem of 3CM to ECL realizability, showing that the realizability problem for ECL is undecidable. To present our  reduction,  consider a 3CM M = c1 , c2 , c3 , Q, qin , δ, and a configuration γ = q, ν 1 , ν 2 , ν 3 of M . We encode runs and configurations as timed words over the

140

L. Doyen et al.

alphabet ΣEnc = {a, b1 , b2 , b3 , tick} ∪ Q. The configuration γ is encoded as a word 1 2 3 of the form tick q aν b1 a∗ tick aν b2 a∗ tick aν b3 a∗ (time stamps omitted). The number of a’s occurring between a tick and the bi encodes the value of the ith counter (note that the a’s after bi have no influence on the value of the counters). An infinite bounded run ρ of M is encoded as an infinite sequence of such words, one for each configuration of the run. We require that the total number of a’s in each encoding of a configuration does not increase along the run ρ. This requirement is sound since we consider only bounded runs. For instance, if we encode the initial configuration by having bound (ρ) a’s after each bi , then we are sure to be able to encode the whole run. Moreover, decreasing the total number of a’s can only decrease the counter values which corresponds to the lossy semantics of the machine. Finally, the operations on the counters can be implemented as follows: decrementing (resp. incrementing) counter ci can be done by switching bi with the first a on its left (resp. right). If there is no such a, then the counter cannot be decremented (resp. incremented). We give the conditions that an infinite timed θ = (w, τ ) word has to satisfy to encode a run γ0 , γ1 , . . . , γi , . . . of M . In the sequel, we denote wi by w(i) and τi by τ (i). The first condition constrains w, the untimed part of θ: ω

C1 w ∈ (tick · Q · a∗ · b1 · a∗ · tick · a∗ · b2 · a∗ · tick · a∗ · b3 · a∗ )

For θ = (w, τ ) satisfying C1, for k ≥ 0 and i ∈ {1, 2, 3}, let ptki be the position of the 3k + ith tick in w and pbki is the position of the k + 1st bi in w. Thus, ptk1 is the first position in the encoding of γk . Then, C2 and C3 constrain the time stamps of the letters: C2 The first tick appears as the first event: pt01 = 0, and a tick corresponds to one time unit: for every k ≥ 0, for i ∈ {1, 2, 3}: τ (ptki ) = τ (0) + 3k + (i − 1). C3 The states of M appear 0 time units after the preceding tick: for any j ≥ 0: w(j) ∈ Q implies that τ (j) = τ (j − 1). Then, for all k ≥ 0, the subword of θ with time stamps in the interval [τ (0)+3k, τ (0)+ ∗ ∗ ∗ ∗ 3k + 3) is of the form a∗ b3 a∗ and encodes  tick Q a bt11 a tick1 a bb21 a tick t1 1 2 3 γk = qk , νk , νk , νk with qk = w(pk + 1), νk = pk − pk − 2, νk2 = pbk2 − ptk2 − 1 and νk3 = pbk3 − ptk3 − 1. Thus, θ encodes the infinite sequence γ0 , γ1 , . . . , γi , . . . of configurations, yet this sequence is not necessarily a run of M , as we need to enforce the semantics of M . This is the purpose of conditions C4 through C7 given below. Condition C4 ensures that the first encoding corresponds to the initial configuration of M . Conditions C5, C6 and C7 encode the lossy semantics of the machine. In particular, it is important to observe how the relation between two successive values of a given i counter, say νki and νk+1 can be encoded as a relation between the time stamps of the bi ’s that appear in the encodings of γk and γk+1 . More precisely, conditions C6 and C7 ensure that for every k ≥ 1, every a or bi in the encoding of γk is matched by one a or bi exactly three time units before in the encoding of γk−1 . As a consequence, i the total number of a’s does not increase along the run, and the values νki and νk+1 of counter i in two successive configurations can be related by comparing the time stamps i of the bi ’s. For instance, if we want νk+1 ≤ νki , then the bi in the k + 1st configuration

Realizability of Real-Time Logics

141

must appear at most three time units later than the bi in the kth configuration, i.e., i τ (pbk+1 ) ≤ τ (pbki ) + 3, and so forth. C4 The first portion of the word corresponds to the encoding of the initial configuration of M : w(0) = tick, w(1) = qin , and ν01 = ν02 = ν03 = 0. C5 The time stamps of bi are chosen according to the semantics of the machine. For all i k ≥ 0: δ(qk )

= halt and: (i) δ(qk ) = ci ++; goto q  implies that τ (pbk+1 − 1) ≤ bi   τ (pk ) + 3 and qk+1 = q ; (ii) δ(qk ) = if ci

= 0 then ci −−; goto q else goto q  bi i  and νk = 0 implies that qk+1 = q and τ (pk+1 ) ≤ τ (pbki ) + 3; and (iii) δ(q) = if ci

= 0 then ci −−; goto q  else goto q  and νki

= 0 implies that qk+1 = q  and bi bi τ (pk+1 ) < τ (pk ) + 3. C6 All a’s and b’s are separated by a strictly positive time delay: for all j ≥ 1, w(j) ∈ {a, b1 , b2 , b3 } implies that τ (j − 1) < τ (j). C7 Every a or bi that appears in θ after time stamp τ (0) + 3, i.e., in the encoding of γk with k ≥ 1, is matched by an a or bi exactly three time units before, i.e., in γk−1 . For all j ≥ 1, if w(j) ∈ {a, b1 , b2 , b3 } and τ (j) ≥ τ (0) + 3, then there exists i < j such that w(i) ∈ {a, b1, b2 , b3 } and τ (i) = τ (j) − 3. It is straightforward to see that a word θ satisfying conditions C1-C7 encodes a run ρθ ∈ runs∞ B (M ). Lemma 1. Let M be a 3CM and θ be an infinite timed word that satisfies C1-C7. Then, θ encodes a run γ0 , γ1 , . . . , γi , . . . ∈ runs∞ B (M ). On the other hand, a run ρ of M can be encoded by a timed word EncComp (ρ) that satisfies C1-C7. Let κ = bound (ρ). For t ∈ R≥0 and v ∈ N with v ≤ κ, let EncVal (v, κ, t) = (a, t1 ) · · · (a, tv ) (b, tv+1 ) (a, tv+2 ) · · · (a, tκ+1 ) where, any γ =  1 for  1 ≤ i ≤ κ + 1: ti = i/(κ + 2). For a configuration  1 q, ν , ν 2 , ν 3 , let EncConf (γ, b, t) = (tick, t)(q, t) · EncVal ν , κ, t · (tick, t+   3  1 1) · EncVal ν , κ, t + 1 · (tick, t + 2) · EncVal ν , κ, t + 2 . Finally, for ρ = γ0 , γ1 , . . . , γj , . . . ∈ runs∞ B (M ), let EncComp (ρ) be the infinite concatenation of the EncConf (γj , bound (ρ) , 3j) for j ≥ 0. Lemma 2. Let M be a 3CM. For all ρ ∈ runs∞ B (M ), the timed word EncComp (ρ) satisfies C1-C7. Corollary 1. Let M be a 3CM. There exists a timed word θ satisfying C1-C7 if and only if runs∞ = ∅. B (M )

We have thus reduced the repeated reachability problem for 3CM to the satisfiability of conditions C1-C7. Since the satisfiability problem for ECL is decidable, it is not possible to construct an ECL formula whose semantics is equivalent to conditions C1-C7. In fact, only C7 cannot be expressed in ECL. For the other conditions, we propose the Encoding  formula given below, where AB denotes (a ∨ b1 ∨ b2 ∨ b3 ), and Q denotes q∈Q q .

142

L. Doyen et al.

Encoding ≡

  tick ∧ =0 q0 ∧  b1   ∧ =1 tick ∧  b2   ∧ =2 tick ∧  b3 ∧  (tick → =1 tick) ∧  (Q → ( tick ∧ =0 tick ∧ =3 Q))   ∧  (b1 ∨ b2 ∨ b3 ) → (¬b1 ∧ ¬b2 ∧ ¬b3 ) U tick   ∧  b1 → (¬b1 ∧ ¬b3 ) U b2   ∧  b2 → (¬b1 ∧ ¬b2 ) U b3   ∧  b3 → (¬b2 ∧ ¬b3 ) U b1 ∧  ((AB ∨ Q ∨ tick) → >0 (AB ∨ tick)) ∧  instr (q)

(1) (2) (3) (4) (5) (6) (7) (8) (9) (10) (11)

q∈Q

where, for q ∈ Q, the formula instr (q) is defined as follows: 1. If δ(q) = i++; goto q  , then: ⎛⎛ instr (q) ≡ q → =3 q  ∧ ⎝⎝inci ∧



⎞

⎛

keepj ⎠ ∨ ⎝



⎞⎞ keepj ⎠⎠

2. If δ(q) = if i

= 0 then i−−; goto q  else goto q  , then: ⎛ ⎞ instr (q) ≡ (q ∧ isnulli ) → ⎝=3 q  ∧ keepj ⎠ j

⎛

(12)

j

j =i

∧ (q ∧ ¬isnulli ) → ⎝=3 q  ∧ deci ∧



(13) ⎞ keepj ⎠

(14)

j =i

3. If δ(q) = halt, then: ⎛ instr (q) ≡  ⎝



⎞ ¬q ⎠

(15)

q∈Q

The formulas deci, inci and keep   i are defined as follows. For  i ∈ {1, 2, 3}: dec i ≡ <3 bi ∧ <3 bi ; inci ≡ <3 bi ∧  a ∧ ≤3 (a ∧  bi ) ; and keepi ≡ <3 bi ∧ ≤3 bi . Finally, isnull1 ≡ (¬a) U b1 and for i = 2, 3: isnulli ≡ =i-1 (¬a) U bi . It is easy to see that Encoding corresponds to conditions C1-C6: Lemma 3. For all timed words θ, θ ∈ [[Encoding]] if and only if θ satisfies C1-C6. Corollary 2. Let M be a 3CM. There exists a timed word θ ∈ [[Encoding]] satisfying C7 if and only if runs∞ = ∅. B (M )

Realizability of Real-Time Logics

143

To conclude the proof that ECL realizability is undecidable, we show how timed games can be exploited to check whether there exists a timed word θ that satisfies Encoding and C7, and hence whether runs∞ = ∅. The game we consider is B (M )

GM = ΣEnc , {c}, [ ϕM ]], and we show that Player 1 has a winning strategy in GM iff runs∞ = ∅. Before we formally define ϕM , we give some intuition. In this B (M )

game, we use the winning condition ϕM to force Player 1 to faithfully simulate M by satisfying conditions C1-C7. Note that Player 1 controls the full alphabet of the configuration’s encoding. However, by Lemma 3 defining ϕM = Encoding is not sufficient: Player 1 could cheat by inserting extra a’s in the play, in order to increase the values of the counters. We use the game interaction with Player 2 to force condition C7. Using action c, Player 2 will be given the possibility to check that Player 1 does not increase the counters as follows. First, Player 2 is allowed to play at most one c, and only exactly 0 time unit after an a or a bi . In this case, we say that Player 2 performs a check, and the meaning of this c is to pinpoint a particular a or bi in the word that should correspond to a previous a or bi three time units before, as stated in C7. If it is not the case, then we say that Player 2 has detected an error, and thus C7 is violated. Hence, the second ingredient is to let Player 1 loose whenever an error is detected, i.e. when a c appears right after an a or a bi that is not preceded exactly three time units before by a corresponding a or bi . These constraints on the number and positions of the c’s and on the detection of the errors turn out to be expressible in ECL. By combining these constraints with Encoding, we obtain ϕM ≡ Hyp → Goal where:         Hyp ≡  c → =0 AB ∧ ¬c ∧ ≥3 c ∨  ¬c ∧  c → (¬c) ensures that Player 2 performs the checks right after an a or a bi has been produced, not in the first configuration, and at most once. Moreover we let Goal ≡ Encoding ∧Check, with Check ≡ ♦c → ♦ (AB ∧ =3 c). Goal ensures that Player 1 generates a word that satisfies conditions C1-C6, and that she loses whenever she cheats: whenever she plays an a or a bi that is not preceded by a corresponding a or bi exactly three time units before, Player 2 can play a c (provided that she hasn’t played a c before) that will falsify Check, and thus ϕM . Let us show there is a winning strategy in GM = ΣEnc , {c}, [ Hyp → Goal]] for Player 1 iff runs∞ = ∅. The ‘if’ direction is easy, since Player 1 can play acB (M )

cording to EncComp (ρ), for any ρ ∈ runs∞ B (M ). Indeed, since EncComp (ρ) satisfies condition C7, Player 2 will never detect an error. Proposition 1. Let M be a 3CM. If runs∞ = ∅, then Player 1 has a winning B (M )

strategy in the timed game GM = ΣEnc , {c}, [ Hyp → Goal]]. Let us finally show that, if Player 1 has a winning strategy, then runs∞ = ∅. The B (M )

idea of the proof is as follows. We first observe that, by definition of ϕM , Player 1 can win the game if Player 2 does not satisfy Hyp or if she decides to check an a or a bi which is preceded by an a or a bi three time units before (then Player 2 cannot make further checks, which leaves to Player 1 the ability to cheat in the rest of the play). In this case Player 1 wins without having to faithfully simulate M . Of course, Player 2 has a better strategy to choose the action c exactly 0 time unit after the first wrong a or bi has been issued. Since Player 1 has to win when Player 2 plays in this way, a

144

L. Doyen et al.

winning strategy for Player 1 has to ensure that Goal holds, i.e. that Encoding and C7 are satisfied, thus faithfully simulating an infinite run of M . In other words, we consider a strategy StratEnc for Player 2 that forces Player 1 to play according to Encoding and C7. Given a strategy π1 for Player 1, define StratEnc as follows: for every finite prefix θ = (w, τ ) of length , let StratEnc(θ) = (c, 0) (i.e., Player 2 is detecting an error) if and only if (i) w( − 1) ∈ {a, b1 , b2 , b3 }, (ii) τ ( − 1) ≥ 3, (iii) there is no k < − 1 such that τ ( − 1) − τ (k) = 3 and w(k) ∈ {a, b1 , b2 , b2 }, and (iv) there is no k  < such that w(k  ) = c; otherwise, we let StratEnc(θ) = (c, Δ + 1) where Δ is the time delay proposed by Player 1 when she plays according to π1 , i.e., π1 (θ) = (α, Δ) for some α ∈ ΣEnc . The next lemma says that, against strategy StratEnc for Player 2, a winning strategy of Player 1 produces a play satisfying Goal and C7. Lemma 4. Let π1 be a winning strategy for Player 1 in GM . Then, for all plays θ ∈ Outcome (GM , π1 , StratEnc): θ |= Goal and θ satisfies C7. Proposition 2. Let M be a 3CM. If Player 1 has a winning strategy in GM , then runs∞ = ∅. B (M )

By Theorem 1 and Proposition 1 and 2 we obtain the following result. Theorem 2. The realizability problem for ECL is undecidable. It is easy to extend this undecidability result to the td-realizability problem for ECL, since the winning strategy presented in the proof of Proposition 1 is also winning for WC1 ([[φM ]]), and against strategy StratEnc for Player 2, a winning strategy of Player 1 for WC1 ([[φM ]]) also produces plays that satisfy C7. Theorem 3. The td-realizability problem for ECL is undecidable.

4 Positive Result on LTL In this section we show that the realizability problem is decidable for the syntactic fragment LTL . More precisely, we present an algorithm to solve the realizability and td-realizability problems for LTL . Given a timed game G = Σ1 , Σ2 , [[ψ]] for ψ ∈ LTL , the main idea of the algorithm consists in building a deterministic timed automaton with parity condition Dψ that accepts exactly the winning words for Player 1, i.e., L(Dψ ) = WC1 ([[ψ]]). This automaton can then be used to build a winning strategy for Player 1 (if it exists), using the techniques of [9]. First observe that we do not need to remember the exact time stamps of every event in a timed word to evaluate the truth value of a formula ψ of LTL . Indeed, there are only finitely many subformulas of the form I ϕ in ψ, and these are the only real-time formulas. Intuitively, we can thus consider ψ as an LTL formula over the augmented alphabet Σ × 2P where P is a set of proposition that tracks the truth values of the I ϕ subformulas. Such untimed words are called Hintikka sequences of ψ, and we first show that we can build a nondeterministic finite automaton Aψ with generalized B¨uchi condition that accepts those Hintikka sequences. After determinization of Aψ (giving Bψ ), we translate Bψ into a deterministic timed automaton Cψ with parity condition,

Realizability of Real-Time Logics

145

by relating the truth value of the propositions that track the subformulas I ϕ with the value of clocks of the automaton. We get L(Cψ ) = [[ψ]]. For td-realizability, we use the construction of [9] to construct a deterministic timed automaton Dψ that accounts the time-diverging condition on timed words. Thus, L(Dψ ) = WC1 ([[Ψ ]]). The automaton Dψ can be used to extract a td-winning strategy for Player 1, and the automaton Cψ to extract a winning strategy for Player 1 [9]. The automaton Cϕe of the formula ϕe of Example 2 is given in Fig. 1. a, b, c, d a, b, c, d

4 a, x

∈ (2, 3)

a, b, d 1

5 c

c x := 0

a, x

∈ (2, 3) a, x ∈ (2, 3)

2 b, d

3

c x := 0

b, d

a, x ∈ (2, 3)

Fig. 1. A deterministic parity timed automaton for ϕe . States 1, 3, 4 have priority 0, and states 2, 5 have priority 1.

An Hintikka sequence of a formula ψ is an (untimed) word h over the alphabet Σ × 2P where P = {pϕ | ϕ ≡ I ϕ1 is a subformula of ψ}. The semantics of h is the set [[h]] of timed words (w, τ ) over Σ such that h(i) = (w(i), Ωi ) where Ωi = {pϕ ∈ P | (w, τ ), i |= ϕ}, for all i ≥ 0. Note that for all Hintikka sequences h

= h , we have  [[h]] ∩ [[h ]] = ∅. Therefore, given a timed word θ = (w, τ ), we denote by Hs(θ) the unique Hintikka sequence h such that θ ∈ [[h]], and given a language L of timed words, we denote by Hs(L) the set {Hs(θ) | θ ∈ L}. Lemma 5. For all LTL formula ψ, we have [[Hs([[ψ]])]] = [[ψ]]. Given an LTL formula ψ, we denote by Sub(ψ) the set containing the formulas ϕ and ♦- ϕ for all subformulas ϕ of ψ. From ψ, we construct the following nondeterministic (untimed) finite automaton with generalized B¨uchi condition on edges, Aψ = Q, qin , E, α over the alphabet Σ ×2P (P = {pϕ | ϕ ≡ I ϕ1 is a subformula of ψ}). – Q contains qin and all the q ⊆ Sub(ψ) that are consistent. A subset q is consistent iff: (i) there exists a unique a ∈ Σ such that a ∈ q; (ii) for all subformulas ϕ1 , ϕ2 of ψ, if ϕ2 ≡ ¬ϕ1 , then ϕ1 ∈ q iff ϕ2

∈ q; and (iii) for all subformulas ϕ1 ∨ ϕ2 of ψ, ϕ1 ∨ ϕ2 ∈ q iff ϕ1 ∈ q or ϕ2 ∈ q. – E ⊆ Q × (Σ × 2P ) × Q contains all edges (q, σ, q  ) such that σ = (a, {pϕ ∈ P | ϕ ∈ q  } where {a} = Σ ∩ q  and, either (i) q = qin , ψ ∈ q  and ϕ1 S ϕ2

∈ q  for all formulas ϕ1 S ϕ2 ∈ Sub(ψ), or (ii) q

= qin , for all subformula ϕ1 U ϕ2 of ψ, we have ϕ1 U ϕ2 ∈ q iff either (a) ϕ2 ∈ q  , or (b) ϕ1 ∈ q  and ϕ1 U ϕ2 ∈ q  ; and for all subformula ϕ1 S ϕ2 of ψ, we have ϕ1 S ϕ2 ∈ q  iff either (a) ϕ2 ∈ q, or (b) ϕ1 ∈ q and ϕ1 S ϕ2 ∈ q. – α is a set of accepting sets of edges, containing for each subformula ϕ1 U ϕ2 of ψ the set {(q, σ, q  ) ∈ E | ϕ1 U ϕ2

∈ q or ϕ2 ∈ q  }.

146

L. Doyen et al.

Lemma 6. For all LTL formula ψ, we have [[L(Aψ )]] = [[ψ]]. The next lemma is crucial to translate Bψ (the deterministic version of Aψ ) into a timed automaton Cψ . Indeed, in the time automaton Cψ , we use one clock for each formula of the form I ϕ to remember the last time ϕ has been true. Lemma 7 shows that only the information about the past of the word is relevant to know when these clocks have to be reset. Lemma 7. For all nonempty (untimed) finite words w over the set of propositions Σ, for all runs r1 , r2 of Aψ over w, the states Last(r1 ) and Last(r2 ) contain exactly the same PastECL formulas. From Aψ , we obtain a deterministic (untimed) automaton Bψ with parity condition such that L(Bψ ) = L(Aψ ) by Piterman’s determinization procedure [22]. The states of Bψ are Safra trees s, whose root root(s) tracks the standard subset construction. Therefore, by Lemma 7, for every transition (s, σ, s ) of Bψ , all states q ∈ roots agree on the PastECL subformulas of ψ. So, we can define a (deterministic) timed automaton Cψ over alphabet Σ and clocks {xϕ | I ϕ is a subformula of ψ} as follows: the state space of Cψ is a copy of the state space of Bψ , and for each transition (s, (a, Ω), s ) in Bψ , if for all pϕ ∈ Ω with ϕ ≡ I ϕ1 , we have ♦- ϕ1 ∈ root(s), then there is a transition (s, g, a, R, s ) in Cψ such that: R = {xϕ | pϕ ∈ Ω} and g is the conjunction of (i) all constraints xϕ1 ∈ I s.t. pϕ ∈ Ω and ϕ ≡ I ϕ1 is a subformula of ψ, and (ii) all constraints xϕ

∈ I s.t. pϕ

∈ Ω, ϕ ≡ I ϕ1 is a subformula of ψ, and ♦- ϕ1 ∈ root(s). Proposition 3. For all PastECL formula ψ, the timed automaton Cψ with parity condition is deterministic and L(Cψ ) = [[ψ]]. Using the results of [9], a deterministic timed automaton Dψ with parity condition can be constructed from Cψ such that L(Dψ ) = WC1 ([[ψ]]). The number of locations of D is O(|C| · d) where d is the number of priorities in Cψ , and the number of priorities in D is d + 2. To decide if Player 1 has a winning strategy for WC1 ([[ψ]]), we evaluate a μ-calculus fixpoint formula [10] that computes the set of winning states of Player 1 for the winning condition WC1 ([[ψ]]). The μ-calculus formula uses a controllable predecessor operator CPre(Z) that computes the set of states in which Player 1 can force the game to Z in one move. The controllable predecessor operator preserves the regions of the timed automaton Dψ , i.e., if Z is a union of regions, CPre(Z) is also a union of regions. Therefore, the winning states of Player 1 can be computed in time O((|Dψ | · m! · 2m · (2c + 1)m )d ) where |Dψ | is the number of locations in Dψ , m is the number of clocks, c is the largest constant, and d is the maximal priority in Dψ [9]. If we let n = |Aψ |, we get d = 2 + 2 · n · O(|ψ|), c = cψ is the largest constant that occurs as an integer endpoint of an interval I in a subformula I ϕ of ψ, m is the number of subformula I ϕ of ψ, and |Dψ | = 2d · nn · n! [9,22]. This is at most O(|ψ|) O(|ψ|) ) 2O(2 · (2cψ + 1)2 where |ψ| is the length of ψ. Theorem 4. For ψ ∈ LTL over alphabet Σ1  Σ2 , deciding whether Player 1 is O(|ψ|) O(|ψ|) ) td-winning the game Σ1 , Σ2 , [[ψ]] can be done in time 2O(2 · (2cψ + 1)2 . The realizability problem for LTL can be solved by the same technique as in Theorem 4, using the automaton Cψ instead of Dψ .

Realizability of Real-Time Logics

147

Theorem 5. For ψ ∈ LTL over alphabet Σ1  Σ2 , deciding whether Player 1 is O(|ψ|) O(|ψ|) ) winning the game Σ1 , Σ2 , [[ψ]] can be done in time 2O(2 · (2cψ + 1)2 . Since the realizability problem for LTL is 2EXPTIME-hard, we get the following corollary. Corollary 3. The realizability and td-realizability problems for LTL are 2EXPTIMEcomplete.

5 Discussion We close the paper by mentioning several open problems for future works. First, several semantical models have been proposed for real-time behaviors [4]. We conjecture that our proofs of (un)decidability extend to the case where the real-time models are timed state sequences, i.e. finite variable functions from R≥0 to Σ, and that our decidability result extends to LTL with the past formulas of MITL (the intuition is that the formulas of past MITL can be translated to deterministic timed automata [17]). Second, the realizability problem for ECL remains open in the case of finite words (the reachability problem is decidable for 3CM). It is our belief that techniques based on well-quasi orderings [21] should be investigated. Then, one could consider restricted classes of strategies (such as strategies with imperfect information [8], or with bounded resources [6]) to recover decidability. Finally, our positive result relies on the Safra construction for determinization. A Safraless procedure [15,12] should be investigated.

References 1. Alur, R., Dill, D.L.: A Theory of Timed Automata. TCS 126(2) (1994) 2. Alur, R., Feder, T., Henzinger, T.: The benefits of relaxing punctuality. J. ACM 43(1) (1996) 3. Alur, R., Fix, L., Henzinger, T.: Event-clock automata: a determinizable class of timed automata. TCS 211(1-2) (1999) 4. Alur, R., Henzinger, T.: Logics and models of real time: A survey. In: Proc. REX Workshop. Springer, Heidelberg (1992) 5. Alur, R., Henzinger, T.: A really temporal logic. J. ACM 41(1) (1994) 6. Bouyer, P., Bozzelli, L., Chevalier, F.: Controller synthesis for MTL specifications. In: Baier, C., Hermanns, H. (eds.) CONCUR 2006. LNCS, vol. 4137, pp. 450–464. Springer, Heidelberg (2006) 7. Cassez, F., David, A., Fleury, E., Larsen, K.G., Lime, D.: Efficient on-the-fly algorithms for the analysis of timed games. In: Abadi, M., de Alfaro, L. (eds.) CONCUR 2005. LNCS, vol. 3653, pp. 66–80. Springer, Heidelberg (2005) 8. Cassez, F., David, A., Fleury, E., Larsen, K.G., Lime, D., Raskin, J.F.: Timed control with observation based and stuttering invariant strategies. In: Namjoshi, K.S., Yoneda, T., Higashino, T., Okamura, Y. (eds.) ATVA 2007. LNCS, vol. 4762, pp. 192–206. Springer, Heidelberg (2007) 9. de Alfaro, L., Faella, M., Henzinger, T., Majumdar, R., Stoelinga, M.: The element of surprise in timed games. In: Amadio, R.M., Lugiez, D. (eds.) CONCUR 2003. LNCS, vol. 2761, pp. 144–158. Springer, Heidelberg (2003) 10. de Alfaro, L., Henzinger, T., Majumdar, R.: From verification to control: Dynamic programs for omega-regular objectives. In: Proc. LICS 2001. IEEE Computer Society Press, Los Alamitos (2001)

148

L. Doyen et al.

11. Doyen, L., Geeraerts, G., Rasking, J.F., Reichert, J.: Realizability, J.: of real-time logics. Technical report CFV 2009.120 (2009), http://www.ulb.ac/be/di/ssd/cfv 12. Filliot, E., Jin, N., Raskin, J.F.: An Antichain Algorithm for LTL Realizability. In: Proc. CAV 2009 (to appear, 2009) 13. Henzinger, T.A., Raskin, J.-F., Schobbens, P.-Y.: The regular real-time languages. In: Larsen, K.G., Skyum, S., Winskel, G. (eds.) ICALP 1998. LNCS, vol. 1443, p. 580. Springer, Heidelberg (1998) 14. Koymans, R.: Specifying real-time properties with metric temporal logic. RT Syst. 2(4) (1990) 15. Kupferman, O., Vardi, M.: Safraless decision procedures. In: Proc. FOCS 2005. IEEE Computer Society Press, Los Alamitos (2005) 16. Mayr, R.: Undecidable problems in unreliable computations. TCS 297(1-3) (2003) 17. Maler, O., Nickovic, D., Pnueli, A.: Real time temporal logic: Past, present, future. In: Pettersson, P., Yi, W. (eds.) FORMATS 2005. LNCS, vol. 3829, pp. 2–16. Springer, Heidelberg (2005) 18. Maler, O., Nickovic, D., Pnueli, A.: On synthesizing controllers from bounded-response properties. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 95–107. Springer, Heidelberg (2007) 19. Manna, Z., Pnueli, A.: Temporal verification of reactive systems: safety. Springer, Heidelberg (1995) 20. Maler, O., Pnueli, A., Sifakis, J.: On the synthesis of discrete controllers for timed systems. In: Mayr, E.W., Puech, C. (eds.) STACS 1995. LNCS, vol. 900. Springer, Heidelberg (1995) 21. Ouaknine, J., Worrell, J.: On the decidability of metric temporal logic. In: Proc LICS 2005. IEEE Computer Society Press, Los Alamitos (2005) 22. Piterman, N.: From nondeterministic B¨uchi and Streett automata to deterministic parity automata. LMCS 3(3) (2007) 23. Pnueli, A.: The temporal logic of programs. In: Proc. SFCS 1977. IEEE Computer Society Press, Los Alamitos (1977) 24. Pnueli, A., Rosner, R.: On the synthesis of a reactive module. In: Proc. POPL 1989. ACM Press, New York (1989) 25. Raskin, J.-F.: Logics, Automata and Classical Theories for Deciding Real Time. PhD thesis, FUNDP, Belgium (1999) 26. Raskin, J.-F., Schobbens, P.-Y.: The logic of event clocks: decidability, complexity and expressiveness. Automatica, 34(3) (1998) 27. Wolper, P.: The tableau method for temporal logic: An overview. Logique et Analyse, 110– 111 (1985)

Revisiting Decidability and Optimum Reachability for Multi-Priced Timed Automata Martin Fr¨ anzle and Mani Swaminathan University of Oldenburg {fraenzle,mani.swaminathan}@informatik.uni-oldenburg.de

Abstract. We investigate the optimum reachability problem for MultiPriced Timed Automata (MPTA) that admit both positive and negative costs on edges and locations, thus bridging the gap between the results of Bouyer et al. (2007) and of Larsen and Rasmussen (2008). Our contributions are the following: (1) We show that even the location reachability problem is undecidable for MPTA equipped with both positive and negative costs, provided the costs are subject to a bounded budget, in the sense that paths of the underlying Multi-Priced Transition System (MPTS) that operationally exceed the budget are considered as not being viable. This undecidability result follows from an encoding of StopWatch Automata using such MPTA, and applies to MPTA with as few as two cost variables, and even when no costs are incurred upon taking edges. (2) We then restrict the MPTA such that each viable quasi-cyclic path of the underlying MPTS incurs a minimum absolute cost. Under such a condition, the location reachability problem is shown to be decidable and the optimum cost is shown to be computable for MPTA with positive and negative costs and a bounded budget. These results follow from a reduction of the optimum reachability problem to the solution of a linear constraint system representing the path conditions over a finite number of viable paths of bounded length.

1

Introduction and Related Work

Formal models for hard real-time systems, paired with automatic analysis procedures determining their dynamic properties, are being considered as a means for rigorously ensuring that such systems function as desired. The classical Timed Automaton (TA) [1] has emerged as a well-studied model in this context. The (un-)decidability frontier between TA, for which location reachability and related properties are decidable, and Linear Hybrid Automata (LHA) [2], for which these properties happen to be undecidable, has been investigated through analysis of various moderate extensions of the original TA framework. Some of these extensions are interesting in their own right, as they provide valuable enhancements 

This work has been partially funded by the German Research Council (DFG) as part of the Transregional Collaborative Research Center “Automatic Verification and Analysis of Complex Systems” (SFB/TR 14 AVACS, www.avacs.org).

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 149–163, 2009. c Springer-Verlag Berlin Heidelberg 2009 

150

M. Fr¨ anzle and M. Swaminathan

to the expressiveness of the TA framework, thus enabling the analysis and optimization of phenomena such as scheduling, which are beyond the scope of TA. One such extension is that of Linear Priced Timed Automata ((L)PTA) or, synonymously, Weighted Timed Automata [3,4,5] for modelling real-time systems subject to some budgetary constraints on resource consumption. LPTA have -in addition to the real-valued clocks of classical TA - a cost-function mapping locations and edges to non-negative integers, whereupon a certain cost is incurred by staying in a location, or by taking an edge. The minimum (infimum) cost reachability problem for LPTA computes the minimum (infimum) cost of reaching a given goal-location. The minimum / infimum cost reachability problem for LPTA has been shown to be decidable and computable [3,4,5], leading to efficient tool-support through UPPAAL CORA along with applications to real-time scheduling [6]. A key factor for the decidability of location reachability in LPTA is that the cost variable is a monotonically increasing observer in the following sense: the cost variable cannot be reset, and testing the cost is forbidden in both guards of edges and invariants of locations, thereby restricting the expressive power of the model wrt. LHA, or equivalently, wrt. Stop-Watch Automata (SWA) [7]. This preservation of decidability has attracted an immense amount of research on (L)PTA in recent years (see [8] and Chapter 5 of [9] for surveys), among which we take a closer look at the following enhancements to the original LPTA model: – The optimum reachability problem is considered in [10] for LPTA having a single cost variable, with both positive and negative integer costs being allowed on edges and locations. The optimality here refers to the computation of both infimum and supremum cost, which is shown to be PSPACECOMPLETE, with optimum paths of the underlying transition system consisting of time-transitions occurring at time instants arbitrarily close to integers. – The optimum (conditional) reachability problem for Multi-Priced Timed Automata (MPTA) with multiple cost variables is considered in [11], with only non-negative costs being allowed on edges and locations. The decidability of the minimum- and maximum- cost reachability problems is shown through exact symbolic (zone-based) algorithms that are guaranteed to terminate. Termination of the symbolic algorithm for computing the maximum cost reachability is subject to a divergence condition on costs, where the accumulation of each of the costs diverges along all infinite paths of the underlying Multi-Priced Transition System (MPTS). – MPTA with both positive and negative costs are considered in [12]. More specifically, [12] investigates Dual-Priced Timed Automata (DPTA) with two observers (one observer termed as cost and the other as reward) in the context of optimum infinite scheduling, where the reward takes on only non-negative rates and is “strongly diverging” in the following sense: the accumulated reward diverges along every infinite path in the underlying transition system of the equivalent closed DPTA (obtained as usual by

Decidability and Optimum Reachability of MPTA

151

making all inequalities in guards and invariants non-strict). There are no such restrictions on the cost observer, which can take on both positive and negative values. Optimum infinite schedules (that minimize or maximize the cost/reward ratio) are shown to be computable for such DPTA via cornerpoint abstractions. Nevertheless, an exact characterization of the conditions for (un-)decidability and computation of the optimum reachability problems for MPTA having both positive and negative costs remains - to the best of our knowledge - unclear. We therefore attempt here to bridge the gap between the results of [10] and [11] by formulating conditions for (un-)decidability and computatibility wrt. the optimum reachability problems for such MPTA, through the following contributions: 1. We first show that Stopwatch Automata (SWA) [13,14] can be encoded using MPTA with two cost variables per stopwatch, allowing both positive and negative costs on edges and locations, with each of the costs being subject to individual upper and lower bounds that are to be respected along all viable paths of the underlying transition system. Since location reachability is undecidable in SWA with just one stop-watch, an immediate consequence of such an encoding is that even location reachability becomes undecidable for DPTA with two cost variables, admitting both postive and negative costs in locations and edges. Moreover, this undecidability result holds even when no costs are charged upon taking edges. 2. We then consider MPTA with both positive and negative costs on locations and edges, with individual bounds on each cost variable, and restrict the underlying MPTS such that a minimum absolute cost is incurred along all quasi-cyclic viable paths. Under such a restriction, we show that the reachability problem is decidable and that the optimum cost is computable for such MPTA. These results are derived from a reduction of the optimum reachability problem to the solution of a linear constraint system representing the path conditions over a finite number of viable paths, with the finiteness here being obtained from the boundedness and the (quasi-)cycle conditions on the costs. Our contributions may thus be viewed as an additional step towards the precise characterization of the (un-)decidability frontiers between various semantic models for richer classes of real-time systems. The remainder of this paper is organized as follows: Section 2 introduces MPTA and MPTS. Section 3 illustrates the encoding of SWA through MPTA admitting both positive and negative (bounded) costs in locations / edges, thereby demonstrating that even location reachability is undecidable for such MPTA with as few as two cost variables. Section 4 describes the computation of optimum cost for MPTA with both positive and negative costs in locations and edges, but subject to the cost boundedness and (quasi-)cycle conditions mentioned above. Section 5 concludes the paper along with directions for future research.

152

2

M. Fr¨ anzle and M. Swaminathan

Multi- Priced Timed Automata (MPTA)

The notation and definitions used in this section partly mirror those in [11,12]. Given a finite set C of clocks, a clock valuation over C is a map v : C → R≥0 that assigns a non-negative real value to each clock in C. If n is the number of clocks, a clock valuation is basically a point in Rn≥0 , which we henceforth denote by u, v etc. Definition 1. A zone over a set of clocks C is a system of constraints defined by the grammar g ::= x  d | x − y  d | g ∧ g, where x, y ∈ C, d ∈ N, and  ∈ {<, ≤, >, ≥}. The set of zones over C is denoted Z(C). A closed zone is one in which  ∈ {≤, ≥}, and we denote the set of closed zones over C by Zc (C). A zone with no bounds on clock differences (i.e., with no constraint of the form x − y  d) is said to be diagonal-free, and we denote the corresponding set of zones by Zd (C). The set Zcd (C) denotes zones that are both closed and diagonal-free. The set ZcdU (C) denotes the set of closed, diagonal-free zones having only upper bounds on the clocks. Definition 2. An MPTA is a tuple A = (L, C, (l0 , 0), E, I, P ), with – a finite set L of locations and a finite set C of clocks, with |C| = n. – An initial location l0 ∈ L together with the initial clock-valuation 0 where all clocks are set to 0. – a set E ⊆ L × Zcd (C) × 2C × L of possible edges between locations. An edge e e = (l, g, Y, l ) between two locations l and l is denoted l −→ l , and involves a guard g = G(e) ∈ Zcd (C), a reset set Y = Rese ⊆ C. – I : L → ZcdU (C) assigns invariants to locations – P is an indexed set of prices {p1 , . . . , pn } where each pi : (L ∪ E) → Z assigns price-rates to locations and prices (or costs) to edges In the sequel, we will denote by m the clock ceiling of the MPTA A under investigation, which is the largest constant among the clock constraints of A. For ease of presentation, we assume that the guards and invariants of the automaton are closed and diagonal-free zones. We further assume that the clock-values are upper-bounded by m through the invariants at each location. These are not real restrictions, as every (P)TA can be transformed into an equivalent bounded and diagonal-free one (as in Section 5.3 of [10]). Boundedness likewise does not confine the expressiveness of Stop-Watch Automata discussed in the next section. The concrete semantics of such an MPTA is given by a corresponding MultiPriced Transition System (MPTS) with states (l, u) ∈ (L, Rn≥0 ) where u |= I(l), with initial state (l0 , 0), and a transition relation → defined as follows: δ,c

– Time-transitions: (l, u) −→ (l, v) if c = P (l) · δ and ∀0 ≤ t ≤ δ : u + t |= I(l) where u + t denotes the addition of t to each component of u. e,c – Switch-Transitions: (l, u) −→ (l , v) if ∃e = (l, g, Y, l) ∈ E : u |= g, v =  [Y ← 0]u , v |= I(l ), c = P (e)

Decidability and Optimum Reachability of MPTA

153

Definition 3. A canonical initialized path [10] π of an MPTS is a (possibly infinite) sequence of states si (each state si being a location-plus-clock-valuation pair of the form (l, u)), which hich starts from the initial state and alternates δ,c0

e1 ,c1

between time- and switch-transitions π = s0 −→ s1 −→ s2 . . .. The set of all possible canonical initialized paths is denoted Π. For a finite path πinΠ k−1of length |π| = k, its accumulated cost-vector is defined as: Cost(π) = i=0 ci , with the summation here being performed component-wise for each cost-vector ci , with k−1 Costj (π) = i=0 cij for each cost-component. For π ∈ Π, let πk denote its finite prefix of length k. Then the corresponding accumulated cost along π is given by Cost(π) = limk→∞ Cost(πk ), if the latter exists. The accumulated cost of π ∈ Π wrt. a (set of ) goal state(s) G is defined as:  ∞ if ∀i ≥ 0 : si ∈ /G , CostG (π) = k i if ∃k ≥ 0 : (sk ∈ G ∧ ∀i < k : si ∈ / G) . i=0 c CostG (π) for π ∈ Π therefore yields the accumulated cost-vector along the shortest prefix of π ending in a goal state. Cost-Boundedness Constraint. We assume in this paper that the permissible cost charging is bounded by budgetary constraints, in the sense that paths of the MPTS exceeding this budget (e.g., exhausting the battery capacity) are considered unviable and thus irrelevant to the optimization problem, even if the budget is exceeded only temporarily. The budgetary constraint is given formally as follows: For each cost variable, there is a lower bound Lj ∈ Z≤0 and an upper bound Uj ∈ Z≥0 which all viable paths have to obey throughout. Thus, a path π is called viable iff ∀π  non-empty canonical prefix of π : ∀j ∈ {1, . . . , n } : Lj ≤ Costj (π  ) ≤ Uj holds. We further designate Ω as the linear objective function that we wish to optimize wrt. reaching a set of goal locations under such budgetary constraints. Ω can be an arbitrary linear combination of prices drawn from P . The objective of this paper is to formulate the conditions for (un-)decidability of reaching G under the budgetary constraints and for computatibility of the minimum value of Ω when viably reaching G. We call the latter the optimum-cost reachability problem, formally given below. Problem 1. Given an MPTA A = (L, C, (l0 , 0), E, I, P ) having a set Π of canonical initialized paths in its corresponding MPTS, and given a set G ⊆ L of goal locations plus a linear objective function Ω, as well as budgetary constraints (Lj , Uj ) for the accumulation of each cost function pj along all viable paths in Π, the optimum-cost reachability problem is to compute min{Ω(CostG (π)) | π ∈ Π, π viable} .

154

M. Fr¨ anzle and M. Swaminathan

Note that as Ω is an arbitrary linear combination of the prices accumulated in A, this problem — despite being formulated as a minimization problem — incorporates maximum-cost reachability also. MPTA having two cost variables only are termed Dual-Priced Timed Automata (DPTA) in the remainder. We now proceed to show in Section 3 that DPTA with a boundedness condition on costs as above can be used to encode Stop-Watch Automata (SWA) with one stopwatch, for which even location reachability is undecidable [14]. It therefore follows that Problem 1 is undecidable for such cases. We however show in Section 4 that Problem 1 is decidable and computable even for MPTA when one imposes suitable conditions on viable quasi-cyclic paths of the corresponding MPTS.

3

Encoding of Stop-Watch Automata Using Bounded MPTA

Stopwatch automata (SWA) are an extension of timed automata where advance of individual clocks can be stopped in selected locations. It has been shown in [13,14] that location reachability is undecidable even for simple SWA (in the sense of all clock constraints being diagonal-free), and even when both the clocks and the stopwatches are confined to bounded range. The result, which is based on encoding two-counter machines, applies to SWA as small as a single stopwatch and four clocks. In the sequel, we will provide an encoding of stopwatch automata with n bounded clocks and n bounded stopwatches by MPTA with n + 1 clocks and 2n cost variables. This shows that location reachability is undecidable for bounded dually priced 5-clock MPTA. As it suffices for our undecidability result, and as the generalization is straightforward, we demonstrate our reduction on 1-stopwatch SWA only. Let m ∈ N be a common upper bound on all clocks C = {x1 , . . . , xn } and the single stopwatch sw occurring in the SWA A, i.e. m dominates the individual range bounds on clocks and sw . We construct an MPTA with two cost variables s and S, both with bounded range [0, 2m], and n + 1 (bounded) clocks C ∪ {h}, where h is a fresh helper clock. W.l.o.g, we assume that the SWA A to be encoded does not contain guard conditions on its stopwatch, as these can always be replaced by invariants imposed in urgent transient states. The central idea of the encoding is that s watches the lower bounds while S watches the upper bounds imposed on sw . Therefore, 1. the prices s and S do generally evolve with the same rate as the stopwatch sw they simulate, 2. s ≤ S holds throughout, 3. when sw is subject to an invariant imposing a lower bound of l ≥ 0 then s = sw − l,1 1

Note that whenever there is no explicit invariant enforcing a stronger lower bound, sw still is subject to the invariant sw ≥ 0. Moreover, sw is always subject to an upper bound as it is generally confined to the range [0, m]. The invariants s ≥ 0 (uniform over all locations) and sw ≥ l mutually reinforce each other.

Decidability and Optimum Reachability of MPTA (sw , x1 , . . . , xn ) = 0

(s, S, x1 , . . . , xn ) = 0

l0 inv c ∧ sw ∈ [l, u] dsw =a dt

155

l0 h=0

true/∅ ps = −l, pS = 2m − u

inv c ps = a pS = a

s = −l, S = 2m − u (x1 , . . . , xn ) = 0 Fig. 1. Initializing the cost variables s and S simulating the stopwatch such that they enforce the invariant on the stopwatch sw . Here and in the remainder, inv c (as well as inv c ) refers to the parts of the invariant not dealing with the stopwatch. a is the slope of the stopwatch in l0 , which can be 0 or 1. Here and in all subsequent figures, formulae in shaded boxes are not part of the automaton, but collect invariant properties of the MPTS guaranteed along simulating runs.

(sw , x1 , . . . , xn ) = (t0 , . . . , tn )

s = t0 − l S = t0 + 2m − u (x1 , . . . , xn ) = (t1 , . . . , tn )

li inv c ∧ sw ∈ [l, u] dsw =a dt g/R, with sw  ∈R 

sw = sw = t0 + aδ ≤ u (x1 , . . . , xn ) = Rδ (t1 , . . . , tn )

inv c ∧ sw ∈ [l , u ] dsw = a dt

lj

li inv c ps = a pS = a g/R, ps = l − l , pS = u − u 

s = t0 − l + aδ s= t0 − l + aδ S = t0 + 2m − u + aδ S = t0 + 2m − u + aδ (x1 , . . . , xn ) = Rδ (t1 , . . . , tn ) inv c ps = a pS = a

lj

Fig. 2. Implementing change of invariant on the stopwatch in case the stopwatch is not reset by the switch transition. W.l.o.g., we assume that the guard g does not mention  the stopwatch, as the pertinent conditions can be moved to invariants. x denotes the value of x before the transition while x denotes its value thereafter. δ represents the time spent in li and Rδ (t1 , . . . , tn ) abbreviates the result of applying the reset R to (x1 , . . . , , xn ) = (t1 + δ, . . . , tn + δ).

156

M. Fr¨ anzle and M. Swaminathan

4. when sw is subject to an invariant imposing an upper bound of u ≤ m then S = sw + 2m − u. Note that maintaining properties 3 and 4 leads to the bound [0, 2m] on s and S enforcing the original invariant on sw , as s = sw − l ∧ s ≥ 0 implies sw ≥ l and S = sw + 2m − u ∧ S ≤ 2m implies sw ≤ u. Thus, the general bounds on s and S enforce the invariants on sw without any need for explicit invariants on s and S. All that has to be done is to, first, initialize s and S such that 3 and 4 hold, which is achieved by replacing the initial state by two states as in Fig. 1 and, second, update them accordingly upon a change of the invariant mediated by a location change in the SWA, which is shown in Fig. 2. Note that in both cases in accordance with property 1, the cost rates ps and pS coincide to the slope a of sw . Resetting the stopwatch requires a slightly more complex construction, as we need to force s to value 0 (assuming that the invariant of the location following the reset does not enforce a lower bound on the just reset stopwatch, which would render the switch transition infeasible) and S to value 2m − u, where u is the upper bound on sw in the target location of the resetting switch transition. To achieve this, we simulate the (instantaneous) switch transition by a run of duration 2m. Within this run, we let s and S run to value m, which we test by substracting −2m in a subsequent switch transition. We then adjust the values as desired. Furthermore, we employ the wrapping automaton construction of [13,14] to preserve the clock values. The complete automaton fragment is depicted in Fig. 3. Glueing together the above MPTA fragments at the like-named locations, one obtains an MPTA which is equivalent to the encoded SWA wrt. location reachability. Due to the undecidability of location reachability for SWA [13,14], this reduction yields the following result: Theorem 1. Location reachability is undecidable for MPTA with n ≥ 1 clocks and max(2, 14 − 2n) bounded cost variables. In particular, it is undecidable for MPTA with 6 clocks and 2 bounded cost variables, as well as for 1 clock and 12 bounded cost variables. Proof. The invariance properties mentioned in the shaded boxes in Figures 1 to 3, which are straightforward to establish based on the semantics of stopwatch automata and MPTA, show that the stopwatch automaton A has a path reaching location li with clock readings (x1 , . . . , xn ) = (t1 , . . . , tn ) and stopwatch reading t0 iff the encoding MPTA M has a viable path reaching location li with the same clock readings (x1 , . . . , xn ) = (t1 , . . . , tn ) and costs s = t0 − l and S = t0 + 2m − u. Hence, A can reach a given target location ltarget iff M can reach the corresponding location. According to [13,14], location reachability is undecidable for simple SWA with bounded clocks and stopwatches. The reduction to two-counter machines used in their proof yields SWA with five clocks and one stopwatch. As clocks are special cases of stopwatches, location reachability is thus undecidable for SWA with n ≥ 0 clocks and max(1, 6 − n) stopwatches. Our reduction encodes such SWA by a bounded MPTA with n ≥ 1 clocks and max(2, 14 − 2n) bounded prices.



Decidability and Optimum Reachability of MPTA

(x1 , . . . , xn ) = wrap(Rδ (t1 , . . . , tn ) + h)  s = s = t0 + aδ − l  S = S = t0 + aδ + 2m − u + h ≤ 2m

s = t0 − l, S = t0 + 2m − u (x1 , . . . , xn ) = (t1 , . . . , tn )

li inv c ps = a pS = a

g/R ∪ {h}, ps = 0, pS = 0

x1 ≤ m∧ . . . xn ≤ m ps = 0 pS = 1

h=0 (x1 , . . . , xn ) = Rδ (t1 , . . . , tn )  s = s = t0 + aδ − l ≥ 0  S = S = t0 + aδ + 2m − u ≤ 2m

li inv c ∧ sw ∈ [l, u] dsw =a dt

(sw , x1 , . . . , xn ) = (t0 , . . . , tn )

g/R ∪ {sw }  sw = t0 + aδ ≤ u   ( x 1 , . . . , x n ) = (t0 + δ, . . . , tn + δ) sw = 0 (x1 , . . . , xn ) = Rδ (t1 , . . . , tn ) inv c ∧ sw ∈ [l , u ] dsw = a dt

inv c ps = a pS = a

lj lj

x1 = m/{x 1} . .. xn = m/{xn } ps = 0, pS = 0

true/∅, ps = 0, pS = −2m (x1 , . . . , xn ) = wrap(Rδ (t1 , . . . , tn ) + h)  s = s = t0 + aδ − l  (∗) S −2m = S ≥ 0, S ≤ 2m

x1 ≤ m∧ . . . xn ≤ m ps = 1 pS = 0

x1 = m/{x 1} . . . xn = m/{xn } ps = 0, pS = 0

true/∅, ps = −2m, pS = 0 (x1 , . . . , xn ) = wrap(Rδ (t1 , . . . , tn ) + h)   s −2m = s ≥ 0, s ≤ 2m (†)  S= S = 0

x1 ≤ m∧ . . . xn ≤ m ps = 0 ps = −l , pS = 2m − u pS = 0

h = 2m/∅,

157

x1 = m/{x 1} . .. xn = m/{xn } ps = 0, pS = 0

h = 2m (x1 , . . . , xn ) = wrap(Rδ (t1 , . . . , tn ) + h) = (t1 , . . . , tn ) s = −l , S = 2m − u

Fig. 3. Resetting the stopwatch, i.e. setting s = −l and S = 2m − u while preserving x the clocks. Here, wrap(x) := x − m m . Note that (∗) and (†) imply S = 0 and s = 0.

An immediate consequence is Corollary 1. Optimum cost is not effectively computable for bounded MPTA. Proof. As the optimum cost is infinite iff the target location is unreachable, computing the optimum cost entails solving the reachability problem, which is undecidable for bounded PTA with more than one price according to Theorem 1.

Note that these results can easily be strengthened wrt. the operations permitted on costs: Corollary 2. Location reachability remains undecidable and optimum cost uncomputable even if no costs can be charged on edges.

158

M. Fr¨ anzle and M. Swaminathan

Proof. It is straightforward to simulate an instantaneous price update by a durational update of fixed duration and slope using the wrapping construction to retain the clock values.

When interpreting the above negative results concerning effectiveness, it should be noted, however, that the encoding relies crucially on closedness as well as on the universally binding character of the budgetary constraints. It is currently unclear whether similar undecidability results hold under an open (in the sense of strict bounds on the cost) budget or the permission to temporarily overdraw the budget by small amounts.

4

Optimum Cost Reachability for MPTA under Cost-Charging Quasi-Cycles

In this section, we investigate the optimum cost problem for bounded MPTA subject to the additional assumption that non-trivial cost is charged upon each quasi-cyclic viable path, where a quasi-cycle is a sequence of states returning close to its origin. This property is captured by the following definition: Definition 4. We call an MPTA cost-charging on quasi-cycles if there exists δ0 ,c0

e1 ,c1

δi ,ci

ε > 0 such that for each canonical viable path π = s0 −→ s1 −→ s2 . . . −→ si with d(s0 , si ) ≤ ε and path-length i ≥ 2, i.e. the path contains at least one jump, it holds that |Costk (π)| ≥ ε for some cost-component. I.e., the MPTA is costcharging on quasi-cycles iff there is no infinitesimally cheap return to a close vicinity of a state once this vicinity has been left. Hereby, we define the distance d((l, u), (l , u )) between two states (l, u) and (l , u) to be  ∞ if l  = l , d((l, u), (l , u )) = ||u − u || if l = l , where || · || is the maximum norm. Note that we neither demand a constant sign for the cost incurred nor fix the cost variable that incurs non-trivial cost upon quasi-return. Hence, some cost variable may well incur cost ε on some path from (l, u) to some (l, u ) in its ε-vicinity and cost −ε on the same or another cost variable when proceeding from (l, u ) to another (l, u ) in the ε-vicinity of (l, u ). Nevertheless, together with compactness of the state space as implied by boundedness, cost-charging on quasi-cycles is strong enough a condition of finiteness on all viable, i.e. bound-respecting, paths. 2 Lemma 1. Let A be a bounded MPTA which is cost-charging on quasi-cycles. Then the length of canonical viable paths in A is finitely bounded. 2

Note that any constant bound δ(ε) > 0 suffices as a minimum lower bound on the absolute cost incurred along quasi-cyclic paths in order to obtain the finiteness condition. We have however chosen a single parameter ε for ease of presentation.

Decidability and Optimum Reachability of MPTA

159

Proof. Let ε > 0 be the constant from Def. 4. Let L be the set of locations and {x1 , . . . , xn } be the set of clocks in A and let Di for i = 1, . . . , n be their respective bounded domains. Let {p1 , . . . , pn } be the set of cost variables in A and let Pi for i = 1, . . . , n be their respective bounded domains. As the domains are bounded, the topological closure V of the combined clock-and-cost space    V = ni=1 Di × nj=1 Pj is compact. Hence, V can only contain finitely many ε-separated points. Let k be an upper bound on the maximum number of ε-separated points in δ0 ,c0

e1 ,c1

δK ,cK

V . Letπ = s0 −→ s1 −→ s2 . . . −→ sK be a viable canonical path and let C i = ij=0 ci be the accumulated costs until step i. As A is cost-charging on quasi-cycles, ||ui − uj || ≥ ε ∨ ||C i − C j || ≥ ε, which is equivalent to ||(ui , C i ) − (uj , C j )|| ≥ ε, for each i, j ≤ K with li = lj . As (ui , C i ) ∈ V for each i ≤ K, it follows that ∀l ∈ L : |{(li , ui , Ci ) | i ≤ K ∧ li = l}| ≤ k. Consequently, K ≤ k · |L| holds for the length K of the canonical viable path π.

Given the fact expressed in Lemma 1 that all canonical viable paths have a uniform finite bound on their lengths, a consequence is that the optimum reachability problem for MPTA becomes an instance of bounded model-checking (BMC) [15] that is solvable for a rich class of hybrid systems. In particular, we encode the optimum bounded reachability problem up to depth k for MPTA as a Mixed Integer Linear Program (MILP). In the remainder of this section, we provide a corresponding algorithm, which is based upon reducing Problem 1 for cost-charging MPTA to a Mixed Integer Linear Program, along the lines of [16] illustrating BMC for acyclic LPTA. This MILP will then be used twofold: First, as it expresses feasibility of a path of length k, versions with increasingly larger k will be used to determine the upper bound K on path length. Once this has been found, a version of depth K equipped with the cost term as an objective function will be used for determining the optimum cost. Given an MPTA A = (L, C, (l0 , 0), E, I, P ), a set G ⊆ L of goal-locations, and an arbitrary linear combination Ω of prices, we generate the following MILP for the BMC problem of depth k: – For each discrete location l ∈ L we take k + 1 zero-one variables li , where each li takes on either of the values 0 or 1, with 0 ≤ i ≤ k. The value of li encodes whether A is in location l in step i as follows: li = 1 iff A is in location l in step i. Thus, for any i ≤ k, there should be exactly one l ∈ L such that li = 1, which can be enforced by requiring l∈L li = 1 in the MILP for each i ∈ {0, . . . , k}. – For each edge e ∈ E we take k zero-one variables ei , with 1 ≤ i ≤ k. The value of ei encodes whether A’s ith move in the run was transition e. Again, one enforces that exactly one transition is taken in each step by adding the constraint e∈E li = 1 in the MILP for each i ∈ {1, . . . , k}. – For each clock c ∈ C we take k real-valued variables ci , with 0 ≤ i ≤ k − 1. The value of ci encodes c’s value immediately after the ith transition in the run.

160

M. Fr¨ anzle and M. Swaminathan

– For each i ≤ k we take one real-valued variable δ i representing the time spent in the ith location along the run. – We add constraints describing the initial state, i.e. enforcing l00 = 1 and c0 = 0 for each c ∈ C. – We add constraints describing the relationship between discrete locations and transitions, i.e. guaranteeing that ei = 1 implies li−1 = 1 and  li = 1 for  (l, l) ∈ e. This can be encoded as a linear constraint via li−1 ≥ ei ∧ li ≥ ei . – We add constraints enforcing the location invariants, i.e. checking for each i ≤ k that li = 1 =⇒ I(li )[ci1 , . . . , cin /c1 , . . . , cn ] and that li = 1 =⇒ I(li )[ci1 + δ i , . . . , cin + δ i /c1 , . . . , cn ], where c1 , . . . , cn are the clocks (i.e., {c1 , . . . , cn } = C) and φ[y/x] denotes substitution of y for x in φ. As all clocks are bounded by m, the implications can be realized using the switch variable encoding. E.g., for an upper bound x ≤ u in the invariant, m · li + xi + δ i ≤ m + u implements the implication li = 1 =⇒ xi + δ i ≤ u. – Using the same encoding, we add constraints enforcing guards, i.e. guaranteeing for each 0 ≤ i ≤ k − 1 that ei+1 = active =⇒ g(e)[ci1 + δ i , . . . , cin + δ i /c1 , . . . , cn ] , where g(e) denotes the guard of edge e. – We add constraints dealing with resets, i.e. enforcing for each 0 ≤ i ≤ k − 1 that  i+1 c = ci + δ i iff c ∈ / Y (e) , i+1 e = active =⇒ ci+1 = 0 iff c ∈ Y (e) , where Y (e) is the reset map associated to edge e. – For each price variable p ∈ P , we define k + 1 auxiliary variables pit recording the step price incurred by p in step i ≤ k and k + 1 auxiliary variables pid recording the price incurred by staying in the location during step i ≤ k. Using the switch variable encoding, we enforce k 

li = 1 =⇒ pid = p(l) · δ i

l∈L i=0

and p0t = 0 ∧

k  

ei = 1 =⇒ pit = p(e) ,

e∈E i=1

where p : E ∪ L → Z is the cost assignment of A. – Adding k further variables pi for each price p ∈ P , we can record the price Costp accumulated so far by defining p0 = 0 , p = pj + pjd + pjt j+1

Decidability and Optimum Reachability of MPTA

161

for each j < k. Viability of the paths is enforced by additionally demanding L p ≤ pj ≤ Up , j j Lp ≤ p + pd ≤ Up for each j ≤ k. This encoding, which is a standard MILP encoding suitable for bounded model-checking, can now be used in two ways: 1. For checking whether viable paths of length k exist, the above system is simply build for the desired depth k and checked for feasibility using an MILP solver. The resulting MILP is feasible iff paths of length ≥ k exist. 2. For determining the minimum cost for reaching the goal states within k steps, we, first, modify the goal states to become sinks by decorating them with cost-free and always enabled loops, second, build the above constraint system to depth k, third, add constraints enforcing the goal-locations to be visited by constraint k   li ≥ 1 i=0 l∈G

and, finally, use the linear expression Ω[P k /P ] as an objective function to be minimized by the MILP solver. The MILP solver will either report the system to be infeasible, in which case the minimum cost of reaching G along canonical initialized paths of length at most k is infinite, or it will report the minimum cost of reaching G along canonical initialized paths of length at most k as the optimum value of its objective function. An optimum path can then be retrieved from the variables in the MILP that represent the MPTA state at the various steps. Combining these two steps, we can solve Problem 1, i.e. the optimum-cost reachability problem, effectively by iteratively performing step 1 for increasing k until no viable path of length k ∗ exists and then performing step 2 for k ∗ − 1. Based on this procedure, we obtain the following positive result concerning effectiveness of cost optimal reachability in MPTA: Theorem 2. For bounded MPTA A which are cost-charging on quasi-cycles, the following two properties hold: 1. It is decidable whether A has a viable (i.e. obedient to the budgetary constraints) initialized path to some goal state. 2. The optimum cost for A reaching a goal state via a viable initialized path is computable for any linear cost function.



162

5

M. Fr¨ anzle and M. Swaminathan

Conclusion and Future Research

We have investigated conditions for (un-)decidability and computability of the optimum reachability problem for MPTA admitting both positive and negative costs on locations and edges. Our encoding of SWA using cost-bounded MPTA however critically depends on the fact that the bounds on the cost variables are closed (i.e., non-strict), and that these bounds are to be respected for each cost variable along all viable paths of the underlying transition system. The question of whether this undecidability result holds even when cost bounds are strict, or when some path is allowed to temporarily overshoot the budget wrt. a cost variable, or when subject to other forms of budgetary constraints (as motivated, for instance, in [17]) remains currently open. Moreover, given that the undecidability result for cost-bounded MPTA holds for n ≥ 1 clocks and max(2, 14−2n) bounded cost variables (cf. Theorem 1), another natural question would be the validity of this result when one correspondingly restricts the number of clocks and bounded cost variables. The cost-charging (quasi-)cycle assumption used to validate the BMC procedure of Section 4 is related to the divergence assumptions made in [11,12]. Due to the limited ability of TA to discriminate between states, as apparent from the region graph construction, it however seems that a few other cycle conditions may be equivalent to the above-mentioned condition on quasi-cycles, thus providing a potentially fruitful line of attack. The presently proposed procedure of iteratively increasing the depth (for which BMC is performed) is not efficient, particularly for a small bound ε on the minimum cost incurred along quasi-cyclic viable paths. We therefore also plan to investigate efficient (symbolic) algorithms that exploit other realistic path conditions, and apply them to decision problems for the Duration Calculus [18], thereby fully implementing the decision procedure for a rich fragment of DC from [19] and extending it to an even richer subset, accommodating arbitrary linear combinations of durations. The latter requires algorithms for deciding budget-constrained reachability in MPTA with positive and negative cost rates, as negatively weighted durations map to prices with negative rates when extending the construction of [19]. Acknowledgements. We wish to thank Ernst-R¨ udiger Olderog and the reviewers for useful comments that helped in improving the presentation of this paper.

References 1. Alur, R., Dill, D.: A Theory of Timed Automata. Theoretical Computer Science 126(2), 183–235 (1994) 2. Alur, R., Courcoubetis, C., Halbwachs, N., Henzinger, T.A., Ho, P.-H., Nicollin, X., Olivero, A., Sifakis, J., Yovine, S.: The Algorithmic Analysis of Hybrid Systems. Theoretical Computer Science 138(1), 3–34 (1995) 3. Alur, R., La Torre, S., Pappas, G.J.: Optimal paths in weighted timed automata. In: Di Benedetto, M.D., Sangiovanni-Vincentelli, A.L. (eds.) HSCC 2001. LNCS, vol. 2034, pp. 49–62. Springer, Heidelberg (2001)

Decidability and Optimum Reachability of MPTA

163

4. Behrmann, G., Fehnker, A., Hune, T., Larsen, K.G., Pettersson, P., Romijn, J.M.T., Vaandrager, F.W.: Minimum-cost reachability for priced timed automata. In: Di Benedetto, M.D., Sangiovanni-Vincentelli, A.L. (eds.) HSCC 2001. LNCS, vol. 2034, pp. 147–161. Springer, Heidelberg (2001) 5. Larsen, K.G., Behrmann, G., Brinksma, E., Fehnker, A., Hune, T., Pettersson, P., Romijn, J.M.T.: As cheap as possible: Efficient cost-optimal reachability for priced timed automata. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 493–505. Springer, Heidelberg (2001) 6. Behrmann, G., Larsen, K.G., Rasmussen, J.I.: Optimal Scheduling using Priced Timed Automata. SIGMETRICS Performance Evaluation Review 32(4), 34–40 (2005) 7. Cassez, F., Larsen, K.G.: The impressive power of stopwatches. In: Palamidessi, C. (ed.) CONCUR 2000. LNCS, vol. 1877, pp. 138–152. Springer, Heidelberg (2000) 8. Bouyer, P.: Weighted Timed Automata: Model-Checking and Games. In: Proc. of MFPS 2006. ENTCS, vol. 158, pp. 3–17. Elsevier, Amsterdam (2006) 9. Bouyer, P.: From Qualitative to Quantitative Analysis of Timed Systems. M´emoire d’habilitation, Universit´e Paris 7 (2009) 10. Bouyer, P., Brihaye, T., Bruy`ere, V., Raskin, J.-F.: On the Optimal Reachability Problem of Weighted Timed Automata. Formal Methods in System Design 31(2), 135–175 (2007) 11. Larsen, K.G., Rasmussen, J.I.: Optimal Reachability for Multi-Priced Timed Automata. Theoretical Computer Science 390(2–3), 197–213 (2008) 12. Bouyer, P., Brinksma, E., Larsen, K.G.: Optimal Infinite Scheduling for MultiPriced Timed Automata. Formal Methods in System Design 32(1), 3–23 (2008) ˇ ans, K.: Algorithmic Problems in Analysis of Real Time System Specifications. 13. Cer¯ PhD thesis, University of Latvia (1992) 14. Henzinger, T., Kopke, P., Puri, A., Varaiya, P.: What’s Decidable about Hybrid Automata. Journal of Computer and System Sciences 57(1), 94–124 (1998) 15. Biere, A., Cimatti, A., Clarke, E.M., Strichman, O., Zhu, Y.: Bounded Model Checking. Advances in Computers 58, 118–149 (2003) 16. Panek, S., Stursberg, O., Engell, S.: Optimization of Timed Automata Models Using Mixed-Integer Programming. In: Larsen, K.G., Niebert, P. (eds.) FORMATS 2003. LNCS, vol. 2791, pp. 73–87. Springer, Heidelberg (2004) 17. Bouyer, P., Fahrenberg, U., Larsen, K.G., Markey, N., Srba, J.: Infinite runs in weighted timed automata with energy constraints. In: Cassez, F., Jard, C. (eds.) FORMATS 2008. LNCS, vol. 5215, pp. 33–47. Springer, Heidelberg (2008) 18. Chaochen, Z., Hoare, C.A.R., Ravn, A.P.: A Calculus of Durations. Information Processing Letters 40(5), 269–276 (1991) 19. Fr¨ anzle, M., Hansen, M.R.: Deciding an interval logic with accumulated durations. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 201–215. Springer, Heidelberg (2007)

Analyzing Real-Time Event-Driven Programs Pierre Ganty1,2 and Rupak Majumdar2 1

CS Department, University of California, Los Angeles, CA, USA {pganty,rupak}@cs.ucla.edu 2 IMDEA Software, Spain

Abstract. Embedded real-time systems are typically programmed in low-level languages which provide support for event-driven task processing and real-time interrupts. We show that the model checking problem for real-time event-driven Boolean programs for safety properties is undecidable. In contrast, the model checking problem is decidable for languages such as Giotto which statically limit the creation of tasks. This gives a technical reason (static analyzability) to prefer higher-level programming models for real-time programming, in addition to the usual readability and maintainability arguments.

1

Introduction

Real-time event-driven software is the basis of many safety-critical systems, ranging from automotive and avionics control units to large scale supervisory control and data acquisition (SCADA) systems. These systems are often programmed in low-level imperative programming languages which offer the programmer an access to a real-time clock and an interface for posting and executing tasks based on external or internal events. The basic programming model is as follows. The program is written as a set P of procedures called handlers that share a finite global state. In addition to core imperative language constructs, there is a statement future. The future statement takes a pair (p, t) (called an asynchronous call ) in argument, where p ∈ P is a handler, and t ≥ 0 is an integer time step. Intuitively, future (p, t) schedules, or posts, the task implemented by the handler p to be executed t time steps from now. The posted asynchronous calls are stored in a (timed) task buffer for later execution. Each element in the task buffer is a pair (p, t), where p is a handler, and t is the remaining number of time steps in the future when p should be executed. Each such call in the buffer is called a pending call. Execution of the program is controlled by the ticks of a logical clock. Each task is assumed to execute in logical zero time. Initially, the task buffer contains exactly one pending call: (main, 0). In each time step, a scheduler picks and removes an arbitrary pending call (p, 0) (if one exists) from the task buffer and executes the code p to completion, in logical zero time. Below we call this 

This research was sponsored by the NSF grants CCF-0546170, CCF-0702743, and CNS-0720881.

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 164–178, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Analyzing Real-Time Event-Driven Programs

165

operation a dispatch. The execution of a handler can cause new asynchronous calls to be posted to the task buffer (through the execution of future statements in the code). If there is no pending call of the form (p, 0) in the task buffer, time advances by one tick. This causes every (p, t) pair in the task buffer to be replaced by (p, t − 1), and the scheduler runs again. The future construct is a powerful mechanism to express event-driven and time-triggered actions in an embedded system, and this style of programming has been used to implement sophisticated real-time control systems such as autonomous helicopter flight control [7]. However, writing correct real-time eventdriven programs is hard, as the control flow of the program is obscured by the loose coupling between the handlers provided by future. Therefore, it would be useful to provide algorithmic tools to check for correctness properties of these programs. For non-real time event-driven programs, in which every asynchronous call is of the form future (p, 0) for some p ∈ P , checking safety and liveness properties is indeed decidable [12,8,3], essentially by reduction to Petri nets. In fact, the safety verification problem is decidable for more general models, such as event-driven programs where handlers can be recursive and in which handlers have priorities [2]. The decidability results are non-trivial as the programs are not finite-state: the task buffer as well as the call stack can grow unboundedly large in the course of the execution. We show in this paper that checking safety properties for real-time eventdriven programs is undecidable. We work in the simplified setting where (1) each future statement is either future (p, 0), scheduling the handler p to be executed in this time step, or future (p, 1), scheduling the handler p to be executed one time step from now and (2) we do not allow recursion. This simplified setting is powerful enough to show undecidability. Our undecidability proof for the safety checking problem uses a careful encoding of the execution of a 2-counter machine [10] as a real-time event-driven program. Intuitively, there are two handlers h1 and h2 for the two counters c1 and c2 , and the value of counter c1 (resp. c2 ) is maintained by the number of pending calls (h1 , 0) (resp. (h2 , 0)). Increment and decrement of counter ci can be respectively simulated by posting and dispatching (hi , 0) for i = 1, 2. The problem is in simulating zero tests. This is not possible in the non real-time case. The technical part of our proof is to use the ability to “postpone” tasks to the next time step to simulate zero tests. In order to simulate a zero test for ci , we guess the outcome of the test. If ci is guessed to be zero, then the state of the machine (its control location as well as the value of the other counter) is copied to the next time step (i.e., dispatching the pending call (hi , 0) posts (hi , 1)). However, if during this process, a pending call (hi , 0) is found, then the guess is incorrect, and the current branch of the simulation “dies” by setting an error bit. Additional book-keeping is performed to separate machine simulation steps from checking steps. Overall, the effect is that each run of the 2-counter machine can be simulated by a run of the real-time event-driven program (where in each time step, the program simulates machine instructions up to the next zero test

166

P. Ganty and R. Majumdar

guessed positive), and conversely, any run of the real-time event-driven program which does not set the error bit corresponds to a run of the 2-counter machine. While our result is negative, we consider a more positive interpretation. The E-machine was proposed in [6] as a low-level virtual machine with a clean logical model for real-time programming. It is intended as a target language for a realtime compiler, and direct programming at the E-machine level was discouraged. Instead, they proposed the use of higher-level languages such as Giotto [5] or xGiotto [4] to write code at the programmer level. (More recently, languages like Virgil [13] has been proposed with similar intent.) By restricting the ability to post tasks arbitrarily, these higher-level languages ensure that for any Giotto or xGiotto program, at any point of the execution, there is at most a bounded, statically determined, number of pending calls. In this case, just by finiteness of the state space, all verification problems are decidable. Our result can be interpreted as an argument for using higher-level programming languages: programs written in the higher-level languages can come with tool support for precise model checking, programs written in lower-level languages can not.

2

The Computational Models

We start with some preliminary definitions. Let Σ be a finite and non-empty set. A multiset M : Σ  → N over Σ is a function that maps each symbol of Σ to a natural value (N denotes the set of all natural numbers). Let us denote by M[Σ] the set of all multisets over Σ. Given two multisets M, M  ∈ M[Σ] we define M ⊕M  ∈ M[Σ] to be multiset such that ∀a ∈ Σ : (M ⊕ M  )(a) = M (a) + M  (a). We sometimes use the following notation for multisets M = q1 , (q2 )c , q3  (where c ∈ N) for the multiset M ∈ M[{q1 , q2 , q3 , q4 }] such that M (q1 ) = 1, M (q2 ) = c, M (q3 ) = 1, and M (q4 ) = 0. Also as for sets we use the symbol ∅ to denote an empty multiset. We now define a formal model for real-time event-driven programs. 2.1

Programming Model

We represent imperative programs using a generalization of control flow graphs [1], that includes special edges corresponding to asynchronous calls. Let P be a finite set of procedure names (or handler ) and X a finite set of Boolean variables. An asynchronous control flow graph (ACFG) Gp for a procedure p ∈ P is a pair (Vp , Ep ) where Vp is the set of control nodes of the procedure p, including a unique start node vps and a unique exit node vpe , and Ep is a set of directed edges between the control nodes Vp . The edges in Ep are partitioned as follows: – the operation edges corresponding to an assignment of variables in X, or a conditional predicate over X; – the post edges to a procedure q ∈ P labelled by a statement future (q, 0) or future (q, 1). A program G comprises a set of pairwise disjoint ACFGsGp for each procedure in p ∈ P . The control nodes of G are given by V  = p∈P Vp : the union

Analyzing Real-Time Event-Driven Programs

167

of the control nodes of the individual procedures. The edges of G are given by   E = p∈P Ep , the union of the edges of the individual procedures. A real-time asynchronous program, or RTAP for short, A = (P, X, G , main) consists of a set of procedure names P , a set of variables X, a program G , and an initial procedure main ∈ P that is not referenced by any post edge. Semantics. Fix a RTAP A = (P, X, G , main). A valuation is a mapping that associates a Boolean value to each variable in X. For each operation edge (v, v  ), we assume a binary update relation Up(v,v ) on valuations such that (d, d ) ∈ Up(v,v ) if d is the valuation obtained by executing the operation on edge (v, v  ). This is defined in the usual way (see, e.g., [11]) for assignments (which updates the valuation to the assigned variable) and conditionals (which ensures the conditional is true at d and d = d). We now define the abstract semantics of A. The abstract semantics of A is given by a transition system where each state ((v, d), M1 , M2 ) consists in: the abstract state (v, d) given by a control node v ∈ V  and a valuation d of X; and two multisets M1 , M2 ∈ M[P \ {main}] called the multisets of current and next pending calls that stores pending calls of the form (p, 0) and (p, 1), respectively. s The initial state is ((vmain , d0 ), ∅, ∅) in which the multisets of pending calls are s empty and the abstract state (vmain , d0 ) consists in the starting node of the main procedure together with an initial valuation of the program’s Boolean variables. The transitions are defined as follows. Internal operation. There is a transition from a state ((v, d), M1 , M2 ) to the state ((v  , d ), M1 , M2 ) if there is an operation edge (v, v  ) and (d, d ) ∈ Up(v,v ) . Asynchronous call. There is a transition from ((v, d), M1 , M2 ) to ((v  , d), M1 ⊕ q, M2 ) (resp. ((v  , d), M1 , M2 ⊕ q)) if there is a post edge (v, v  ) labeled future (q, 0) (resp. labeled future (q, 1)). There is a transition from e ((vmain , d), M1 ⊕ q, M2 ) to ((vqs , d), M1 , M2 ) which we refer to as a dispatch. e Also, there is a transition from ((vqe , d), M1 , M2 ) to ((vmain , d), M1 , M2 ) provided q ∈ P \ {main}. e Time transition. There is a transition from ((vmain , d), ∅, M2 ) to e ((vmain , d), M2 , ∅). e We now give some intuition about the control node vmain which plays a special role in the above semantics. If the current state is such that the control node e e is vmain (i.e., ((vmain , d), M1 , M2 ) for some multisets M1 , M2 and valuation d), then a pending call from M1 , if any, is dispatched. Otherwise, if M1 is empty, we go to the next time step (following a time transition). After firing the time e transition the multiset of current pending calls is now given by M2 . Thus vmain models a special “dispatch loop”. Our programming model and semantics is a generalization (with timed asynchronous calls) of the asynchronous programs studied in [12,8]. A run in the transition system of a RTAP is a finite path in the transition system that starts with the initial state. A state s is reachable in a RTAP if there exists a run whose last state is s.

168

P. Ganty and R. Majumdar

Abstract state reachability. Given a RTAP A = (P, X, G , main) and an abstract state (v, d) of A, the abstract state reachability problem asks if there exists two multisets M1 , M2 ∈ M[P \ {main}] such that the state ((v, d), M1 , M2 ) is reachable in A. If so we say the abstract state (v, d) is reachable in A. In this paper, we will show that abstract state reachability is undecidable. Our proof shows that if we can solve the above problem then we can solve the reachability problem for two counter machines, a Turing powerful model. The next section recalls the definition of two counter machines and the associated reachability problem. 2.2

Two Counter Machines

A 2-counter machine C (2CM for short), is a tuple {c1 , c2 }, L, Instr where: – c1 , c2 are counters taking values in N; – L = {l1 , . . . , lu } is a finite non-empty set of u locations; – Instr is a function that labels each location l ∈ L with an instruction that has one of the following forms: • l : cj := cj + 1; goto l where j ∈ {1, 2} and l ∈ L, this is called an increment, and we define TypeInst(l) = incj ; • l : cj := cj − 1; goto l where j ∈ {1, 2} and l ∈ L, this is called a decrement, and we define TypeInst(l) = decj ; • l : if cj = 0 then goto l else goto l where j ∈ {1, 2} and l , l ∈ L, this is called a zero-test, and we define TypeInst(l) = zerotestj ; Semantics. The instructions have their usual obvious semantics, in particular, decrement can only be done if the value of the counter is positive. A configuration of a 2CM {c1 , c2 }, L, Instr is a tuple loc, n1 , n2 where loc ∈ L is the value of the program counter and n1 , n2 ∈ N give the values of counters c1 and c2 , respectively. A computation γ of a 2CM {c1 , c2 }, L, Instr is a finite non-empty sequence of configurations loc 1 , n11 , n21 , loc 2 , n12 , n22 , . . . , loc r , n1r , n2r such that (i) “initialization”: loc 1 = l1 , n11 = 0, and n21 = 0, i.e., a computation starts in l1 and the two counters are set initially to 0; (ii) “consecution”: for each i ∈ {1, . . . , r − 1} we have that loc i+1 , n1i+1 , n2i+1 is the configuration obtained from loc i , n1i , n2i

by applying instruction Instr(loc i ). Control location reachability. Given a 2CM C = {c1 , c2 }, L, Instr and a control location l ∈ L, the control location reachability problem asks if there exists a computation γ whose last configuration is l, n1 , n2 for some n1 , n2 ∈ N. If so we say that control location l is reachable in C. Theorem 1 ([10]). The control location reachability problem for 2CM is undecidable.

Analyzing Real-Time Event-Driven Programs

169

global error, timer, Oc1, Oc2, c_1_eq_0, c_2_eq_0, cloc, dest; main() { error = false; timer = off; Oc1 = Oc2 = false; c_1_eq_0 = c_2_eq_0 = false; cloc = dest = l_1; future (timeron,0); } Fig. 1. main(), and Boolean variables declaration

3

The Reduction

We are given an instance of the control location reachability problem: a 2CM C = {c1 , c2 }, L, Instr and a control location lx ∈ L. We will show the abstract state reachability for real-time asynchronous programs is undecidable by encoding a 2CM as a real-time asynchronous program. In what follows, we use a C-like notation to represent RTAP for readability, and we also use variables that range over a finite set of values instead of only Booleans. Each piece of handler code can be converted to our formal model using standard compiler algorithms [1]. Precisely, we reduce the 2CM control location reachability to the following abstract state reachability on real-time asynchronous program. Let the RTAP e given by the code of Fig. 1–6, is there an abstract state (vmain , d) where d maps cloc to lx , error to false that is reachable? Also in the above reachable state, d maps Oc1, Oc2 c1 eq 0 and c2 eq 0 to false, and timer to on. The procedures. Besides main, which starts the simulation, the program has 5 procedures: c 1, c 2, machine, timeron, timeroff whose details are given below. c 1, c 2: implements operations on counters c 1 and c 2, respectively, as well as book-keeping to ensure the simulation is valid. The number of pending calls to each of these procedures reflects the value of the corresponding counter; machine: simulates the instructions of the counter machine. The following procedures implement book-keeping operations that ensure the simulation is valid. timeron: starts a time step for simulation; timeroff: terminates a time step, resetting all the “book-keeping” state, and spawns the next one by posting timeron for the next time step. The variables Oc1, Oc2: read Oc1 as “next c 1” (like in the LTL notation). This variable is such that if Oc1 is true, the next dispatch yields error is set to true unless this dispatch is c 1(); (same for Oc2)

170

P. Ganty and R. Majumdar

c1 eq 0, c2 eq 0: c1 eq 0 is set to true whenever a zerotest1 has been simulated and the if branch has been followed (that should happen whenever there are no pending call to c 1()) (same for c2 eq 0); error: is set to true whenever the simulation is unfaithful. Once set, error remains set forever. This forces every subsequent reachable state to be such that error valuates to true; timer: it is supposed to be switched from off to on at the beginning of a time step and from on to off at the end of a time step. A faithful simulation of the machine occurs while timer is on, and any attempt to simulate the machine while timer is off results in error being set; cloc: points to the current location of the 2CM; dest: is used in some cases to store a location of the 2CM such that if the 2CM is faithfully simulated cloc will be assigned to that location. Let us now get more intuition on the behavior of the RTAP given at Fig. 1– 6 by studying a possible execution that is graphically depicted at Fig. 2 and discussed below. The diagram gives, for the first time step, the sequence of procedures that are executed in a valid simulation (the double arrows above the dashed and dotted line) and for each of those the calls it posts (the dots underneath each running procedure). The program starts with the execution of main. It will initialize the variables and post a call to timeron. So the multiset of current pending calls is timeron. Now timeron gets dispatched and posts a call to machine and timeroff (yielding machine, timeroff). Then comes the dispatch of machine which performs the actual simulation of the 2CM. First instruction increments counter 1. The dispatch of machine posts a call to c 1 (to simulate the actual increment) and repost itself to continue the simulation (machine, timeroff, c 1). Second instruction is an increment to c 2 which is simulated by the dispatch of machine as given above (machine, timeroff, c 1, c 2). The dispatch of c 2 does not modify the state of the RTAP. To do so the dispatch of c 2 posts one call to c 2. The next instruction is a decrement of counter 1. The dispatch of machine will set Oc1 to true (timeroff, c 1, c 2). If the next dispatch is not c 1 the variable error is set; otherwise the dispatch of c 1 simulates the actual decrement. It also posts machine to resume the simulation (timeroff, c 2, machine). Now follows a dispatch to c 2 that does not modify the state of the RTAP as described above. dispatch

future ( ,0) future ( ,1)

main

timeron machine machine c 2 inc 1 inc 2

machine c 1 c 2 dec 1

c2 timeron timeroff c 1 machine machine machine c 2

machine c2

machine c 2

timeroff

zerotest 1/if

c2 time end of time step 0

start of time step 0

Fig. 2. An execution of the RTAP

Analyzing Real-Time Event-Driven Programs

171

timeron () { if error == true || timer == on || (Oc1||Oc2) == true { error = true; return; } timer = on; future (timeroff,0); future (machine,0); } Fig. 3. timeron() timeroff () { if error == true || timer == off || (Oc1||Oc2) == true { error = true; return; } future (timeron,1); timer=off; c_1_eq_0=c_2_eq_0=false; } Fig. 4. timeroff()

The fourth instruction is a zerotest1 . Since counter one equals 0 (we incremented and decremented it starting from value 0) the zero test should follow the then branch. Doing so in the RTAP, the dispatch of machine will set the variable c1 eq 0 to true (timeroff, c 2). Hence, the dispatch of c 2 will post a call to c 2 in the next time step. So we have timeroff and c 2 for the current and next pending calls, respectively. The dispatch of timeroff will post timeron in the next time step. Now a time transition takes place. The pending calls in the new time step are now given by c 2, timeron.

4

The Proof of Correctness

First, we start with a series of facts about the program given at Fig. 1–6. 1. error is initialized to false by main(), if it is ever set to true, its value never changes back to false. Whenever error is set to true, the dispatch of c 1(), c 2(), machine(), timeron(), timeroff() does not modify the current valuation and does not post any further call. 2. every current pending call will be dispatched before moving to the next time step (i.e., before taking a time transition). This fact holds by semantics of real-time asynchronous programs.

172

P. Ganty and R. Majumdar

c_i () { if error == true || timer == off || Ocj == true || c_i_eq_0 == true { error=true; return; } if Oci == true { Oci = false; if typeinst(cloc) != dec_i future (c_i,0); cloc=dest; future (machine,0); } else if c_j_eq_0 == true future (c_i,1); else future (c_i,0); } Fig. 5. c 1() and c 2() where i ∈ {1, 2} and j = (3 − i) machine() { if error == true || timer == off || (Oc1||Oc2) == true { error=true; return; } switch(typeinst(cloc)) { case inc_i: // instr(cloc) is c_i:=c_i+1 goto l’ future (c_i,0); cloc=l’; future (machine,0); break; case zerotest_i: // instr(cloc) is if c_i=0 then goto l’ else goto l’’ if (*) { // non deterministic choice c_i_eq_0=true; cloc=l’; } else { Oci=true; dest=l’’; } break; case dec_i: // inst(cloc) is c_i:=c_i-1 goto l’ Oci=true; dest=l’; break; } }

Fig. 6. machine()

Analyzing Real-Time Event-Driven Programs

173

3. timer is modified by timeron() and timeroff() only and is initialized by main() to off. 4. only timeroff() can switch c1 eq 0 or c2 eq 0 from true to false and only machine() can switch c1 eq 0 or c2 eq 0 from false to true. 5. in a time step there is at most one post to timeron() and timeroff(). Proof. main(), which is executed only once, posts one call to timeron() in the same time step. When timeron() is executed, it posts at most one call to timeroff() in same time step, which whenever executed, posts at most one call to timeron() in the next time step. Also we have that only main() and timeroff() post timeron(), only timeron() posts timeroff().  6. in step i > 0 if the first dispatch is not timeron() or the last dispatch is not timeroff() then error is set to true in i. The exception is time step 0, in which main() is followed by timeron at the beginning. Proof. (1) In every time step i > 0, if the first dispatch is different from timeron() then error is set to true. This is so because the value of timer is off by Fact 3, main() and induction hypothesis (the last dispatch of step i − 1 is timeroff()) and the first line of c 1(), c 2(), machine(), timeroff() which set error to true when timer is off. (2) In every time step i, if the last dispatch (before the time transition) is different from timeroff() then error is set to true. This is so because, after executing timeroff(), the value of timer is off and by the first line of c 1(), c 2(), machine(), timeroff() we find that error is set to true. For the case of timeron(), we find that it cannot run after timeroff() in the same time step because we have shown above in (1) that the first dispatch of every step is timeron() for otherwise error is set to true.  7. the number of pending calls to machine(), at any point in time, is at most one. Proof. machine() is posted once by timeron(), by itself, c 1() or c 2(). Fact 5 shows that timeron() posts at most one call to machine(). c 1() (resp. c 2()) posts machine() whenever Oc1 (resp. Oc2) is true. Whenever Oc1 and Oc2 are set to true by the dispatch of machine(), it also posts no call to machine().  8. if Oc1 (resp. Oc2) is true, the next dispatch sets error to true unless this dispatch is c 1() (resp. c 2()). Proof. it follows from the conditional of the first line of timeron(), timeroff(), c 2() (resp. c 1()) and machine().  4.1

Proof

The 2CM reaches the state (lx , n1 , n2 ) iff the associated RTAP A reaches a state e ((vmain , d), M1 , M2 ) where d maps cloc to lx , error to false, and M1 , M2 are such that:

174

P. Ganty and R. Majumdar

– M1 (machine) = 1, we are “between” the simulation of two instructions of 2CM, – M1 (c 1) = n1 , M1 (c 2) = n2 , we want counters to coincide with n1 , n2 . In our proof, we will consider each instruction in turn and show how the RTAP simulates it. We will also show that if the RTAP does not faithfully simulate the 2CM then it will set error to true. Initialization: let l1 , 0, 0 be the initial state of the 2CM and let e ((vmain , d), M1 , M2 ) be the state of the RTAP after the execution of main() followed by timeron(). Fact 6 shows that if the first dispatch immediately after executing main() is different from timeron() then error is set to true. So the above state is such that M1 = machine, timeroff, M2 = ∅ and d maps error, timer, Oc1, Oc2, c1 eq 0, c2 eq 0, cloc to false, on, false, false, false, false and l1 , respectively. e Consecution: let lx , n1 , n2 be a state of the 2CM and ((vmain , d), M1 , M2 ) a n1 state of the RTAP where M1 = machine, timeroff, (c 1) , (c 2)n2 , M2 = ∅ and d maps error, timer, Oc1, Oc2, c1 eq 0, c2 eq 0, cloc to false, on, false, false, false, false and lx , respectively. This relationship will serve as our induction hypothesis. Fact 6 says that if the dispatch of machine() or c 1() or c 2() occurs after the dispatch of timeroff() then error is set to true. Since error, timer, Oc1, Oc2, c1 eq 0, c2 eq 0 valuate to false, on, false, false, false, false, respectively, we find that the dispatch of c 1() or c 2() leaves the state unchanged. As we will see below, the update of the current state is given by the dispatch of machine(). So, in the explanations below, machine() is assumed to be the dispatch to take place. The rest of the proof naturally falls into three parts according to the instruction at lx : •TypeInst(lx ) = inc1 and is of the form lx : c1 := c1 + 1; goto l . In that case the state of the 2CM is updated to l , n1 + 1, n2 . In the RTAP, the execution of machine() goes as follows: the conditional of first line fails and the piece of e code for the inc1 case is executed. The state is updated to ((vmain , d), M1 , M2 ) n1 +1 n2 where M1 = machine, timeroff, (c 1) , (c 2)  (machine() posted c 1() and itself), M2 = ∅ and d maps error, timer, Oc1, Oc2, c1 eq 0, c2 eq 0, cloc to false, on, false, false, false, false and l (because cloc is updated), respectively. (the same holds for inc2 ) •TypeInst(lx ) = dec1 and is of the form lx : c1 := c1 −1; goto l . First, we assume that n1 > 0. In that case, the state of the 2CM will be updated to l , n1 − 1, n2 . In the RTAP, the execution of machine() goes as follows: the conditional of the first line fails and the piece of code for the dec1 case is executed. The valuation is updated such that Oc1 is set to true and dest is set to l . A dispatch now takes place. Fact 8 shows that any dispatch but c 1() yields error to be set to true. We conclude from n1 > 0, that M1 (c 1) > 0, hence that there is a pending call e to c 1(). So the dispatch of c 1() updates the state to ((vmain , d), M1 , M2 ) where n1 −1 n2 M1 = machine, timeroff, (c 1) , (c 2)  (machine() has been posted during the dispatch of c 1()), M2 = ∅ and d maps error, timer, Oc1, Oc2, c1 eq 0, c2 eq 0, cloc to false, on, false, false, false, false and l (because cloc has been

Analyzing Real-Time Event-Driven Programs

175

assigned to dest that has been updated to l during the dispatch of machine()), respectively. Let us now assume that n1 = 0. In that case the instruction is not enabled and the 2CM is “stuck” in the state lx , n1 , n2 . In the RTAP, the execution of machine() will set Oc1 to true. Fact 8 shows that any dispatch but c 1() yields error to be set to true which will happen since n1 = 0, hence M1 (c 1) = 0 (there is no pending call to c 1()). (the same holds for dec2 ) •TypeInst(lx ) = zerotest1 and is of the form lx : c1 = 0 then goto l else goto l . We consider two cases: n1 = 0 and n1 = 0. If n1 = 0 then the 2CM updates its state to l , n1 , n2 . In the RTAP, the execution of machine() goes as follows: the conditional of the first line fails and the piece of code for the zerotest1 case is executed. – the then branch is taken. (this is a faithful simulation). The dispatch of machine() sets c1 eq 0 to true and sets cloc to l . We show that a time transition will eventually take place. We conclude from n1 = 0, that M1 (c 1) = 0, hence, at this point, the state of e the RTAP is of the form ((vmain , d), M1 , M2 ) where M1 = timeroff, (c 2)n2  and d maps error, timer, Oc1, Oc2, c1 eq 0, c2 eq 0, cloc to false, on, false, true, false, false and l (because cloc has been assigned to l and c1 eq 0 has been set to true during the dispatch of machine()). By Fact 6 we find that each pending call to c 2(), if any, should be dispatched before timeroff() for otherwise error is set to true. The valuation d given above shows the dispatch of a pending call to c 2 yields the statement future(c 2, 1) to be executed. Eventually, whenever the multiset of current pending calls is timeroff then the dispatch of timeroff() occurs and it resets the c1 eq 0 to false. A time transition now takes place since the multiset of current pending calls is empty. As seen in Fact 6, the first dispatch immediately after the time transition should be timeron() which post machine() and updates e the state to ((vmain , d), M1 , M2 ) where M1 = machine, timeroff, (c 2)n2  (machine() is reposted by timeron() and M1 (c 1) = n1 = 0 because no c 1() has been copied to the new time step, M1 (c 2) = n2 because each call has been copied from the previous step); M2 = ∅ (because of the time transition) and d maps error, timer, Oc1, Oc2, c1 eq 0, c2 eq 0, cloc to false, on, false, false, false, false and l (because cloc has been assigned to l ), respectively. – the else branch is taken. (this is an unfaithful simulation) We conclude from n1 = 0, that M1 (c 1) = 0, hence that there is no pending call to c 1(). The dispatch of machine() sets Oc1 to true and sets dest to l . The next dispatch to occur cannot be c 1() (because there is none to dispatch) and so error is set to true by Fact 8. If n1 = 0 then the 2CM updates its state to l , n1 , n2 . In the RTAP, the execution of machine() goes as follows: the conditional of the first line fails and the piece of code for the zerotest1 case is executed.

176

P. Ganty and R. Majumdar

– the then branch is taken. (this is an unfaithful simulation) The dispatch of machine() sets c1 eq 0 to true and sets cloc to l . Fact 4 shows that the only procedure that can change the value of c1 eq 0 is timeroff() and Fact 6 shows it yields an error if timeroff() is not dispatched last in the current time step. We conclude from n1 = 0, that M1 (c 1) = 0, hence that there is a pending call to c 1(). Its dispatch yields error to be set to true because the valuation at the time of dispatch is such that c1 eq 0 is true. – the else branch is taken. (this is a faithful simulation). We conclude from n1 = 0, that M1 (c 1) = 0, hence that there is a pending call to c 1(). The dispatch of machine() sets Oc1 to true and sets dest to l . Fact 8 shows that if the next dispatch to occur is not c 1() then error is set to e true. The dispatch of c 1() updates the state to ((vmain , d), M1 , M2 ) where n1 n2 M1 = machine, timeroff, (c 1) , (c 2)  (machine() and c 1() are posted in c 1()); M2 = ∅ and d maps error, timer, Oc1, Oc2, c1 eq 0, c2 eq 0, cloc to false, on, false, false, false, false and l (because cloc has been assigned to dest that has been updated to l during the dispatch of machine()), respectively. Our simulation is based on a guess the outcome of the test. Above, the dispatch of c 1() is required to validate the guess was correct. Otherwise error is set to true. (the same holds for zerotest2 ) Notice that the “temporary” location dest is required to hold the next location in cases that require validation through running of c 1 or c 2. This concludes the simulation of the 2CM by the RTAP. Theorem 2. The abstract state reachability for RTAP is undecidable. As an immediate consequence of the above encoding we also find that the boundedness checking problem that asks, given a RTAP, if there exists a finite value that bounds the size of the multisets of pending calls at every point in time is undecidable. It also naturally follows that liveness properties are undecidable for this model. Corollary 1. The boundedness and the liveness checking problem for RTAP are undecidable.

5

Discussion

In the standard “untimed” model for event-driven systems [12,8], timers are abstracted away. This can lead to false alarms in the analysis, as we demonstrate through the example at Fig. 7. The procedure timeout (present in event-driven programming APIs such as libevent [9]) has the following intended semantics: if a particular event occurs before the timer reaches the timeout value (given by the last parameter) then the handler given by the first argument is executed, otherwise if the event does not occur and the timer reaches the timeout value, the handler given by the second argument is posted. The procedures untimed_timeout and

Analyzing Real-Time Event-Driven Programs global b; main() { b=0; timeout(h1,h2,1); timeout(h1,h3,2); } h1() {} h2() { assert(b==0); } h3() { b=1; }

177

untimed_timeout(task h, task h’, int ts) { if(*) future(h,0); else future(h’,0); } timed_timeout(task h, task h’, int ts) { if (*) choose i in {0,...,ts-1} future(h,i); else future(h’,ts); }

Fig. 7. The assertion does not fail if timed timeout implements timeout but can fail if untimed timeout implements timeout

timed_timeout give implementations of timeout in the untimed and timed settings, respectively. We abstract the occurence of the event by a non-deterministic choice (* in the conditional). For this program, there is no assertion violation when timed timeout implements timeout, because there is no execution in which h2 is executed after h3. However, this timing behavior is lost in the implementation untimed timeout, where the scheduler could dispatch h2 before h3 and the assertion can fail. Unfortunately, Theorem 2 shows that safety verification is undecidable if we assign timing constraints to posted calls. Acknowledgments. We thank Tom Henzinger for suggesting this problem.

References 1. Aho, A., Sethi, R., Ullman, J.: Compilers: Principles, Techniques, and Tools. Addison-Wesley, Reading (1986) 2. Atig, M.F., Bouajjani, A., Touili, T.: Analyzing asynchronous programs with preemption. In: FSTTCS 2008: Proc. 28th Int. Conf. on Fondation of Software Technology and Theoretical Computer Science (2008) 3. Ganty, P., Majumdar, R., Rybalchenko, A.: Verifying liveness for asynchronous programs. In: POPL 2009: Proc. 36th ACM SIGACT-SIGPLAN Symp. on Principles of Programming Languages, pp. 102–113. ACM Press, New York (2009) 4. Ghosal, A., Henzinger, T.A., Kirsch, C.M., Sanvido, M.A.A.: Event-driven programming with logical execution times. In: Alur, R., Pappas, G.J. (eds.) HSCC 2004. LNCS, vol. 2993, pp. 357–371. Springer, Heidelberg (2004) 5. Henzinger, T.A., Horowitz, B., Kirsch, C.M.: Giotto: A time-triggered language for embedded programming. In: Henzinger, T.A., Kirsch, C.M. (eds.) EMSOFT 2001. LNCS, vol. 2211, pp. 166–184. Springer, Heidelberg (2001) 6. Henzinger, T.A., Kirsch, C.M.: The embedded machine: predictable, portable realtime code. In: PLDI 2002: Proc. 23rd Conf. on Programming Language Design and Implementation, pp. 315–326. ACM Press, New York (2002)

178

P. Ganty and R. Majumdar

7. Henzinger, T.A., Kirsch, C.M., Majumdar, R., Matic, S.: Time safety checking for embedded programs. In: Sangiovanni-Vincentelli, A.L., Sifakis, J. (eds.) EMSOFT 2002. LNCS, vol. 2491, pp. 76–92. Springer, Heidelberg (2002) 8. Jhala, R., Majumdar, R.: Interprocedural analysis of asynchronous programs. In: POPL 2007: Proc. 34th ACM SIGACT-SIGPLAN Symp. on Principles of Programming Languages, pp. 339–350. ACM Press, New York (2007) 9. Libevent, http://www.monkey.org/~ provos/libevent/ 10. Minsky, M.: Finite and Infinite Machines. Prentice-Hall, Englewood Cliffs (1967) 11. Mitchell, J.: Foundations for Programming Languages. MIT Press, Cambridge (1996) 12. Sen, K., Viswanathan, M.: Model checking multithreaded programs with asynchronous atomic methods. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 300–314. Springer, Heidelberg (2006) 13. Titzer, B.L.: Virgil: objects on the head of a pin. In: OOPSLA 2006: Proc. 21st ACM-SIGPLAN conference on Object-oriented programming systems, languages, and applications, pp. 191–208. ACM Press, New York (2006)

A Compositional Translation of Timed Automata with Deadlines to Uppaal Timed Automata Rodolfo G´ omez University of Kent, Computing Laboratory, CT2 7NF, Canterbury, Kent, United Kingdom {[email protected]}

Abstract. Timed Automata with Deadlines (TAD) are a form of timed automata that admit a more natural representation of urgent actions, with the additional advantage of avoiding the most common form of timelocks. We offer a compositional translation of a practically useful subset of TAD to timed safety automata (the well-known variant of timed automata where time progress conditions are expressed by invariants). More precisely, we translate networks of TAD to the modeling language of Uppaal, a state-of-the-art verification tool for timed automata. We also describe an implementation of this translation, which allows Uppaal to aid the design and analysis of TAD models. Keywords: Urgent actions, Timed Automata with Deadlines, Uppaal.

1

Introduction

Timed automata (TA) [1] (in particular, timed safety automata [2]) are widely used as a formal language to model real-time systems. They strike a good balance between expressiveness and tractability, and are supported by many verification tools (e.g., Kronos [3] and Uppaal [4]). In this paper, we focus on the representation of urgent actions, i.e., those whose execution cannot be delayed beyond a certain time bound. In TA models of real-time systems, urgent actions are represented indirectly by annotating automata locations with invariants. Invariants are clock constraints that typically impose upper bounds on the delays allowed in a particular location. Hence, when no further delay is allowed, enabled actions (i.e., those which may be executed) become urgent and must be executed. One disadvantage of modeling urgency with invariants is that, the passage of time may be prevented even when no action is enabled at that point, giving rise to timelocks [5,6]. Timelocks are anomalous states where no further execution may pass time beyond a certain bound. In TA networks (i.e., collections of concurrent, asynchronous TA), components synchronize implicitly on the passage 

This research has been supported by the UK Engineering and Physical Sciences Research Council under grant EP/D067197/1.

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 179–194, 2009. c Springer-Verlag Berlin Heidelberg 2009 

180

R. G´ omez

of time, i.e., all components must agree in the allowed delays. Hence, timelocks have a global halting effect on executions and may prevent the exploration of interesting (e.g., erroneous) behaviors. Thus, in general, timelocks make the verification of correctness properties unreliable. Another known limitation of invariants is the difficulty to express certain forms of urgent behavior, such as asap-synchronization and other forms of synchronization [7,8], and some forms of timeouts [9]. These limitations motivated the development of Timed Automata with Deadlines (TAD) [7,8,5], where deadlines replace invariants as time progress conditions. Deadlines are clock constraints associated with transitions in the automaton, which determine when the transition must be executed. Importantly, neither internal actions nor synchronization on observable actions are made urgent unless they can be executed (TAD are time-reactive [10]). Hence, TAD avoid the most common form of timelocks occurring in formal models of real-time systems, where neither actions nor delays may occur (time-actionlocks [5]). TAD also allow a natural and concise representation of different urgency conditions, including those for which invariants are not well suited. (Although, there are urgency conditions that can be expressed with invariants but not with deadlines, e.g., actions that must occur in strictly less than n time units.) Unfortunately, there is little tool support for the design and verification of TAD models (with the IF toolset being the notable exception [11]). This paper adds Uppaal [4] to the available tool support. Our contribution. We present (to our knowledge) the first compositional translation from TAD to TA. The translation is applicable to a practically useful subset of TAD, and generates behaviorally equivalent Uppaal TA networks with at most linear (and reasonably small) increase in size. We describe an implementation of this translation, which allows Uppaal to aid the design and automatic verification of TAD models. Thus, TAD modelers will benefit from Uppaal’s user-friendly GUI, rich modeling language, and efficient verification algorithms. Related Work. The IF toolset and Uppaal each offer different modeling and verification environments. For instance, the IF toolset [11] verifies requirements on TAD models that are expressed in the alternation free μ-calculus [12], or are expressed as observers (safety properties). Instead, our translation allows requirements to be expressed in the fragment of TCTL [2] that is supported in Uppaal, and safety properties may also be specified by test automata [13]. MoDeST [14] specifications also admit deadlines. However, as far as we know, there is no tool support for the verification of such specifications (the associated toolset, MOTOR [15], cannot perform exhaustive verification, and assumes maximal progress of actions). Interestingly, this paper may suggest a way to translate (a subset of) MoDeST to Uppaal TA networks. Bornot et al. [8] suggested a way to translate TAD to TA, but the translation is not compositional (it requires a product automaton construction) and assumes a non-standard semantics of invariants.

A Compositional Translation of Timed Automata with Deadlines

181

Barbuti and Tesei [16] proposed an extension of TA with urgent transitions, where a parameter  is used to define an interval of tolerance: urgent transitions cannot be delayed for more than  time units after they become enabled. This provides an interpretation of urgency in left-open intervals, but the right value for  must be determined by the user, depending on the case. Also, as  > 0 is required, the semantics of deadlines can only be approximated. A noncompositional translation to TA is given, based on the region automaton [1]. Uppaal provides urgent channels to model asap-synchronization without timing constraints. Unfortunately, this restriction limits the applicability of urgent channels, and their use may give rise to timelocks due to mismatched synchronization. Nonetheless, we shall see that urgent channels allows us to obtain a compositional translation. Paper Outline. Timed automata with deadlines are introduced in § 2. Timed automata, as supported in Uppaal, are described in § 3. The translation is formalized in § 4 (the associated tool is also described in this section). Conclusions are given in § 5.

2

Timed Automata with Deadlines

This section introduces a common form of Timed Automata with Deadlines [7], where transitions are classified either as lazy actions (non-urgent), eager actions (urgent as soon as they are enabled), or delayable actions (urgent on their upper bounds) [8]. Formally, we will define the model using eager and lazy actions as the only primitives; delayable actions will be derived from these (fig. 1 (right)). Preliminaries. Let CA = {a, b, . . .} and HA = {a?, a! | a ∈ CA} (we define complementary labels, s.t. a! = a? and a? = a!). Let D = {lazy, eager }. Let C be the set of clocks (a clock is variable in the non-negative reals, R+0 ). Let Φ be the set of clock constraints over C, s.t. φ ∈ Φ ::= true | x ∼ c | φ ∧ φ where x ∈ C, ∼ ∈ {<, >, =, ≤, ≥} and c ∈ N. A valuation is a mapping from C to R+0 . Let V be the set of valuations. Let |= denote the satisfiability of clock constraints over valuations. Let v ∈ V, δ ∈ R and r ⊆ C. The valuation v + δ ∈ V is defined s.t. (v + δ)(x) = v(x) + δ if v(x) + δ ≥ 0, and (v + δ)(x) = 0 otherwise, for all x ∈ C. The valuation r(v) ∈ V is defined s.t. r(v)(x) = 0 for all x ∈ r, and r(v)(x) = v(x) for all x ∈ / r. A timed transition system [17] is a tuple (S, s0 , Lab ∪ R+ , T ), where S is a set of states, s0 ∈ S is the initial state, Lab is a set of action labels and T ⊆ S × Lab ∪ R+ × S is a set of transitions. Action transitions are of the form (s, a, s ) ∈ T , a ∈ Lab. Delay transitions are of the form (s, δ, s ) ∈ T , δ ∈ R+ . Syntax and semantics. A timed automaton with deadlines (TAD) is a tuple A = (L, l0 , Lab, T, C), where L is a set of locations; l0 ∈ L is the initial location; Lab ⊆ CA ∪ HA is a set of labels; T ⊆ L × Φ × Lab × D × 2C × L is a set of transitions (edges) and C ∈ C is a set of clocks.

182

R. G´ omez

Given a transition t = (l, a, g, d, r, l ) ∈ T , l is the source location, a is the label; g is the guard; d is the deadline; r is the reset set and l is the target location (resp., src(t), lab(t), g(t), d(t), r(t) and tgt(t)). Transitions labeled with a ∈ CA (resp. a ∈ HA) will be referred to as completed actions (resp. half actions). Transitions with deadline lazy (resp. eager) will be referred to as lazy actions (resp. eager actions). A TAD network is a tuple |A = 1 , . . . , An , where Ai = (Li , li,0 , Lab i , Ti , Ci )  A n is a TAD (i : 1..n). Let C = i=1 Ci (we say that x ∈ C is a shared clock if x ∈ Ci ∪ Cj for some 1 ≤ i  = j ≤ n; otherwise x is a local clock ). The behavior of |A is given by the timed transition (S, s0 , Lab ∪R+ , T ), where  system  n n ¯ ¯ S ⊆ ( i=1 Li ) × V (states are denoted s = l, v , where l ∈ i=1 Li and v ∈ V); s0 = ¯l0 , v0 (s.t. ¯l0 = l1,0 , . . . , ln,0 , ∀ x ∈ C. v0 (x) = 0); Lab ⊆ CA and T is the smallest setof transitions that satisfies the following conditions. (We refer n to elements of i=1 Li as location vectors. We use ¯l[li /li ] to denote substitution of li for li in the location vector ¯l = l1 , . . . , ln .)      1. (completed actions) ¯l, v , a, ¯ l [li /li ], ri (v) ∈ T if (li , a, gi , di , ri , li ) ∈ Ti , a ∈ CA and v |= gi      2. (synchronization) ¯l, v , a, ¯ l [li /li ][lj /lj ], (ri ∪ rj )(v) ∈ T if (li , a!, gi , di , ri , li ) ∈ Ti , (lj , a?, gj , dj , rj , lj ) ∈ Tj and v |= gi ∧ gj (i  = j)     3. (delays) ¯ l, v , δ, ¯ l, v + δ ∈ T if δ ∈ R+ and for all δ  ∈ R+0 , δ  < δ: (1) (v + δ  )  g(t) for all t ∈ Ti (i : 1..n) s.t. lab(t) ∈ CA, src(t) = li and d(t) = eager ; and (2) (v + δ  )  g(ti ) ∧ g(tj ) for all ti ∈ Ti , tj ∈ Tj (i, j : 1..n, i  = j) s.t. lab(ti ) = lab(tj ), src(ti ) = li , src(tj ) = lj and d(ti ) = eager .   where ¯ l, v ∈ S and ¯l = l1 , . . . , ln . A run is a finite or countably infinite sequence of transitions in the timed transition system. We say that an action is enabled (in a given state) if its source location is in the current location vector, and its guard holds true in the current valuation. We use the term matching actions to refer to any pair of half actions, t and t¯, s.t. t and t¯ are in different components of the network and have complementary labels. We say that an action is executable (in a given state) if it is enabled and either is a completed action, or is a half action and there exists an enabled matching action. Matching actions must be executed simultaneously, and half actions cannot be executed autonomously. Time-reactivity. Time-reactivity [10] is a desirable property of timed transition systems. This property holds if, from any state, either time may pass or actions can be executed. The following syntactic restriction guarantees the time-reactivity of TAD networks: For any action t, if either d(t) = eager or there exists t¯ s.t. d(t¯) = eager , then g(t) must be left-closed.1 This restriction 1

A guard g is left-closed if the interval {δ ∈ R | (v + δ) |= g} is either left-closed or left-unbounded, for all v ∈ V. v |= g. For conjunctions of single-clock constraints, g is left-closed if x > c does not occur in g, for any x ∈ C and c ∈ N.

A Compositional Translation of Timed Automata with Deadlines

S0

c1 x:=0 S1

T0

c2

T1

a! x<=1 (eager)

S2

a? (lazy)

T2

S0

a! x<=1 (delayable) x:=0

S1

S0

a! x<1 (lazy) x:=0

183

S1

a! x==1 (eager) x:=0

Fig. 1. A TAD network (left). Delayable actions as eager/lazy actions (right).

guarantees that delays are prevented only when eager actions can be executed (see above the semantic rule for delays). We assume, in this paper, that TAD networks satisfy this requirement. Example. Figure 1 (left) shows a simple TAD network with two components, S and T, where x is a clock, c1 and c2 are completed actions, and a! and a? are half actions. The eager action a! must be executed in S1 asap, but not later than v(x) = 1. This means that a! will wait for a? to be offered, at which point delays will be prevented and synchronization will occur. However, if a? is offered too late (or not at all), the network will forever remain in S1 and a deadlock will occur, but delays will never be prevented. Figure 1 (right) shows how combinations of eager and lazy actions may be used to represent more complex urgency conditions. For instance, so-called delayable actions [8] are considered urgent only when they reach their upper bounds (their guards are assumed to be right-closed). In the figure, delayable action a! (on the left), with guard x<=1 is represented by one lazy action with guard x<1 and one eager action with guard x==1 (on the right).

3

Timed Automata in Uppaal

Uppaal is a well-known model-checker for TA, with a rich modeling language and efficient verification algorithms [4]. We describe below the subset of the language that suffices to represent TAD networks. Urgent and committed locations prevent delays as soon as they are entered. In addition, whenever a committed location is entered, action interleaving is restricted to those components that are currently in committed locations. Automata synchronize on channels. Binary channels model binary and blocking synchronization (as in TAD § 2). Broadcast channels model a kind of asymmetric one-to-many synchronization. If b is a broadcast channel, a transition labeled with b! will be executed simultaneously with all transitions labeled with b? (at most one transition in each component of the network). However, the output transition (b!) may also be executed autonomously if no matching input transitions (b?) can be executed. Urgent channels model asap synchronization, i.e., synchronization on urgent channels cannot be delayed. Urgent channels may be either binary or broadcast. Uppaal disallows clock constraints in transitions

184

R. G´ omez

on urgent channels, and in input transitions on broadcast channels. (Transitions on urgent and broadcast channels are referred to as urgent transitions and broadcast transitions, resp.). Preliminaries. Unless stated otherwise, we will use the notation and definitions introduced in § 2. Let Ch = {a, b, . . .} be a set of channels. SL = {a?, a! | a ∈ Ch} is the set of synchronization labels over Ch (a! = a? and a? = a!). Synchronizing transitions will be labeled with a?, a! ∈ SL and internal transitions will be labeled with τ . Ch bin , Ch brd , Ch urg ⊆ Ch resp. denote binary, broadcast and urgent channels. Syntax and semantics. A timed automaton (TA) is a tuple A = (L, l0 , Lab, T, I, C), where L is the set of locations; l0 ∈ L is the initial location; Lab ⊆ SL ∪ {τ } is the set of labels; T ⊆ L × Lab × Φ × 2C × L is the set of transitions; I : L → Φ is the invariant function; and C ⊆ C is the set of clocks in the automaton. Given t = (l, a, g, r, l ) ∈ T , l is the source location, a is the label; g is the guard; r is the reset set and l is the target location (resp., src(t), lab(t), g(t), r(t) and tgt(t)). We use Lu , Lc ⊆ L to denote the subsets of urgent and committed locations in L (resp.). We assume that invariants are either true or conjunctions of upper bounds (i.e., conjunctions of simple constraints of the form x ∼ c, where x ∈ C, ∼ ∈ {<, ≤}, and c ∈ N). By convention, I(l) = true for all l ∈ Lu ∪ Lc . A TA network is a tuple,|A = A1 , . . . , An , where Ai = (Li , li,0 , Lab i , Ti , Ii , Ci ) n is a TA (i : 1..n). Let C = i=1 Ci (as in TAD networks, we admit shared clocks). + The behaviorof |A is given by the  timed  transition system (S, s0 , Lab ∪ R , T ), n where S ⊆ ( i=1 Li ) × V; s0 = ¯l0 , v0 ; Lab ⊆ {τ } ∪ CA and T nis the smallest set of transitions that satisfies the following conditions. (I(¯l) = i=1 Ii (li ). Lu (¯l) and Lc (¯l) denote the sets of locations in ¯l. Given a set of  urgent and committed  indices J, we define gJ = j∈J gj , rJ = j∈J rj , and we use ¯l[lJ /lJ ] to denote substitution of lj for lj in ¯ l, for each j ∈ J.)      1. (internal transition) ¯l, v , τ, ¯ l [li/li ], ri (v) ∈ T if  (li , τ, gi , ri , li ) ∈ Ti , v |= gi , ri (v) |= I ¯l [li /li ] , and Lc (¯l)  = ∅ ⇒ li ∈ Lc (¯l)      2. (broadcast output) ¯ l, v , a, ¯l [li /li ], ri (v) ∈ T if    (li , a!, gi , ri , li ) ∈ Ti , a ∈ Ch brd , v |= gi , ri (v) |= I ¯l [li /li ] , Lc (¯l)  = ∅ ⇒ li ∈ Lc (¯l) and there is no (lj , a?, gj , rj , lj ) ∈ Tj (i  = j) s.t.   v |= gj and (rj ∪ ri )(v) |= I ¯l [li /li ][lj /lj ]      3. (binary sync.) ¯l, v , a, ¯ l [li /li ][lj /lj ], (ri ∪ rj )(v) ∈ T if (li , a!, gi , ri , li ) ∈ Ti , (lj , a?, gj , rj , lj ) ∈ Tj , a ∈ Ch bin , v |= gi ∧ gj ,   (rj ∪ ri )(v) |= I ¯l [li /li ][lj /lj ] and Lc (¯l)  = ∅ ⇒ {li , lj } ∩ Lc (¯l)  =∅       ¯ ¯ 4. (broadcast sync.) l, v , a, l [li /li ][lJ /lJ ], (ri ∪ rJ )(v) ∈ T iff (li , a!, gi , ri , li ) ∈ Ti , a ∈ Ch brd , and J is the maximal set of indices s.t.

A Compositional Translation of Timed Automata with Deadlines

S0

x:=0 S1

a!

UB

tau! S2

T0

T1

185

a? T2

x<=1

Fig. 2. Urgent channels

J ⊆ [1..n] \ {i}, (lj , a?, gj , rj , lj ) ∈ Tj for all j ∈ J, v |= gi ∧ gJ ,    (ri ∪ rJ ) (v) |= I ¯ l [li /li ][lJ /lJ ] and Lc (¯l)  = ∅ ⇒ ∃ k ∈ J ∪ {i}. lk ∈ Lc (¯l)     5. (delays) ¯ l, v , δ, ¯ l, v + δ ∈ T if δ ∈ R+ , (v + δ) |= I(¯l), Lu (¯l) ∪ Lc (¯l) = ∅, and for all δ  ∈ R+0 , δ  < δ: (1) (v + δ  )  g(t) for all t ∈ Ti (i : 1..n) s.t. lab(t) = b!, b ∈ Ch urg ∩ Ch brd and src(t) = li ; and (2) (v + δ  )  g(ti ) ∧ g(tj ) for all ti ∈ Ti , tj ∈ Tj (i, j : 1..n, i  = j) s.t. lab(ti ) = u!, lab(tj ) = u?, u ∈ Ch urg ∩Ch bin , src(ti ) = li and src(tj ) = lj .   where ¯ l, v ∈ S and ¯l = l1 , . . . , ln . A run is a finite or countably infinite sequence of transitions in the timed transition system. Delays must satisfy all component invariants, and will be prevented in urgent and committed locations, and in states where urgent transitions are enabled (either output transitions on urgent broadcast channels or matching transitions on urgent binary channels). Note that, Uppaal adopts strong invariants: transitions that would otherwise invalidate the invariant of the target state cannot be executed (i.e., states with invalid invariants are unreachable).2 Urgent actions in Uppaal. These can be modeled with invariants, urgent or committed locations, or urgent channels. The latter are the safest primitives, because delays are not prevented unless synchronization is enabled (although, not necessarily executable). However, clock constraints are disallowed in urgent transitions, and timelocks may occur due to mismatched synchronization. By way of example, fig. 2 shows a simple TA network with two components, S and T, where a is an urgent channel, tau is an urgent broadcast channel and x is a clock.3 This TA network attempts to recreate the behavior of the TAD network of fig. 1 (left). The semantics of urgent channels ensure that a! and a? will synchronize asap, but no later than v(x) = 1. This upper bound is expressed by the invariant x<=1 in the auxiliary location UB (relying on Uppaal’s strong invariant semantics). By semantics of urgent broadcast channels, the auxiliary tau! transition is executed as soon as UB is entered (there is no need for a matching tau?-transition). However, a timelock occurs if a? is offered when v(x) > 1; both a! and a? will be simultaneously enabled, but synchronization cannot occur because executing a! would invalidate the invariant in UB. 2 3

In contrast, states with weak invariants are reachable (but delays are prevented) [8]. We omit trivial invariants (true) and τ labels (internal transitions).

186

4

R. G´ omez

Translating TAD Networks to Uppaal TA Networks

In this section, we define the compositional translation of a class of TAD networks to Uppaal TA networks. The class of TAD networks is defined by the following syntactic conditions. 1. Eager actions do not share labels with lazy actions. This simplifies the presentation but does not sacrifice generality, as any TAD network can be brought into this form by a syntactic transformation (this transformation is explained in detail in the full paper [18]). 2. Outgoing transitions in the same location are guarded on the same clock (or are trivially enabled). Different clocks, and diagonal clock constraints, can be dealt with at the expense of more complex translations (see [18]). 3. If a clock x occurs in a lower bound of an eager action in component P , then no other component Q may reset x. Also, if a clock x is reset by an upper-bounded eager action in component P , then x cannot occur in lower bounds of transitions in any other component Q. This restriction is necessary to guarantee the soundness of our translation (see [18]). We believe that, the restrictions enumerated above do not compromise the practical applicability of our translation. The first restriction can be enforced on more general TAD networks by a preprocessing step (in fact, our tool implements such preprocessing § 4.4). Also, in practice (and judging from examples in the literature of timed automata verification) the second and third restrictions are satisfied by (or may be naturally enforced on) a large class of models. 4.1

The Translation in Examples

The translation represents lazy completed actions (in the TAD network) by internal transitions (in the resulting TA network); lazy half actions by transitions on regular channels; eager completed actions by output transitions on urgent broadcast channels; and eager half actions by transitions on urgent channels. Auxiliary locations and transitions will be added to ensure that urgent transitions are enabled only when the corresponding eager actions are enabled. The simplest case, which is illustrated by fig. 3, corresponds to locations where all eager actions are continuously enabled (c1 and c2 are completed actions).4 More interesting is the translation of eager actions with lower and upper bounds, illustrated by fig. 4. Auxiliary locations are introduced to “wait” until the current valuation reaches the action’s lower bound. Then, an equivalent urgent transition is offered. We will refer to such auxiliary locations as lb-locations. For instance, LB1 and LB2 in the TA on the left, guarantee that a! is enabled only when v(x) ≥ 1. 4

The translation uses tau!-transitions to model urgent internal transitions in Uppaal, where tau is a distinguished urgent broadcast channel that does not occur as an action label in the TAD network.

A Compositional Translation of Timed Automata with Deadlines c1 x>0 (lazy)

Q0

R0

Q1

a? x>=1 && x<3 (lazy) R1 x:=0

S0

T0

c2 (eager) y:=0

b! (eager)

S1

T1

Q0

x>0

187

Q1

a? x>=1 && x<3 R1 x:=0

R0

tau! y:=0

S0

T0

S1

T1

b!

where chan a; urgent chan b; urgent broadcast chan tau;

Fig. 3. Translating lazy actions and unbounded eager actions (left: TAD, right: TA) a! x>=1 (eager) R1 x:=0

R0

S0

b! y<=1 (eager) S1 y:=0

c! 1<=z && z<2 (eager) T1 z:=0

T0

R0 x<1

T0 x>=1 x==1

LB2

a! x:=0 R1

S0

b!

tau! UB1 y:=0

LB1 x<=1

y>1 E1

y<=1

z>=1

z<1 S1 LB1

z==1

z<=1

LB2

c!

z>=2

tau! UB1 z:=0 T1 z<2

E1

where urgent chan a,b,c; urgent broadcast chan tau; Fig. 4. Translating bounded eager actions (top: TAD, bottom: TA)

In order to disable urgent transitions after the upper bound is reached, auxiliary locations are introduced as intermediate targets with the upper bounds as invariants. We will refer to such auxiliary locations as ub-locations. For instance, UB1, in the TA in the middle, prevents b! from being executed when v(y) > 1. Upper bounds in eager actions also prompt the generation of escape locations (e-locations, for short). These auxiliary locations are added to disable an urgent transition after its upper bound has been reached, thus avoiding possible timelocks (fig.2). For instance, E1 avoids the timelocks that would occur in S0 if v(y) > 1 and a b?-transition were enabled at that point. Figure 4 (right) shows the translation of eager actions with both lower and upper bounds, which requires (as expected) the use of lb- and ub-locations. Committed locations are used when there are outgoing eager actions with lower bounds, and the source location may be entered with a valuation that satisfies the lower bound. For instance, if R0 is entered when v(x) < 1, the automaton must delay in LB1 until a! can be offered; on the other hand, if R0 is entered when v(x) ≥ 1, the automaton must offer a! immediately at LB2.

188

R. G´ omez x>=3 S0 x<1

a! x>=1 && x<2 (eager) x:=0 S1

LB1 x<=1

b! x>=3 (eager) S0

c! x<2

S2 c! x<2 (lazy)

1<=x && x<3 LB2 x<=3 x==1

S3

S3

x==3

LB3

x>=2 x==3

c! x<2

a! UB1 x<2

tau! x:=0

S1

E1 x<=3

b!

S2

where urgent chan a,b,c; urgent broadcast chan tau; Fig. 5. Translating multiple outgoing actions (left: TAD, right: TA)

Figure 5 shows a more involved example, where there are many outgoing transitions in the same location. The lower bounds of eager actions a! and b! are accounted for by lb-locations LB1 to LB3. The intermediate auxiliary transitions allow the TA to pass time, enabling and disabling actions depending on the current valuation. For instance, the purpose of the e-location E1 is to disable a!, but it must allow the TA to offer b! eventually (hence, the TA may not remain in E1 beyond v(x) = 3). Also, the overlap between the guards of c! and a! is reflected in the TA by offering c! from all lb-locations where it could be enabled (LB1 and LB2). In general, transitions that represent TAD actions have to be offered from all lb-locations and e-locations where they could be enabled. Note that, figs. 4 and 5 show that TAD models can be more concise than behaviorally equivalent TA models. 4.2

The Translation, Formally

Let |A = A1 , . . . , An be a TAD network with lazy and eager actions. We define a compositional translation T , s.t. |B = B1 , . . . , Bn , where Bi = T (Ai ) for all i : 1..n, is an Uppaal TA network whose behavior is equivalent to |A. Preliminaries.|A = A1 , . . . , An ,where Ai = (LA,i , lA,i,0 , Lab A,i , TA,i , CA,i ) n n (i : 1..n). T = i=1 TA,i and L = i=1 LA,i. Tea and Tla are the sets of eager lb ub and lazy actions in |A (resp.). Tea , Tea ⊆ Tea refer to lower-bounded and upperlb ub bounded eager actions. Given l ∈ L, we use T (l), Tea (l), Tla (l), Tea (l) and Tea (l) to restrict the previous sets to the outgoing transitions in l, and we use xl to denote the clock that guards all outgoing transitions in l. Given t ∈ T , we assume g(t) = x ∈ G, with G = [lb, ub) or G = [lb, ub] for eager actions, and G = (lb, ub), G = [lb, ub) or G = [lb, ub] for lazy actions (lb ∈ N, ub ∈ N ∪ {∞}). We use g l (t) = lb and g u (t) = ub to denote lower and upper bounds of t; and x ∈ g(t) to denote that clock x occurs in g(t). We say that t has an upper bound (<, g u (t)) if G = g l (t), g u (t) , g u (t) ∈ N (resp.

A Compositional Translation of Timed Automata with Deadlines

189



(≤, g u (t)) if G = g l (t), g u (t) , g u (t) ∈ N). Given an upper bound u, we define the interval ι(u) s.t. ι(u) = [0, ub) if u = (<, ub) and ι(u) = [0, ub] if u = (≤, ub). We will use the following functions on sets of upper bounds. min(U ) = u ∈ U s.t. ∀ u ∈ U. u ⊆ u next(u, U ) = u ∈ U s.t. u ⊂ u and  u ∈ U. u ⊂ u ⊂ u TA transitions for eager and lazy actions. Action labels in half actions are represented in |B by channels with the same name: labels in lazy actions with non-urgent channels and labels in eager actions with urgent channels. Lazy completed actions are represented by internal transitions. Eager completed actions are represented by tau!-transitions, where tau is a distinguished urgent broadcast channel that does not occur as a label in |A. Let tj = (l, aj , gj , dj , rj , l ) ∈ T (j : 1..|T |), and loc be a location in |B. We define upp(tj , loc) to be the set of TA transitions that represent tj , when offered from loc. ⎧ if tj ∈ Tla ⎨ { (loc, syncj , gj , rj , l ) } ub if tj ∈ Tea \ Tea upp(tj , loc)= { (loc, syncj , true, rj , l ) } ⎩ j j  ub { (loc, syncj , true, ∅, lub), (lub , tau!, true, rj , l ) } if tj ∈ Tea where syncj = tau! if tj is an eager completed action, syncj = τ if tj is a lazy completed action and syncj = aj otherwise. Auxiliary locations and transitions. For any l ∈ L, the lower bounds of eager actions in l partition the reachable valuations of xl in l into intervals: Γ (l) = { [0, lb1), [lb1 , lb2 ), . . . , [lbm , ∞) } lb where (1) lbk < lbk+1 for all k : 1..(m− 1); (2) ∀ k : 1..m. ∃ t ∈ Tea (l). g l (t) = lbk ; lb l and (3) ∀ t ∈ Tea (l). ∃ k : 1..m. g (t) = lbk . Let ιk denote the k-th interval in the sequence, [lbk−1 , lbk ) for k : 1..(m+1) (by convention, lb0 = 0 and lbm+1 = ∞). For any such interval ι, Toffer (l, ι) ⊆ T (l) is the set of transitions in l that are enabled in ι.

Toffer (l, ι) = { t ∈ T (l) | g(t) = xl ∈ G, G ∩ ι  = ∅} ub ub Let Toffer (l, ι) ⊆ Toffer (l, ι) ∩ Tea (l) be the subset of eager actions offered during ι, which have an upper bound in ι. ub ub Toffer (l, ι) = { t ∈ Toffer (l, ι) ∩ Tea (l) | g u (t) ∈ ι } ub Let UB (l, ι) denote the set of all different upper bounds of actions in Toffer (l, ι). Locations in |A will be represented in |B by committed locations with the lb same name (unless Tea (l) = ∅). In addition, for each interval ιk , k : 1..|Γ (l)|, the translation will generate the following auxiliary locations.

190

R. G´ omez

k 1. one lb-location, llb ; j ub 2. one ub-location, lub (for each tj ∈ Tea (l), j : 1..|T |); and k,u 3. one e-location, lesc (for each u ∈ UB (l, ιk )).

The translation will also generate the following auxiliary transitions. 1. 2. 3. 4. 5.

from from from from from

k l to llb , k+1 k llb to llb , k k,u llb to lesc (for u = min(UB (l, ιk ))), k,u k,u lesc to lesc (for u = next(u, UB(l, ιk ))); and k+1 k,u lesc to llb (for each u ∈ UB(l, ιk )).

Finally, from every lb-location and e-location (and from the initial source location, if this is not a committed location), the translation will generate equivalent TA transitions to map the eager and lazy actions that may be enabled in the associated intervals (using the function upp()). Translating components. For each TAD Ai = (LA,i , lA,i,0 , Lab A,i , TA,i , CA,i ) (i : 1..n), the translation generates the TA Bi , which is defined as follows. Bi = T (Ai ) = (LB,i , lB,i,0 , Lab B,i , TB,i , IB,i , CB,i ) where: esc ub – LB,i = LA,i ∪ Llb A,i ∪ LA,i ∪ LA,i , where k Llb A,i = { llb | l ∈ LA,i , k : 1..|Γ (l)| } esc k,u LA,i = { lesc | l ∈ LA,i , k : 1..|Γ (l)|, ιk ∈ Γ (l), u ∈ UB(l, ιk ) } j ub ub LA,i = { lub | l ∈ LA,i, j : 1..|T |, tj ∈ Tea (l) } lb – LuB,i = ∅, LcB,i = {l ∈ LA,i | Tea (l)  = ∅} – lB,i,0 = lA,i,0 – Lab B,i is the smallest set of labels that satisfies the following conditions.

a ∈ Lab B,i ∩ (Ch bin \ Ch urg ) u ∈ Lab B,i ∩ Ch bin ∩ Ch urg tau ∈ Lab B,i ∩ Ch brd ∩ Ch urg τ ∈ Lab B,i

if if if if

∃ t ∈ Tla ∩ HA. lab(t) = a ∃ t ∈ Tea ∩ HA. lab(t) = u Tea ∩ CA  =∅ Tla ∩ CA  =∅

– CB,i = CA,i – IB,i is the invariant function, which is defined as follows. IB,i (l) = true k IB,i (llb ) = xl ≤ lbk k,u k IB,i (lesc ) = IB,i (llb ) j u IB,i (lub ) = xj < gj j IB,i (lub ) = xj ≤ gju

if if if if if

l ∈ LA,i \ LcB,i l ∈ LA,i , k : 1..|Γ (l)|, l ∈ LA,i , k : 1..|Γ (l)|, l ∈ LA,i , j : 1..|T |, gj l ∈ LA,i , j : 1..|T |, gj

[lbk−1 , lbk ) ∈ Γ (l) ιk ∈ Γ (l), u ∈ UB(l, ιk ) = [gjl , gju ), gju ∈ N = [gjl , gju ], gju ∈ N

A Compositional Translation of Timed Automata with Deadlines

191

– TB,i is the smallest set of transitions that satisfies the following conditions. k (l, τ, xl ∈ ιk , ∅, llb ) ∈ TB,i k+1 k (llb , τ, xl = lbk , ∅, llb ) ∈ TB,i k k,u (llb , τ, xl ∈ ιk \ ι(u), ∅, lesc ) ∈ TB,i 

k,u k,u (lesc , τ, xl ∈ ιk \ ι(u), ∅, lesc ) ∈ TB,i

k+1 k,u (lesc , τ, xl = lbk , ∅, llb ) ∈ TB,i k upp(t, llb ) ⊆ TB,i k,u upp(t, lesc ) ⊆ TB,i

upp(t, l) ⊆ TB,i

if l ∈ LA,i , k : 1..|Γ (l)| if l ∈ LA,i , k : 1..(|Γ (l)| − 1) if l ∈ LA,i , k : 1..|Γ (l)|, ιk ∈ Γ (l), u = min(UB (l, ιk )) if l ∈ LA,i , k : 1..|Γ (l)|, ιk ∈ Γ (l), u ∈ UB(l, ιk ), u = next(u, UB(l, ιk )) if l ∈ LA,i , (k : 1..|Γ (l)| − 1), ιk ∈ Γ (l), u ∈ UB(l, ιk ) if l ∈ LA,i , k : 1..|Γ (l)|, ιk ∈ Γ (l), t ∈ Toffer (l, ιk ) if l ∈ LA,i , k : 1..|Γ (l)|, ιk ∈ Γ (l), u ∈ UB(l, ιk ), t ∈ Toffer (l, ιk ), g(t) = xl ∈ G, G ∩ (ιk \ ι(u))  =∅ lb if l ∈ LA,i , t ∈ T (l), Tea (l) = ∅

The following theorems state the correctness and complexity of the translation (detailed proofs can be found in the full paper [18]). Theorem 1. (Bisimulation) Let |A be a TAD network and |B = T (|A) the resulting TA network. There exists a strongly timed bisimulation [19] between |A and |B, which abstracts over auxiliary TA transitions. Theorem 2. (Linear complexity) Let |A be a TAD network and |B = T (|A) the resulting TA network. The size of |B is proportional to the size of |A. 4.3

Verification

Correctness properties on the TAD network can be expressed as queries written in Uppaal’s requirement language [4] (a subset of TCTL [2]). Equivalent properties on the TA network are obtained by substitution of equivalent locations in the original query. This is defined as follows. Let |A = A1 , . . . , An be a TAD network and |B = B1 , . . . , Bn the resulting TA network. Substitution of equivalent locations is given by the function θ, 5  θ(Ai .l) = ( { Bi .l } ∪ k { Bi .llb | k : 0..|Γ (l)| } ∪ k,u { Bi .lesc | k : 1..|Γ (l)|, u ∈ UB(l, ιk ) } ∪ { Bi .loc jub | (loc jub , tau!, true, rj , l) ∈ TB,i , loc ∈ LA,i , j : 1..|T | }) Theorem 3. Let |A be a TAD network and |B = T (|A) the resulting TA network. For any formula F in Uppaal’s requirement language, the following holds. |A |= F iff |B |= F [θ(Ai .l)/Ai .l]Ai .l∈F 5

The state formula Ai .l holds whenever Ai is currently in location l.

192

R. G´ omez

Proof. Follows from strong timed-bisimulation between |A and |B, and preservation of TCTL properties by strong-timed bisimulation [20].   For instance, the property on the TAD network of Fig. 5, is action b! eventually enabled?, can be expressed as F = ∃3 (S0 ∧ x ≥ 3). The equivalent property on the TA network is then F  = ∃3 ((S0 ∨ LB1 ∨ LB2 ∨ LB3 ∨ E1) ∧ x ≥ 3). 4.4

The TAD2TA Tool

We implemented a tool that receives a TAD network and generates the equivalent TA network, which can be displayed, simulated and verified in Uppaal. TAD networks themselves can be built using Uppaal’s GUI and most of its modeling facilities (e.g., parameterized templates and data variables). Correctness properties can be expressed in Uppaal’s requirements language, which the tool then translates to equivalent formulae in terms of the TA network (§ 4.3). Diagnostic traces are presented in terms of the TA network, and the tool generates mappings to identify the original locations and transitions in the TAD network (the integration with Uppaal’s simulator is subject of ongoing work). We tested the tool on a number of TAD models, which we constructed from TA models of academic examples (e.g., Fisher’s mutex protocol and the train-gate problem) and case studies such as [9,3,21,22,23,24]. In general, we obtained TAD models that were conceptually simpler than the originals (with the guarantee of being time-reactive by construction). In same cases, the TAD models were also more faithful to the system (e.g., the behavior of some timeouts constructs, which could only be approximated in the TA model of [9], was represented exactly in the TAD model). On the other hand, the design of TA models may benefit from features of Uppaal that are not supported by our translation. For instance, TAD models cannot easily express the interleaving semantics of committed locations, and our translation disallows variables in clock constraints. Table 1. Translation of TAD models to Uppaal TA networks. |L| (|L |) and |T | (|T  |) denote the number of locations and transitions in the input (output) model (resp.). TAD model gbox tad.xml bocdpFIXED tad.xml csmacd kronos tad.xml fischer tad.xml lipsync tad.xml train-gate-410 tad.xml zeroconffull2007 tad.xml 2doors tad.xml bmp tad.xml windcar tad.xml WSN tad.xml interrupt tad.xml bridge tad.xml

(|L|, |T |) (65, 84) (70, 130) (9, 18) (4, 5) (50, 53) (10, 13) (14, 25) (8, 11) (19, 30) (7, 9) (16, 19) (8, 10) (8, 9)

(|L |, |T  |) (78,102) (126, 189) (27, 46) (4, 5) (82, 97) (15, 21) (37, 66) (11, 16) (27, 51) (7, 9) (18, 26) (8, 10) (8, 11)

(|L |/|L|, |T  |/|T |) (1.20, 1.21) (1.8, 1.45) (3, 2.56) (1, 1) (1.64, 1.83) (1.5, 1.62) (2.64, 2.75) (1.38, 1.45) (1.42, 1.7) (1, 1) (1.13, 1.37) (1, 1) (1, 1.22)

A Compositional Translation of Timed Automata with Deadlines

193

Table 1 compares the size of the TAD models with that of the generated Uppaal TA networks (translation times were negligible). The tool implements a number of optimizations that avoid the generation of redundant auxiliary locations and transitions (e.g., eager actions in location l, which are guarded on clock x, admit simpler translations if x is reset whenever l is entered). In addition, graph layout algorithms were implemented to help the visualization of generated TA networks. More details on the tool’s architecture, its input language, and the models listed in Table 1, can be found in the tool’s website.6

5

Conclusions

We presented a compositional translation of TAD networks to Uppaal TA networks. The generated TA networks are strongly timed-bisimilar to the TAD networks and exhibit a worst-case linear increase in size. We described an implementation that allows Uppaal to aid the design and verification of TAD networks. Compositionality was achieved thanks to the asap-synchronization semantics of Uppaal’s urgent channels. In addition, the strong invariant interpretation adopted in Uppaal proved necessary to faithfully express urgent actions with upper bounds. Asap-synchronization can also be obtained over non-urgent channels, although not as concisely (e.g., urgent channels can be expressed by non-urgent channels with the addition of shared Boolean variables and conditional invariants). Nonetheless, at least in principle, similar compositional translations could be obtained for other model-checkers for TA. Acknowledgements. We are grateful to Howard Bowman, John H˚ akansson, Frits Vaandrager and members of his research group at Radboud University Nijmegen, and Kim Larsen and members of his research group at Aalborg University, for fruitful discussions on this work. We also thank the reviewers, for their helpful comments.

References 1. Alur, R., Dill, D.: A theory of timed automata. Theoretical Computer Science 126, 183–235 (1994) 2. Henzinger, T., Nicollin, X., Sifakis, J., Yovine, S.: Symbolic model checking for real-time systems. Information and Computation 111(2), 193–244 (1994) 3. Yovine, S.: Kronos: A verification tool for real-time systems. International Journal of Software Tools for Technology Transfer 1(1-2), 123–133 (1997) 4. Behrmann, G., David, A., Larsen, K.G.: A tutorial on Uppaal. In: Bernardo, M., Corradini, F. (eds.) SFM-RT 2004. LNCS, vol. 3185, pp. 200–236. Springer, Heidelberg (2004) 5. Bowman, H.: Time and action lock freedom properties for timed automata. In: Proceedings of FORTE 2001, pp. 119–134. Kluwer Academic Publishers, Dordrecht (2001) 6

http://www.cs.kent.ac.uk/people/staff/rsg5/TAD2TAtool/TAD2TAwpage.htm

194

R. G´ omez

6. Bowman, H., Gomez, R.: How to stop time stopping. Formal Aspects of Computing 18(4), 459–493 (2006) 7. Sifakis, J., Yovine, S.: Compositional specification of timed systems. In: Puech, C., Reischuk, R. (eds.) STACS 1996. LNCS, vol. 1046, pp. 347–359. Springer, Heidelberg (1996) 8. Bornot, S., Sifakis, J., Tripakis, S.: Modeling urgency in timed systems. In: de Roever, W.-P., Langmaack, H., Pnueli, A. (eds.) COMPOS 1997. LNCS, vol. 1536, pp. 103–129. Springer, Heidelberg (1998) 9. Bowman, H., Faconti, G., Katoen, J.P., Latella, D., Massink, M.: Automatic verification of a lip synchronization protocol using uppaal. Formal Aspects of Computing 10(5-6), 550–575 (1998) 10. Bornot, S., Sifakis, J.: On the composition of hybrid systems. In: Henzinger, T.A., Sastry, S.S. (eds.) HSCC 1998. LNCS, vol. 1386, pp. 49–63. Springer, Heidelberg (1998) 11. Bozga, M., Graf, S., Ober, I., Ober, I., Sifakis, J.: The IF toolset. In: Bernardo, M., Corradini, F. (eds.) SFM-RT 2004. LNCS, vol. 3185, pp. 237–267. Springer, Heidelberg (2004) 12. Kozen, D.: Results on the propositional mu-calculus. Theoretical Computer Science 27, 333–354 (1983) 13. Aceto, L., Bouyer, P., Burgue˜ no, A., Larsen, K.: The power of reachability testing for timed automata. Theoretical Computer Science 1-3(300), 411–475 (2003) 14. D’Argenio, P.R., Hermanns, H., Katoen, J.-P., Klaren, R.: MoDeST - a modelling and description language for stochastic timed systems. In: de Luca, L., Gilmore, S. (eds.) PROBMIV 2001, PAPM-PROBMIV 2001, and PAPM 2001. LNCS, vol. 2165, pp. 87–104. Springer, Heidelberg (2001) 15. Bohnenkamp, H.C., Hermanns, H., Katoen, J.-P.: MOTOR: The MODEST tool environment. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 500–504. Springer, Heidelberg (2007) 16. Barbuti, R., Tesei, L.: Timed automata with urgent transitions. Acta Informatica 40(5) (March 2004) 17. Moller, F., Tofts, C.: A temporal calculus of communicating systems. In: Baeten, J.C.M., Klop, J.W. (eds.) CONCUR 1990. LNCS, vol. 458, pp. 401–415. Springer, Heidelberg (1990) 18. Gomez, R.: Verification of Timed Automata with Deadlines in Uppaal. TR 2-082008, Computing Laboratory, University of Kent (2008) 19. Bowman, H., Gomez, R.: Concurrency Theory, Calculi and Automata for Modelling Untimed and Timed Concurrent Systems. Springer, Heidelberg (2006) 20. Tripakis, S., Yovine, S.: The analysis of timed systems using time-abstracting bisimulations. Formal Methods in System Design 18(1), 25–68 (2001) 21. Gebremichael, B., Vaandrager, F., Zhang, M.: Analysis of the zeroconf protocol using Uppaal. In: EMSOFT 2006, pp. 242–251. ACM Press, New York (2006) 22. Vaandrager, F., de Groot, A.: Analysis of a biphase mark protocol with Uppaal and PVS. Formal Aspects of Computing 18(4), 433–458 (2006) 23. Lindahl, M., Pettersson, P., Yi, W.: Formal design and analysis of a gearbox controller. Software Tools for Technology Transfer (STTT) 3(3), 353–368 (2001) 24. Havelund, K., Skou, A., Larsen, K.G., Lund, K.: Formal modeling and analysis of an audio/video protocol: an industrial case study using Uppaal. In: IEEE RealTime Systems Symposium, RTSS 1997, pp. 2–13. IEEE Computer Society, Los Alamitos (1997)

Compositional Abstraction for Stochastic Systems Joost-Pieter Katoen1,2 , Daniel Klink1 , and Martin R. Neuh¨ außer1,2 1 2

RWTH Aachen University, Germany University of Twente, The Netherlands

Abstract. We propose to exploit three-valued abstraction to stochastic systems in a compositional way. This combines the strengths of an aggressive state-based abstraction technique with compositional modeling. Applying this principle to interactive Markov chains yields abstract models that combine interval Markov chains and modal transition systems in a natural and orthogonal way. We prove the correctness of our technique for parallel and symmetric composition and show that it yields lower bounds for minimal and upper bounds for maximal timed reachability probabilities.

1

Introduction

To overcome the absence of hierarchical, compositional facilities in performance modeling, several efforts have been undertaken to integrate performance aspects, most notably probability distributions, into compositional modeling formalisms. Resulting formalisms are, among others, extensions of the Petri box calculus [27], Statecharts [3], and process algebras [17,13]. To bridge the gap towards classical performance and dependability analysis, compositional formalisms for continuous-time Markov chains (CTMCs) have received quite some attention. Nowadays, these formalisms are also used intensively in, e.g., the area of systems biology [4]. An elegant and prominent semantic model in this context are interactive Markov chains [12,14]. They extend CTMCs with nondeterminism, or viewed differently, enrich labeled transition systems with exponential sojourn times in a fully orthogonal and simple manner. They naturally support the specification of phase-type distributions, i.e., sojourn times that are non-exponential, and facilitate the compositional integration of random timing constraints in purely functional models [14]. In addition, bisimulation quotienting can be done in a compositional fashion reducing the peak memory consumption during minimization. This has been applied to several examples yielding substantial state-space reductions, and allowing the analysis of CTMCs that could not be analyzed without compositional quotienting [14,9,10]. 

The research has been funded by the DFG Research Training Group 1298 (AlgoSyn), the NWO project QUPES (612.000.420) and the EU FP7 project Quasimodo.

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 195–211, 2009. c Springer-Verlag Berlin Heidelberg 2009 

196

J.-P. Katoen, D. Klink, and M.R. Neuh¨ außer

This paper goes an important step further by proposing a framework to perform more aggressive abstraction of interactive Markov chains (IMCs) in a compositional manner. We consider state-based abstraction that allows to represent any (disjoint) group of concrete states by a single abstract state. This flexible abstraction mechanism generalizes bisimulation minimization (where “only” bisimilar states are grouped) and yields an overapproximation of the IMC under consideration. This abstraction is a natural mixture of abstraction of labeled transition systems by modal transition systems [26,25] and abstraction of probabilities by intervals [8,21]. Abstraction is shown to preserve simulation, that is to say, abstract models simulate concrete ones. Here, simulation is a simple combination of refinement of modal transition systems [25] and probabilistic simulation [20]. It is shown that abstraction yields lower bounds for minimal and upper bounds for maximal timed reachability probabilities. Compositional aggregation is facilitated by the fact that simulation is a precongruence with respect to TCSP-like parallel composition and symmetric composition [15] on our abstract model. Accordingly, components can be abstracted prior to composing them. As this abstraction is coarser than bisimulation, a significantly larger state-space reduction may be achieved and peak memory consumption is reduced. This becomes even more advantageous when components that differ only marginally are abstracted by the same abstract model. In this case, the symmetric composition of these abstract components may yield huge reductions compared to the parallel composition of the slightly differing concrete ones. A small example shows this effect, and shows that the obtained bounds for timed reachability probabilities are rather exact. Several abstraction techniques for (discrete) probabilistic models have been developed so far. However, compositional ones that go beyond bisimulation are rare. Notable exceptions are Segala’s work on simulation preorders for probabilistic automata [28] and language-level abstraction for PRISM [23]. Note that compositional abstractions have been proposed in other settings such as traditional model checking [29,30] and for timed automata [2]. Compositional analysis techniques for probabilistic systems have been investigated in [6,31]. Alternative abstraction techniques have, e.g., been studied in [7,5,24]. Outline. Section 2 gives some necessary background. In section 3 and 4, AIMCs are introduced for which we investigate parallel and symmetric composition in section 5. Section 6 shows how to consistently abstract components. In section 7 we focus on the computation of time-bounded reachability probabilities.

2

Preliminaries

  Let  X be a finite set. For Y, Y ⊆ X and function f : X × X → R let f (Y, Y ) = y∈Y,y  ∈Y  f (y, y ) (for singleton sets, brackets may be omitted). Function f (x, ·) is given by x  → f (x, x ) for all x ∈ X; further, by f [y  → x] we denote the function that agrees with f except at y ∈ X where it equals x. Function f is a  distribution on X iff f : X → [0, 1] and f (X) = x∈X f (x) = 1. The support of a distribution f is supp(f ) = {x ∈ X | f (x) > 0} and the set of all distributions on X is denoted by distr (X). Let B2 = {⊥, } be the two-valued truth domain.

Compositional Abstraction for Stochastic Systems

197

Interactive Markov chains, a formalism for compositional modeling systems embracing nondeterministic and stochastic behavior, have been thoroughly investigated in [12]. They can be seen as an extension of transition systems with exponentially distributed delays and probabilism. We consider a restricted form, where all delays are exponentially distributed with the same exit rate. These uniform IMCs have been successfully adopted for the performability analysis of Statemate models [11] by specifying random time constraints as CTMCs that are composed with the functional behavior as in [14]. As CTMCs can simply be transformed into weakly bisimilar uniform ones, uniform IMCs result. Definition 1 (Uniform IMC). A uniform interactive Markov chain (IMC) is a tuple (S, A, L, P, λ, s0 ) where S is a non-empty finite set of states with initial state s0 ∈ S, A = Ae ∪· Ai is a non-empty finite set of external and internal actions, L : S × A × S → B2 is a two-valued labeled transition relation, P : S × S → [0, 1] is a transition probability function such that for all s ∈ S it holds P(s, S) = 1, – λ ∈ R+ is a uniform exit rate. – – – –

A Markovian transition leads from state s to state s (denoted s  s ) iff P(s, s ) > 0; intuitively, if s  s , the probability to take this transition equals P(s, s ) whereas the residence time in state s is exponentially distributed with rate λ. We require P(s, S) = 1 to exclude deadlock states; this can easily be achieved by adding Markovian self-loops to states without Markovian transitions. Similarly, an interactive transition leads from s to s via action a (denoted a s− → s ) iff L(s, a, s ) = . External actions a ∈ Ae allow synchronization with the environment whereas internal actions τ ∈ Ai happen instantaneously and autonomously. The maximal progress assumption [12] states that whenever internal transitions exist in the current state, the system nondeterministically moves along one of these transitions ignoring all other Markovian and external transitions. This ensures that internal actions cannot be delayed.

va lu e

1 1 Example 1. As a running example, we consider the 3 1 s1 value s2 2 1 3 IMC model of a worker, depicted in Fig. 1, where 10 1 4 s4 vdone λ = 10. The work cycle starts in s0 where the qual3 1 4 s0 ity of a piece of raw material has to be determined. s2 2 One out of ten pieces is flawed and cannot be used pdone s5 9 to craft a premium product. In that case (s1 ) the 1 10  s1 prem s3 2 1 worker will only be able to make a value product, 1 which may take several work steps. If the raw material is flawless, the worker decides Fig. 1. An IMC for value or premium. For a premium product (s3 ), everything has to be done smoothly in the first attempt, however, if the result is not perfect, with some corrections, a value product will be made. If the worker decides for value (s2 ), chances that no corrections are necessary are better than for the case that the raw material was flawed.

198

J.-P. Katoen, D. Klink, and M.R. Neuh¨ außer

We call an IMC closed if all actions are internal. On the one hand, closing a system by turning external actions to internal ones prevents any further interaction, on the other hand it allows for quantitative analysis [18].

3

Abstract Interactive Markov Chains

In this paper, we aim at abstracting an IMC by collapsing disjoint sets of concrete states into single abstract ones. In contrast to bisimulation quotienting where bisimilar states are grouped, here groups of states can (in principle) be chosen arbitrarily. In fact, we abstract an IMC along two lines: We use mustand may-transitions as introduced for modal transition systems [26] to abstract from differences in the states’ available nondeterministic choices. Further, instead of only considering fixed transition probabilities, we follow the approach taken in interval Markov chains [8,21] and allow to specify intervals of transition probabilities. The combination of these two ingredients yields: Definition 2 (Abstract IMC). An abstract IMC is a tuple (S, A, L, Pl , Pu , λ, s0 ) where S, A, λ and s0 are as before, and – L : S × A × S → B3 is a three-valued labeled transition relation, and – Pl , Pu : S × S → [0, 1] are transition probability bound functions such that Pl (s, S) ≤ 1 ≤ Pu (s, S) for all s ∈ S. Here B3 := {⊥, ?, } is the complete lattice with the usual ordering ⊥ < ? <  and meet ( ) and join () operations. The labeling L(s, a, s ) identifies the transition “type”:  indicates must-transitions, ? may-transitions, and ⊥ the absence of a transition. Note that any IMC is an AIMC without may-transitions for which Pl = Pu = P. Further, any interval Markov chain is an AIMC without must- and may-transitions. The requirement Pl (s, S) ≤ 1 ≤ Pu (s, S) ensures that in every state s, a distribution μ over successor states can be chosen such that Pl (s, s ) ≤ μ(s ) ≤ Pu (s, s ) for all s ∈ S. This can be achieved by equipping such states with a Markovian [1, 1] self-loop, without altering the model’s behavior: if state s has an outgoing internal interactive transition, the maximal progress assumption guarantees that it still takes priority; otherwise, the self-loop neither alters its synchronization capabilities nor its sojourn time. Example 2. Figure 2 (middle) depicts an example abstract model (AIMC) of a worker, similar to the one in Fig. 2 (left). It abstracts from the difference 1 1 10

s1 value s2

vdone 1 2

s0

1 3

1 4

1 vdone value

s4 3 4

s2

u0

1

s5 va lu e

pdone 9 10

2 3

s1 prem s3

1 2

u1 1

pdone

[ 14 , 13 ] may prem

u2

τu0

u4 [ 23 , 34 ]

1 2

u3

τu 2

1 u0

1 2

1

1 u5

τu0

u1 1

[ 14 , 13 ] may τu3

u2

u4 [ 23 , 34 ]

1

1 2

u3

1 2

1 u5

1

1

Fig. 2. An open IMC (left), an open AIMC (middle) and its closed version (right)

Compositional Abstraction for Stochastic Systems

199

between the raw material quality represented by the states s1 and s1 in Fig. 2 (left). Instead, the premium choice is modeled as a may-transition, i.e., it is possible to decide for premium in state u1 but this possibility may be omitted. In state u2 , the probability that no further working step is necessary varies from 2 3 3 to 4 . We abbreviate point intervals of the form [p, p] and simply write p. Closing. AIMCs are (like IMCs and transition systems) subject to interaction. In order to carry out a quantitative analysis of such “open” models, one typically considers a closed variant, i.e., a variant that is behaviorally the same, but can no longer interact. This corresponds to the hiding operation in process algebras where external actions are turned into internal (τ )-actions. We keep slightly more information: the distributions in case of a Markovian transition, and the target state id for interactive transitions. This facilitates a transformation of an AIMC into a continuous-time MDP as described later on. Definition 3 (Closed AIMC). An AIMC M = (S, A, L, Pl , Pu , λ, s0 ) induces the closed AIMC Mτ = (S, Aτ , Lτ , Pl , Pu , λ, s0 ) where Aτ = s∈S AIs ∪ AM s and AIs = {τs | ∃s ∈ S. ∃a ∈ A. L(s, a, s ) = ⊥} , M  As =  {τμ | ∃μ ∈ distr (S). ∀s ∈ S. Pl (s, s ) ≤ μ(s ) ≤ Pu (s, s )} ,   if τ = τs a∈A L(s, a, s )  Lτ (s, τ, s ) = ⊥ otherwise.   In general, the sets AM s are uncountable as the range [Pl (s, s ), Pu (s, s )] is dense. A key aspect in our approach is how to deal with these uncountable sets of distributions. We will show in Section 4 that it suffices to consider only a finite subset for the analysis.

Example 3. Fig. 2 (right) illustrates the closed induced AIMC of Fig. 2 (middle).

4

Nondeterminism

In a closed AIMC, we classify states according to the type of outgoing transitions: the state space S is partitioned into the sets of Markovian states SM , hybrid states SH and may states SMH . A state is Markovian iff only Markovian transitions leave that state; a state is hybrid iff it has emanating Markovian and must-transitions. Further, states in SMH only have outgoing Markovian and may-transitions but no must-transitions. By assumption, any state has at least one outgoing Markovian transition; hence, deadlock states do not exist. According to this state classification, three sources of nondeterminism occur in AIMCs: If multiple must-transitions exist in a state s ∈ SH , that is, if L(s, a, s ) = L(s, b, s ) for some a, b ∈ AIs and s = s , the decision which transition to take is nondeterministic. Due to the maximal progress assumption, nondeterminism only occurs between internal transitions. May-transitions induce the second indefinite behavior: If L(s, a, s ) = ? for some a ∈ AIs and s, s ∈ S, the existence of the may-transition to s is nondeterministically resolved: In the positive case, the behavior is that of a hybrid

200

J.-P. Katoen, D. Klink, and M.R. Neuh¨ außer

state (i.e. the may-transition is treated as a must-transition). Otherwise, the may-transition will considered to be missing; if further must-transitions exist, the state is treated as a hybrid state, otherwise, it becomes a Markovian state. The third type of nondeterminism occurs in Markovian states s ∈ SM of an AIMC: The abstraction yields transition probability intervals (formalized by Pl and Pu ) which induce a generally uncountable set of distributions that conform to these intervals. Selecting one of these distributions is nondeterministic. Note that in the special case of IMCs, the successor-state distribution is uniquely determined as Pl = Pu . Hence, IMCs do not exhibit this type of nondeterminism. To formalize this intuition, let A(s) be the set of enabled actions in state s. I M Formally, define A(s) = AIs if s ∈ SH , A(s) = AM s if s ∈ SM and A(s) = As ∪As if s ∈ SMH . Each action τ ∈ A(s) represents a distribution over the successors of state s. We define (for arbitrary τ ∈ Aτ ) the distribution T(τ ) such that T(τμ ) = μ if τ = τμ is a Markovian transition and T(τs ) = {s  → 1} if τ = τs is an internal action; further, we extend this notion to sets of actions: for B ⊆ Aτ  let T(B) = τ ∈B T(τ ). We use normalization as in [8] to restrict the intervals such that only valid probability distributions arise. Normalization. An AIMC M is called delimited, if for any state, every possible selection of a transition probability can be extended to a distribution, i.e., if for any s, s ∈ S and p ∈ [Pl (s, s ), Pu (s, s )], we have μ(s ) = p for some μ ∈ TM (AM s ). An AIMC M can be normalized, yielding the delimM ited AIMC η(M) where Tη(M) (AM s ) = TM (As ) for all s ∈ S. Formally, ˜ l, P ˜ u , λ, s0 ) and η(Pl , Pu ) = (P ˜ l, P ˜ u ) where for all s, s ∈ S: η(M) = (S, A, L, P ˜ l (s, s ) = max{Pl (s, s ), 1 − Pu (s, S \ {s })} and P ˜ u (s, s ) = min{Pu (s, s ), 1 − Pl (s, S \ {s })}. P Example 4. The AIMC in Fig. 3 (left) is delimited. Selecting 23 for the transition from s to u yields a non-delimited AIMC with Pl (s, ·) = (0, 23 , 0) and Pu (s, ·) = ( 12 , 23 , 23 ). Applying normalization results in new upper bounds ( 13 , 23 , 13 ) and a delimited AIMC: for any probability p ∈ [0, 13 ] to take the self-loop, the probability to take the transition to v can be chosen as 13 − p and vice versa. Schedulers. In order to maximize (or minimize) the probability to reach a set of goal states B within a given time bound t (denoted ♦≤t B), we use schedulers which resolve the nondeterministic choices in the underlying AIMC. If the AIMC is in a state s ∈ S, a scheduler selects an enabled action τ ∈ A(s) to continue with. As shown in [1], schedulers that take the system’s (time abstract) history into account yield better decisions than positional schedulers which only rely on the current state. A scheduler is randomized, if it may not only choose a single action but a distribution over all enabled actions in the current state. Note that for Markovian states s ∈ SM , the set AM s is generally uncountable as it consists of all distributions μ that obey the transition probability intervals of Markovian transitions emanating state s. Therefore, we reduce AM s to finitely many actions as follows: Consider the cube in Fig. 3. It represents all combinations of values that can be chosen from the three probability intervals [0, 12 ],

Compositional Abstraction for Stochastic Systems

[0, 23 ]

u

[0, 23 ]

v

s

201

s

s [0, 12 ]

u

s

v

1

0

]

3

u

v

]

2

3

[0 ,

2

, [0

[0, 12 ]

0

0

u

v

Fig. 3. Finite representation of infinitely many distributions

[0, 23 ] and [0, 23 ] of the AIMC in Fig. 3 (left). The set distr (S) is represented by the dotted triangle. Hence, all points in the intersection of the cube and the triangle are valid distributions. For randomized schedulers, the six bold vertices spanning the intersection (right) serve as a finite representation of AM s : Every distribution μ ∈ T(AM s ) can be constructed as a convex combination of the six extreme distributions which span the intersection. Definition 4 (Extreme distributions). Let M = (S, A, L, Pl , Pu , λ, s0 ) be a delimited AIMC, s ∈ S and S  ⊆ S. We define extr (Pl , Pu , S  , s) ⊆ distr (S) such that μ ∈ extr(Pl , Pu , S  , s) iff either S  = ∅ and μ = Pl (s, ·) = Pu (s, ·) or one of the following conditions holds: – ∃s ∈ S  : μ(s ) = Pl (s, s ) ∧ μ ∈ extr(η(Pl , Pu [(s, s )  → μ(s )]), S  \ {s }, s)      – ∃s ∈ S : μ(s ) = Pu (s, s ) ∧ μ ∈ extr (η(Pl [(s, s )  → μ(s )]), Pu , S  \ {s }, s) A distribution μ ∈ extr(Pl , Pu , S, s) is called extreme. Lemma 1. Let M = (S, A, L, Pl , Pu , λ, s0 ) be an AIMC and s ∈ S. For any μ ∈ distr (S) with Pl (s, s ) ≤ μ(s ) ≤ Pu (s, s ) for all s ∈ S, there exists μ ¯ ∈ distr (extr(Pl , Pu , S, s)) such that for all s ∈ S  μ(s ) = μ ∈extr(Pl ,Pu ,S,s) μ ¯(μ )μ (s ). For randomized schedulers, we thus may replace the uncountable sets AM s in the induced closed AIMC by finite sets AM,extr = {τμ | μ ∈ extr (P , P , S, s)}. We l u s  use Aextr to denote the set AM,extr ∪ AIs ; further, let Aextr = s∈S Aextr . s s s Paths. A timed path in a closed AIMC Mτ is an infinite alternating sequence σ = s0 τ0 t0 s1 τ1 t1 . . . of states, internal actions and the states’ residence times. A path fragment in Mτ is a finite alternating sequence σ = s0 τ0 t0 s1 . . . τn−1 tn−1 sn . Time-abstract paths (path fragments) are alternating sequences of states and actions only. The set of timed paths in Mτ is denoted Paths Mτ whereas the set of timed path fragments of length n is denoted Pathf nMτ ; further, let Pathf Mτ = ∞ n n=0 Pathf Mτ be the set of all path fragments. In the following, we omit Mτ whenever it is clear from the context; further, we denote the sets of time-abstract paths and path fragments by adding subscript abs.

202

J.-P. Katoen, D. Klink, and M.R. Neuh¨ außer

By σ[i] we denote the (i+1)-st state on the path, i.e. for σ = s0 τ0 t0 s1 τ1 t1 . . ., we set σ[i] = si . By σ@t we denote the state occupied at time t, i.e. σ@t = i si where i is the smallest index such that t < j=0 tj . For finite path σ = s0 τ0 t0 · · · τn−1 tn−1 sn , we define last(σ) = sn to denote the last state on σ. We consider history-dependent randomized schedulers that choose from the set of extreme distributions and from interactive transitions: Definition 5 (Extreme scheduler). Let Mτ be a closed AIMC. An extreme scheduler on Mτ is a function D : Pathf abs → distr (Aextr ) with supp(D(σ)) ⊆  Aextr last (σ) for all σ ∈ Pathf abs . Let D(Mτ ) denote the set of extreme schedulers for Mτ . For D ∈ D(Mτ ) and history σ ∈ Pathf abs , let the distribution over all successor states be given by  τ ∈Aextr D(σ)(τ ) · T(τ )(s) for all s ∈ S. Probability measure. We are interested in the infimum and supremum of probability measures on measurable sets of paths over all schedulers in D(Mτ ). In the same fashion as for IMCs [18, p.53], for AIMCs the probability measure Pr ω s,D w.r.t. initial state s in Mτ and D ∈ D(Mτ ) can be inductively defined via combined transitions and measurable schedulers.

5

Composing AIMCs

We consider parallel and symmetric composition of AIMCs and show that the latter typically yields more compact models which are bisimilar to the parallel composition of identical components. These operators are defined in a TCSP-like manner, i.e., they are parameterized with a set of external actions that need to be performed simultaneously by all involved components. To define this multi-way synchronization principle, let for finite set X, the function I : X × X → {⊥, } be given by I(x, x ) =  iff x = x . Similarly, let 1 : X × X → {0, 1} be defined by 1(x, x ) = 1 iff x = x . In the sequel of this paper, we assume that any AIMC is delimited unless stated otherwise. Definition 6 (Parallel composition). Let M = (S, A, L, Pl , Pu , λ, s0 ) and M = (S  , A , L , Pl , Pu , λ , s0 ) be AIMCs. The parallel composition of M and M w.r.t. synchronization set A¯ ⊆ Ae ∩ Ae is defined by: M||A¯ M = (S × S  , A ∪ A , L , Pl , Pu , λ + λ , (s0 , s0 )) where for s, u ∈ S and s , u ∈ S  : – L ((s, s ), a, (u, u )) (L(s, a, u) I(s , u ))  (L (s , a, u ) I(s, u)) = L(s, a, u) L (s , a, u ) – Pl ((s, s ), (u, u )) = – Pu ((s, s ), (u, u )) =

λ λ+λ λ λ+λ

λ    λ+λ · Pl (s , u ) · 1(s, u)  λ    1(s , u ) + λ+λ  · Pu (s , u ) · 1(s, u)

· Pl (s, u) · 1(s , u ) + · Pu (s, u) ·

if a ∈ A¯ if a ∈ A¯

Compositional Abstraction for Stochastic Systems

203

Non-synchronizing actions are interleaved while actions in the set A¯ need to be performed simultaneously by the involved components. Due to the memoryless property of exponential distributions, parallelly composed components delay completely independently. This is similar as in Markovian process algebras and for parallel composition of IMCs [12,14]. The proportion with which one of the λ λ components delays, i.e., λ+λ  and λ+λ respectively, results from the race between exponential distributions. This justifies the definition of Pl and Pu . Composing several instances of the same AIMC by parallel composition may lead to excessive state spaces. To alleviate this problem, we adopt the approach of [15] and also consider symmetric composition. To formally define this notion, we use the concept of multisets (or bags). A multiset M over a finite set S is a function S → N. M (s) is the cardinality of s in M . We use common notations as s ∈ M iff M (x) > 0 and e.g., M = {|a, a, b|} for M over {a, b} with M (a) = 2 and M (b) = 1. For multisets M, M  over S, M  M  = M  is a multiset for which M  (s) = M (s) + M  (s) for all s ∈ S. The same applies to M \ M  = M  where M  (s) = max(0, M (s) − M  (s)). A multiset relation R : S × S → N is a mapping w.r.t. multisets M, M  over S, iff R(s, S) = M (s) and R(S, u) = M  (u). The set of all mappings w.r.t. multisets M, M  is denoted ΓM,M  . Definition 7 (Symmetric composition). For AIMC M = (S, A, L, Pl , Pu , λ, s0 ) and A¯ ⊆ Ae , the symmetric composition of n ∈ N+ copies of M is given by: n |||A¯ M





n times     , Pl , Pu , nλ, {| s0 , . . . , s0 |})

= (S , A, L  where S = {M : S → N | s∈S M (s) = n} and for all s , u ∈ S  :  if a ∈ A¯   :u =(s \{|s|}){|u|} L(s, a, u)    – L (s , a, u ) = s∈s ,u∈u  if a ∈ A¯ R∈Γs ,u s,u∈S:R(s,u)>0 L(s, a, u) ⎧ s (s) ⎪ if s = u and u = (s \ {|s|})  {|u|} ⎨n · Pl (s, u) s (s)      – Pl (s , u ) = s∈S n · Pl (s, s) if s = u ⎪ ⎩ 0 otherwise 

The definition of Pu is obtained from Pl by replacing all instances of Pl by Pu . While in parallel compositions states are tuples, in symmetric compositions they are represented by multisets. Transitions, however, are defined in the very same fashion as for parallel composition. Non-synchronized actions of n components are interleaved and in the synchronized case, all components have to simultaneously take the same synchronizing action. For transition probabilities, as all instances of the same component have the same exit rate λ, each component wins the race with probability n1 . The application of both composition operators on AIMCs results in another AIMC. Note that this also implies uniformity of the resulting model, cf. [11].

204

J.-P. Katoen, D. Klink, and M.R. Neuh¨ außer

Lemma 2. Let M and M be AIMCs, A¯ the synchronization set and n ∈ N+ , n then M||A¯ M and |||A¯ M are AIMCs. 1 s

a

1

a may a

Example 5. Consider AIMC M in Fig. 4. For state {|s, s, u|} 3 in |||{a} M, the states reachable with a synchronized must a-transition are {|s, s, v|}, {|s, v, v|}, {|v, v, v|} and the states reachable with a synchronized may-transition are {|s, s, s|}, {|s, s, v|}, {|s, v, v|}. Note that there are several ways for the system to move to states {|s, s, v|} and {|s, v, v|}. In both cases, there exists a must-transition and thus a must a-transition leads from {|s, s, u|} to {|s, s, v|} and {|s, v, v|} respectively.

v a

u 1

Fig. 4.

Example 6. Modeling three independent (abstract) workers as given in Fig. 2 can be done by both parallel and symmetric com- states IMC AIMC position with an empty synchronization set. 1 worker 8 6 As shown in the table on the right, differ3, par. comp. 512 216 ences in the sizes of the resulting models are 56 significant. Fig. 5 depicts the outgoing tran- 3, sym. comp. 120 sitions of states (u1 , u1 , u2 ) and {|u1 , u1 , u2 |} that result from parallel and symmetric composition of three abstract workers.

(u1 , u2 , u2 )

2 3

+ 13 ·[ 14 , 13 ]

(u2 , u1 , u2 )

{|u1 , u2 , u2 |}

value

value

(u1 , u1 , u2 )

prem (u1 , u3 , u2 )

1 2 3 ·[ , ] 3 3 4

value (u1 , u1 , u4 )

2 3

+ 13 ·[ 14 , 13 ]

{|u1 , u1 , u2 |}

1 2 3 ·[ , ] 3 3 4

{|u1 , u1 , u4 |}

prem

prem (u3 , u1 , u2 )

{|u1 , u2 , u3 |}

Fig. 5. Fragment of the parallel composition M||∅ M||∅ M (left) and the symmetric composition |||3∅ M (right) for open AIMC M from Fig. 2 (middle)

As suggested by Ex. 6, symmetric composition is a more space-efficient way to compose a component several times with itself. While for parallel composition of n identical components  the size of the state space is in O(|S|n ), with symmetric n−1+|S| composition, it is in O . The following result shows that symmetn ric composition yields models that are bisimilar to parallel composition of a component with itself. This generalizes a similar result for IMCs, cf. [15].

Definition 8 (Bisimulation). Let M = (S, A, L, Pl , Pu , λ, s0 ) be an AIMC. An equivalence R ⊆ S × S is a bisimulation on M, iff for any sRs it holds: 1. for all a ∈ A and u ∈ S with L(s, a, u) = ⊥, there exists u ∈ S with L(s, a, u) = L(s , a, u ) and uRu

Compositional Abstraction for Stochastic Systems

205

2. if for all a ∈ Ai and all u ∈ S it holds L(s, a, u) = , then for all C ∈ S/R: Pl (s, C) = Pl (s , C) and Pu (s, C) = Pu (s , C) We write s ≈ s if sRs for some bisimulation R on M and we write M ≈ M for IMCs M and M with initial states s0 and s0 , iff s0 ≈ s0 holds for the disjoint union1 of M and M . The first condition on may- and must-transitions is standard. The second condition asserts that for state s without outgoing internal must-transitions —which would have priority over Markovian transitions according to the maximal progress assumption— the probability to directly move to an equivalence class (under R) coincides with that of s . The condition on probabilities is standard, whereas the exception of outgoing internal must-transition originates from IMCs [12,14]. The main results of this section now follow: Theorem 1 (Symmetric composition). Let M be an AIMC, A¯ a synchronization set and n ∈ N+ , then: n times   n |||A¯ M ≈ M||A¯ . . . ||A¯ M Lemma 3. Strong bisimulation ≈ is a congruence w.r.t. ||A¯ and |||A¯ .

6

Abstraction

This section describes the process of abstracting (A)IMCs by partitioning the state space, i.e., by grouping sets of concrete states to abstract ones. For state space S and partitioning S  of S, let α : S → S  map states to their corresponding abstract one, i.e., α(s) denotes the abstract state of s, and α−1 (s ) is the set of concrete states that map to s . Abstraction yields an AIMC that covers at least all possible behaviors of the concrete model, but perhaps more. The relationship between the abstraction and its concrete model is formalized by a strong simulation. We will define this notion and show that it is a precongruence with respect to parallel and symmetric composition. This result enables a compositional abstraction of AIMCs. Definition 9 (Abstraction). For an AIMC M = (S, A, L, Pl , Pu , λ, s0 ) and partitioning S  of S, the abstraction function α : S → S  induces the AIMC (S  , A, L , Pl , Pu , λ, α(s0 )), denoted by α(M), where: ⎧  −1  ⎪ ⎨ if u∈α−1 (u ) L(s, a, u) =  for all s ∈ α (s )    – L (s , a, u ) = ⊥ if u∈α−1 (u ) L(s, a, u) = ⊥ for all s ∈ α−1 (s ) ⎪ ⎩ ? otherwise     – Pl (s , u ) = mins∈α−1 (s ) u∈α−1 (u ) Pl (s, u)  – Pu (s , u ) = min(1, maxs∈α−1 (s ) u∈α−1 (u ) Pu (s, u)) 1

Note that the union is only defined for two uniform AIMCs with the same exit rate as for different exit rates, the result is not uniform.

206

J.-P. Katoen, D. Klink, and M.R. Neuh¨ außer

Lemma 4. For any AIMC M, α(M) is an AIMC. Example 7. Let M be the IMC in Fig. 2 (left) and N be the AIMC in Fig. 2 (middle). Then, N = α(M) with α(si ) = ui for i ∈ {0, . . . , 5} and α(si ) = ui for i ∈ {1, 2}. Consider a worker M that is a variant of the one in Fig. 2 (left), say, whose judgement on the quality of raw material is different, i.e. whose P(s0 , s1 ) and P(s0 , s1 ) differ. For such a worker, we also get N = α(M ). Symmetric composition of two different workers M and M is not possible. However, replacing both M and M by abstract worker N enables symmetric composition and yields a compact representation of an abstraction of M||A¯ M . The formal relationship between an AIMC and its abstraction is defined in terms of a strong simulation. In fact, the notion defined below combines the concepts of refinement for modal transition systems [25] (items 1a and 1b) with that of probabilistic simulation [19,20] (item 2). Definition 10 (Strong simulation). For AIMC M = (S, A, L, Pl , Pu , λ, s0 ), R ⊆ S × S is a simulation relation, iff for all sRs the following holds: 1a. for all a ∈ A and u ∈ S with L(s, a, u) = ⊥ there exists u ∈ S with    L(s , a, u ) = ⊥ and uRu , 1b. for all a ∈ A and u ∈ S with L(s , a, u ) =  there exists u ∈ S with L(s, a, u) =  and uRu , and 2. if for all a ∈ Ai and all u ∈ S it holds L(s, a, u) = , then for all μ ∈ T(s) there exists μ ∈ T(s ) and Δ : S × S → [0, 1] such that for all u, u ∈ S: (a) Δ(u, u ) > 0 =⇒ uRu (b) Δ(u, S) = μ(u) (c) Δ(S, u ) = μ (u ) We write s  s if sRs for some simulation R and M  M for AIMCs M and M with initial states s0 and s0 , if s0  s0 in the disjoint union of M and M . Let us briefly explain this definition. Item 1a requires that any may- or musttransition of s must be reflected in s . Item 1b requires that any must-transition of s must match some must-transition of s, i.e., all required behavior of s stems from s. Note that this allows a must-transition of s to be mimicked by a maytransition of s . Finally, condition 2 requires the existence of a weight function Δ [19,20] that basically distributes μ of s to μ of s such that only related states obtain a positive weight (2(a)), and the total probability mass of u that is assigned by Δ coincides with μ(u) and symmetrically for u (cf. 2(b), 2(c)). Note that every bisimulation equivalence R is also a simulation relation. Theorem 2. For any AIMC M and abstraction function α, M  α(M). Example 8. Consider AIMCs M and N given in Example 7. As N is an abstraction of M, it follows M  N . To be able to compose abstractions while preserving this formal relation, the following result is of interest. It allows to abstract parallel and symmetric compositions of AIMCs in a component-wise manner, to avoid the need for generating the entire state space prior to abstraction. Theorem 3. Strong simulation  is a precongruence w.r.t. ||A¯ and |||A¯ .

Compositional Abstraction for Stochastic Systems

7

207

Timed Reachability

In this section, we show how to analyse closed AIMCs by reducing them to uniform IMCs. As presented in [18], those can be reduced to uniform continuoustime Markov decision processes (CTMDP) for which an efficient algorithm is implemented in MRMC, a state of the art model checker. We analyse two reachability objectives for the running example and show how abstraction and symmetric composition reduce the maximal size of the state space during the construction of the model. To obtain the induced IMC for an AIMC, we separate the nondeterministic choice for values from the intervals in Markovian states from the actual Markovian behavior, i.e. the delay and the subsequent probabilistic transitions. This is achieved by adding one intermediate state for each extreme distribution. Definition 11 (Induced IMC). For closed AIMC M = (S, A, L, Pl , Pu , λ, s0 ), let θ(M) = (S ∪· S extr , Aextr , L , P , λ, s0 ) where – S extr = {sμ | ⎧ ∃s ∈ S : μ ∈ extr (Pl , Pu , S, s)} ⎪ L(s, a, s ) if s ∈ SH ∪ SMH , a = τs ⎪ ⎪ ⎨  if s ∈ SM ∪ SMH , a = τμ , s = sμ – L (s, a, s ) = ⎪ and μ ∈ extr(Pl , Pu , S, s) ⎪ ⎪ ⎩ ⊥ otherwise   μ(s ) if s = sμ ∈ S extr – P (s, s ) =  1(s, s ) otherwise Lemma 5. For a closed AIMC M it holds that θ(M) is a closed uniform IMC. Example 9. Let M be the symmetric composition of two independent abstract workers as depicted in Fig. 2 (middle). We focus on state {|s0 , s2 |} in M, cf. Fig. 6 (left). In the corresponding induced IMC θ(M), there are new states sμ and sμ with outgoing Markovian transitions according to the extreme distributions μ and μ of {|s0 , s2 |} with μ({|s1 , s2 |}) = 12 , μ({|s0 , s2 |}) = 16 , μ({|s0 , s4 |}) = 26 and μ ({|s1 , s2 |}) = 12 , μ ({|s0 , s2 |}) = 18 , μ ({|s0 , s4 |}) = 38 . Additionally, labeled transitions with internal actions τμ (τμ resp.) leading from {|s0 , s2 |} to the new intermediate states are introduced. sμ

1 1 1 ·[ , ] 2 4 3

{|s1 , s2 |}

1 2

{|s0 , s2 |}

1 2 1 2 3 ·[ , ] 2 3 4

{|s0 , s4 |}

{|s1 , s2 |} 1 2

τμ

1 6

{|s0 , s2 |} τμ

1 8

sμ

2 6

{|s0 , s4 |} 3 8

Fig. 6. Fragment of the parallel composition M||{} M for the AIMC M from Fig. 2 (left) and the induced IMC detail (right)

208

J.-P. Katoen, D. Klink, and M.R. Neuh¨ außer

For closed AIMC M = (S, A, L, Pl , Pu , λ, s0 ), we define the set of paths starting in initial state s0 and visiting a state in B ⊆ S within t ∈ R≥0 time units by Paths M (♦≤t B) = {σ ∈ Paths M | σ[0] = s0 , ∃t ∈ [0, t] : σ@t ∈ B}. Lemma 6. Let M = (S, A, L, Pl , Pu , λ, s0 ) be a closed AIMC and θ(M) its induced IMC. For all B ⊆ S, t ∈ R≥0 and D ∈ D(M) there exists D ∈ D(θ(M)) M M with Pr ω (♦≤t B)) = Pr ω (♦≤t B)). s0 ,D (Paths s0 ,D (Paths For interactive transitions, a corresponding scheduler in the induced IMC chooses exactly as the AIMC scheduler. The choice of a distribution in the AIMC is mimicked by a randomized choice of τμ actions (cf. Fig. 6). From this, we obtain: Theorem 4. For a closed AIMC M = (S, A, L, Pl , Pu , λ, s0 ), B ⊆ S, t ∈ R≥0 : M θ(M) supD∈D(M) Pr ω (♦≤t B)) = supD∈D(θ(M)) Pr ω (♦≤t B)) s0,D (Paths s0,D (Paths M θ(M) inf D∈D(M) Pr ω (♦≤t B)) = inf D∈D(θ(M)) Pr ω (♦≤t B)) s0,D (Paths s0,D (Paths

The analysis of time-bounded reachability probabilities for uniform IMCs is investigated in [18] and the core algorithm [1] is implemented in MRMC. Basically, a uniform IMC is reduced to a uniform CTMDP by transformations to so-called Markov alternating and strictly alternating IMCs. This transformation preserves (weak) bisimulation. The following example relies on this results: Example 10. Assume the number of machines that are available for crafting value and premium products is limited to two. First, we investigate the probabilities for b out of w workers M1 to Mw to be waiting for machines within t time units. Let P = ({m0 , m1 , m2 }, A, L, 1, 1, ε, m0 ) where in mi there are i machines in use and let A = {value, prem, vdone, pdone}, L(mi , a, mi+1 ) =  if a ∈ {value, prem} for i ∈ {0, 1} and L(mi+1 , a, mi ) =  if a ∈ {vdone, pdone} for i ∈ {0, 1}, otherwise L(m, a, m ) = ⊥. Let Mi be pairwise distinct variants of workers as described in Ex. 7. Then, (M1 ||∅ . . . ||∅ Mw )||A P yields an IMC where the measure of interest can be derived by computing probabilities for reaching states (¯ s, m2 ) with at least b components of s¯ being s1 or s1 . In contrast,  w when M1 = . . . = Mw = M we can instead compute the probabilities in |||∅ M ||A P for reaching states (M, m2 ) with M (s1 ) + M (s1 ) ≥ b. The maximal sizes of the state spaces obtained during the construction of the models are given in Table 1 (left). Let AIMC N = α(M1 ) = . . . = α(Mw ) as described in Ex. 7. Then, Table 1. Maximal size of the state spaces during construction max. size IMC, par. IMC, sym. AIMC, par. AIMC, sym.

w=3, b=1 w=4, b=1 w=4, b=2 512 120 216 56

4096 330 1296 126

4096 330 1296 126

w=1 352 352 264 264

w=2

w=3

w=4

2816 22528 180224 1584 5280 14520 1584 9504 57024 924 2464 5544

Compositional Abstraction for Stochastic Systems

209

Fig. 7. Minimal and maximal probabilities for b out of w workers having no access to one of 2 machines in t time units (left). Maximal probabilities for w workers and 2 machines to produce 10 value and 3 premium in t time units (right). Curves for concrete workers are solid and dashed for abstract ones.

even for pairwise distinct workers, symmetric composition can be used to obtain w the abstract system (|||∅ N )||A P. While the abstract model of one worker has 6 instead of 8 states, the relative savings during composition are much larger (cf. Table 1). But still, the minimal and maximal probabilities (Fig. 7, left) obtained for w instances of the abstract worker N (dashed curves) are almost the same as for w copies of the concrete worker M as shown in Fig. 2 (left) (solid curves). Secondly, we compute the maximal probabilities for producing 10 value and 3 premium products with w workers within t time units. Note, that minimal probabilities are 0 for all time bounds t, as workers may stall premium production. We define counting AIMC Q = ({nv,p | v ∈ {0, . . . , 10}, p ∈ {0, . . . , 3}}, A, L, 1, 1, ε, n0,0 ) with A = {vdone, pdone}, L(nv,p , vdone, nv+1,p ) =  for v ∈ {0, . . . , 9}, p ∈ {0, . . . , 3} and L(nv,p , pdone, nv,p+1 ) =  for v ∈ {0, . . . , 10}, p ∈ {0, . . . , 2}, otherwise L(n, a, n ) = ⊥. Letconcrete and workers M and N be given  wabstract  w as in Fig. 2. Then, in |||∅ M ||A Q and |||∅ N ||A Q, we compute probabilities to reach any state (M, n10,3 ). As shown in Fig. 7 (right), the maximal probabilities for w ∈ {1, . . . , 4} abstract workers (dashed curves) are rather close to values derived for concrete workers (solid curves). The maximal sizes of the state spaces during construction are given in Table 1 (right).

8

Conclusion

This paper proposed a novel compositional abstraction technique for continuoustime stochastic systems. This technique allows for aggressive abstractions of single components, enabling the analysis of systems that are too large to be handled when treated as monolithic models. The feasibility of our approach has been demonstrated by the analysis of a production system. Future work includes the application of this technique to realistic applications, counterexample-guided abstraction refinement [16,22], and the treatment of non-uniform IMCs.

210

J.-P. Katoen, D. Klink, and M.R. Neuh¨ außer

References 1. Baier, C., Hermanns, H., Katoen, J.-P., Haverkort, B.R.: Efficient computation of time-bounded reachability probabilities in uniform continuous-time Markov decision processes. Theor. Comput. Sci. 345, 2–26 (2005) 2. Berendsen, J., Vaandrager, F.W.: Compositional abstraction in real-time model checking. In: Cassez, F., Jard, C. (eds.) FORMATS 2008. LNCS, vol. 5215, pp. 233–249. Springer, Heidelberg (2008) 3. Bode, E., Herbstritt, M., Hermanns, H., Johr, S., Peikenkamp, T., Pulungan, R., Wimmer, R., Becker, B.: Compositional performability evaluation for statemate. In: QEST, pp. 167–178. IEEE Computer Society Press, Los Alamitos (2006) 4. Cardelli, L.: On process rate semantics. Theor. Comput. Sci. 391, 190–215 (2008) 5. Chadha, R., Viswanathan, M., Viswanathan, R.: Least upper bounds for probability measures and their applications to abstractions. In: van Breugel, F., Chechik, M. (eds.) CONCUR 2008. LNCS, vol. 5201, pp. 264–278. Springer, Heidelberg (2008) 6. de Alfaro, L., Henzinger, T.A., Jhala, R.: Compositional methods for probabilistic systems. In: Larsen, K.G., Nielsen, M. (eds.) CONCUR 2001. LNCS, vol. 2154, pp. 351–365. Springer, Heidelberg (2001) 7. de Alfaro, L., Roy, P.: Magnifying-lens abstraction for Markov decision processes. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 325–338. Springer, Heidelberg (2007) 8. Fecher, H., Leucker, M., Wolf, V.: Don’t know in probabilistic systems. In: Valmari, A. (ed.) SPIN 2006. LNCS, vol. 3925, pp. 71–88. Springer, Heidelberg (2006) 9. Garavel, H., Hermanns, H.: On combining functional verification and performance evaluation using CADP. In: Eriksson, L.-H., Lindsay, P.A. (eds.) FME 2002. LNCS, vol. 2391, pp. 410–429. Springer, Heidelberg (2002) 10. Gilmore, S., Hillston, J., Ribaudo, M.: An efficient algorithm for aggregating PEPA models. IEEE Trans. Software Eng. 27, 449–464 (2001) 11. Hermanns, H., Johr, S.: Uniformity by construction in the analysis of nondeterministic stochastic systems. Dependable Systems and Networks, 718–728 (2007) 12. Hermanns, H. (ed.): Interactive Markov Chains. LNCS, vol. 2428. Springer, Heidelberg (2002) 13. Hermanns, H., Herzog, U., Katoen, J.-P.: Process algebra for performance evaluation. Theor. Comput. Sci. 274, 43–87 (2002) 14. Hermanns, H., Katoen, J.-P.: Automated compositional Markov chain generation for a plain-old telephone system. Sci. Comput. Program. 36, 97–127 (2000) 15. Hermanns, H., Ribaudo, M.: Exploiting symmetries in stochastic process algebras. In: European Simulation Multiconference, SCS Europe, pp. 763–770 (1998) 16. Hermanns, H., Wachter, B., Zhang, L.: Probabilistic CEGAR. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 162–175. Springer, Heidelberg (2008) 17. Hillston, J.: A Compositional Approach to Performance Modelling. Cambridge University Press, Cambridge (1996) 18. Johr, S.: Model Checking Compositional Markov Systems. PhD thesis, Universit¨ at des Saarlandes, Saarbr¨ ucken, Germany (2007) 19. Jones, C., Plotkin, G.: A probabilistic powerdomain of evaluations. In: LICS, pp. 186–195. IEEE Computer Society, Los Alamitos (1989) 20. Jonsson, B., Larsen, K.G.: Specification and refinement of probabilistic processes. In: LICS, pp. 266–277. IEEE Computer Society, Los Alamitos (1991)

Compositional Abstraction for Stochastic Systems

211

21. Katoen, J.-P., Klink, D., Leucker, M., Wolf, V.: Three-valued abstraction for continuous-time Markov chains. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 311–324. Springer, Heidelberg (2007) 22. Kattenbelt, M., Kwiatkowska, M., Norman, G., Parker, D.: Abstraction refinement for probabilistic software. In: Jones, N.D., M¨ uller-Olm, M. (eds.) VMCAI 2009. LNCS, vol. 5403, pp. 182–197. Springer, Heidelberg (2009) 23. Kattenbelt, M., Kwiatkowska, M.Z., Norman, G., Parker, D.: Game-based probabilistic predicate abstraction in PRISM. ENTCS 220, 5–21 (2008) 24. Kwiatkowska, M., Norman, G., Parker, D.: Game-based abstraction for Markov decision processes. In: QEST, pp. 157–166. IEEE Computer Society Press, Los Alamitos (2006) 25. Larsen, K.G., Thomsen, B.: A modal process logic. In: LICS, pp. 203–210. IEEE Computer Society Press, Los Alamitos (1988) 26. Larsen, K.G.: Modal specifications. In: Sifakis, J. (ed.) CAV 1989. LNCS, vol. 407, pp. 232–246. Springer, Heidelberg (1990) 27. Maci, H., Valero, V., de Frutos-Escrig, D.: sPBC: A Markovian extension of finite Petri box calculus. Petri Nets and Performance Models, 207–216 (2001) 28. Segala, R., Lynch, N.A.: Probabilistic simulations for probabilistic processes. Nord. J. Comput. 2, 250–273 (1995) 29. Shoham, S., Grumberg, O.: Compositional verification and 3-valued abstractions join forces. In: Riis Nielson, H., Fil´e, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 69–86. Springer, Heidelberg (2007) 30. Shoham, S., Grumberg, O.: 3-valued abstraction: More precision at less cost. Inf. Comput. 206, 1313–1333 (2008) 31. Tofts, C.M.N.: Compositional performance analysis. In: Brinksma, E. (ed.) TACAS 1997. LNCS, vol. 1217, pp. 290–305. Springer, Heidelberg (1997)

Stochastic Games for Verification of Probabilistic Timed Automata Marta Kwiatkowska, Gethin Norman, and David Parker Oxford University Computing Laboratory, Parks Road, Oxford, OX1 3QD

Abstract. Probabilistic timed automata (PTAs) are used for formal modelling and verification of systems with probabilistic, nondeterministic and real-time behaviour. For non-probabilistic timed automata, forwards reachability is the analysis method of choice, since it can be implemented extremely efficiently. However, for PTAs, such techniques are only able to compute upper bounds on maximum reachability probabilities. In this paper, we propose a new approach to the analysis of PTAs using abstraction and stochastic games. We show how efficient forwards reachability techniques can be extended to yield both lower and upper bounds on maximum (and minimum) reachability probabilities. We also present abstraction-refinement techniques that are guaranteed to improve the precision of these probability bounds, providing a fully automatic method for computing the exact values. We have implemented these techniques and applied them to a set of large case studies. We show that, in comparison to alternative approaches to verifying PTAs, such as backwards reachability and digital clocks, our techniques exhibit superior performance and scalability.

1

Introduction

Probabilistic behaviour occurs naturally in many real-time systems, either due to the use of randomisation, or because of the presence of unreliable components. Prominent examples include communication protocols such as Bluetooth, IEEE 802.11 and FireWire, which use randomised back-off schemes and are designed to function over faulty communication channels. Another important class are security protocols, such as for non-repudiation, anonymity and non-interference, where randomisation and timing are both essential ingredients. Probabilistic timed automata (PTAs) [9,1,16], which are finite state automata extended with real-valued clocks and discrete probabilistic choice, are a natural formalism for modelling and analysing such systems. Formal verification techniques for PTAs can help to identify anomalies resulting from the subtle interplay between probabilistic, real-time and nondeterministic aspects of these systems. A fundamental property of a PTA is the minimum or maximum probability of reaching a particular class of states in the model. This allows the expression of a wide range of useful properties, for example, “the minimum probability that a data packet is correctly delivered with t seconds”. There are three main existing algorithmic approaches to the verification of PTAs: (i) forwards reachability [16,5]; (ii) backwards reachability [17]; and (iii) J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 212–227, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Stochastic Games for Verification of Probabilistic Timed Automata

213

digital clocks [15]. Forwards reachability is based on a symbolic forwards exploration, similar to the techniques implemented in state-of-the art tools for nonprobabilistic timed automata [6,18]. This approach is appealing because it can be implemented extremely efficiently with data structures such as difference-bound matrices (DBMs). However, in the context of probabilistic timed automata, these techniques yield only an upper bound on maximum reachability probabilities. Backwards reachability [17] performs a state-space exploration in the opposite direction, from target to initial states. This computes exact values for both minimum and maximum reachability probabilities; however, the operations required to implement it are expensive, limiting its applicability. The digital clocks technique of [15] uses an efficient language-level translation to a probabilistic model with finite state semantics. This also gives precise values for minimum and maximum probabilities, but is only applicable to a restricted class of PTAs. PTAs are, because of their real-valued model of time, inherently infinite-state. The three PTA verification techniques described above work by constructing a finite-state Markov decision process (MDP) that can be analysed with existing tools and techniques. This MDP can be viewed as an abstraction of the infinitestate semantics of the PTA. In this paper, we take a new approach, using the ideas of [13] to represent PTA abstractions as stochastic two-player games. We first show how the forwards reachability technique of [16] can be generalised to produce a stochastic game that yields lower and upper bounds on either minimum or maximum reachability probabilities of PTAs. Then, using abstraction-refinement methods, we show how the stochastic game can be iteratively refined in order to tighten these bounds. This gives a fully automatic technique to compute exact reachability probabilities within a finite number of steps. Finally, we present a prototype tool implementing these techniques that exhibits significantly better performance than other PTA verification approaches. A full version of this paper, including proofs is also available [14]. Related work. Existing PTA verification techniques are discussed above and a detailed experimental comparison is included in Section 6. Also relevant is [3], which presents an algorithm for computing time-abstracting bisimulation quotients of PTAs. Abstraction-refinement approaches have been proposed for non-probabilistic timed automata, e.g. [7] which uses bounded model checking and SAT-based techniques, [21] which is based on the region graph construction, and [12] for verifying PLC automata using UPPAAL [18].

2

Markov Decision Processes and Stochastic Games

Markov decision processes (MDPs) are a widely used formalism for modelling systems that exhibit both nondeterministic and probabilistic behaviour. Definition 1. An MDP M is a tuple (S, S, Act, Steps M ) where S is a set of states, S ⊆ S is the set of initial states, Act is a set of actions and Steps M : S×Act → Dist(S) is the probabilistic transition function.

214

M. Kwiatkowska, G. Norman, and D. Parker

In each state s ∈ S of an MDP M, there is a nondeterministic choice between one or more available actions a ∈ Act (those for which Steps M (s, a) is defined). After the choice of an action a, a successor state is selected at random according to the probability distribution Steps M (s, a). A path through M is a sequence of states selected in this fashion. To reason about the MDP M, we use the notion of an adversary, which is a possible resolution of all nondeterministic choices in M (formally, an adversary is a function from finite paths to actions). For a fixed adversary A, we can define a probability measure over the set of paths from a state s and, in particular, the probability pA s (F ) of reaching a target F ⊆S from s under A. We are typically interested in the minimum and maximum reachability probabilities for F : A max A pmin M (F ) = inf s∈S inf A ps (F ) and pM (F ) = sups∈S supA ps (F ) . def

def

These values, and an adversary of M which produces them, can be computed with a simple numerical computation called value iteration [19]. Stochastic two-player games [20,4] extend MDPs by allowing two types of nondeterministic choice, controlled by separate players. We use stochastic games in the manner proposed in [13] to represent an abstraction of an MDP. Definition 2. A stochastic game G is a tuple (S, S, Act, Steps G ) where: S is a set of states, S ⊆ S is the set of initial states Act is a set of actions and Steps G : S×Act → 2Dist(S) is the probabilistic transition function. Each transition of a stochastic game G comprises three choices: first, like for an MDP, player 1 picks an available action a∈Act; next, player 2 selects a distribution λ from the set Steps G (s, a); finally, a successor state is chosen at random according to λ. A resolution of the nondeterminism in G (the analogue of an MDP adversary) is a pair of strategies σ1 , σ2 for the players, under which we can define the probability pσs 1 ,σ2 (F ) of reaching a target F ⊆S from a state s. Intuitively, the idea of [13] is that, in a stochastic game G, representing an abstraction of an MDP M, player 2 choices represent nondeterminism present in M and player 1 choices represent additional nondeterminism introduced through abstraction. By quantifying over strategies for players 1 and 2, we can obtain both lower bounds (lb) and upper bounds (ub) on the minimum and maximum reachability probabilities of M. If G is constructed from M using the approach of [13], then, in the case of maximum probabilities, for example: ub,max plb,max (F )  pmax (F ) M (F )  pG G

where, in the stochastic game G: def

plb,max (F ) = sups∈S inf σ1 supσ2 pσs 1 ,σ2 (F ) G def ub,max pG (F ) = sups∈S supσ1 supσ2 pσs 1 ,σ2 (F ) Using similar techniques as those for MDPs, we can efficiently compute these values and strategies for players 1 and 2 that result in them [4].

Stochastic Games for Verification of Probabilistic Timed Automata

3

215

Probabilistic Timed Automata

Time, clocks and zones. Probabilistic timed automata model time using clocks, variables over the set R of non-negative reals. We assume a finite set X of clocks. A function v : X → R is referred to as a clock valuation and the set of all clock valuations is denoted by RX . For any v ∈ RX , t ∈ R and X ⊆ X , we use v+t to denote the clock valuation which increments all clock values in v by t and v[X:=0] for the valuation in which clocks in X are reset to 0. The set of zones of X , written Zones(X ), is defined by the syntax: ζ ::= true | x  d | c  x | x+c  y+d | ¬ζ | ζ ∨ ζ where x, y ∈ X and c, d ∈ N. A zone ζ represents the set of clock valuations v which satisfy ζ, denoted v  ζ, i.e. those for which ζ resolves to true by substituting each clock x with v(x). We will use several classical operations on zones [8,22]. The zone ζ contains all clock valuations that can be reached from a valuation in ζ by letting time pass. Conversely, ζ contains those that can reach ζ by letting time pass. For X⊆X , the zone [X:=0]ζ contains the clock valuations which result in a valuation in ζ when the clocks in X are reset to 0, while ζ[X:=0] contains the valuations obtained from those in ζ by resetting these clocks to 0. Syntax and semantics of PTAs. We now present the formal syntax and semantics of probabilistic timed automata. Definition 3. A PTA is a tuple P=(L, l, Act, inv , enab, prob) where: – – – – –

L is a finite set of locations and l ∈ L is the initial location; Act is a finite set of actions; inv : L → Zones(X ) is the invariant condition; enab : L×Act → Zones(X ) is the enabling condition; prob : L×Act → Dist(2X ×L) is the probabilistic transition function.

A state of a PTA is a pair (l, v) ∈ L×RX such that v  inv (l). In any state (l, v), a certain amount of time t ∈ R can elapse, after which an action a ∈ Act is performed. The choice of t requires that, while time passes, the invariant inv (l) remains continuously satisfied. Each action a can be only chosen if it is enabled, that is, the zone enab(l, a) is satisfied by v+t. Once action a is chosen, a set of clocks to reset and successor location are selected at random, according to the distribution prob(l, a). We call each element (X, l ) ∈ 2X ×L in the support of prob(l, a) an edge and, for convenience, assume that the set of such edges, denoted edges(l, a), is an ordered list e1 , . . . , en . Definition 4. Let P=(L, l, Act, inv , enab, prob) be a PTA. The semantics of P is defined as the (infinite-state) MDP [[P]] = (S, S, R×Act, Steps P ) where: – S = {(l, v) ∈ L × RX | v  inv (l)} and S = {(l, 0)}; – Steps P ((l, v), (t, a)) = λ if and only if v+t  inv (l) for all 0t t, v+t  enab(l, a) and, for any (l , v  ) ∈ S:     prob(l, a)(X, l ) | X ∈ 2X ∧ v  = (v+t)[X:=0]  . λ(l , v  ) =

216

M. Kwiatkowska, G. Norman, and D. Parker

Each transition of the semantics of the PTA is a time-action pair (t, a), representing time passing for t time units, followed by a discrete a-labelled transition. If Steps P ((l, v), (t, a)) is defined and edges(l, a) = (l1 , X1 ), . . . , (ln , Xn ) , we write t,a (l, v) −−→ s1 , . . . , sn where si = (li , (v+t)[Xi :=0]) for all 1  i  n. We make several standard assumptions about probabilistic timed automata. Firstly, we restrict our attention to structurally non-Zeno automata [23]. This class of models, which can be identified syntactically and in a compositional fashion [24], guarantees time-divergent behaviour. Secondly, for technical reasons, we assume all zones appearing in a PTA are diagonal-free [2]. Probabilistic Reachability. The minimum and maximum probabilities of reaching, from the initial state of a PTA P, a certain target F ⊆ L are: min pmin P (F ) = p[[P]] (SF )

and

pmax (F ) = pmax P [[P]] (SF )

where SF = {(l, v) | v  inv (l) ∧ l ∈ F }. We can easily consider more expressive targets, that refer to both locations and clock values, through a simple syntactic modification of the PTA [16]. Symbolic states and operations. In order to represent sets of PTA states, we use the concept of a symbolic state: a pair z = (l, ζ), comprising a location l and a zone ζ over X , representing the set of PTA states {(l, v) | v  ζ}. We use the notation (l, v) ∈ (l, ζ) to denote inclusion of a PTA state in a symbolic state. We will use the time successor and discrete successor operations of [8,22]. For a symbolic state (l, ζ), action a, and edge e = (X, l ) ∈ edges(l, a), we define: def

– tsuc(l, ζ) = (l, inv (l)∧ ζ) is the time successor of (l, ζ); def – dsuc[a, e](l, ζ) = (l , (ζ∧enab(l, a))[X:=0]∧inv (l )) is the discrete successor of (l, ζ) with respect to e; def – post[a, e](l, ζ) = tsuc(dsuc[a, e](l, ζ)) is the post of (l, ζ) with respect to e. The c-closure of a zone ζ is obtained by removing any constraint that refers to integers greater than c. For a given c, there are only a finite number of c-closed zones. For the remainder of this paper, we assume that all zones are c-closed where c is the largest constant appearing in the PTA under study.

4

Forwards Reachability for PTAs

In this section, we begin by describing the approach of [16], which we will refer to as MDP-based forwards reachability. This computes only upper bounds on maximum reachability probabilities of a PTA. Subsequently, we will propose a new algorithm, based on stochastic games, which addresses these limitations. 4.1

MDP-Based Forwards Reachability

The MDP-based forwards reachability approach of [16] works by building an abstraction of a PTA P. This abstraction is represented by an MDP M whose

Stochastic Games for Verification of Probabilistic Timed Automata

217

BuildReachGraph(P, F ) 1 2 3 4 5 6 7 8 9 10 11 12

Z := ∅ Y := {tsuc(l, 0)} while Y = ∅ choose (l, ζ) ∈ Y Y := Y \ {(l, ζ)} Z := Z ∪ {(l, ζ)} for a ∈ Act such that enab(l, a) ∧ ζ = ∅ for ei ∈ edges(l, a) = e1 , . . . , en  (li , ζi ) := post[(l, a), ei ](l, ζ) if (li , ζi ) ∈ Z and li ∈ F then Y := Y ∪ {(li , ζi )} R := R ∪ {((l, ζ), a, (l1 , ζ1 ), . . . , (ln , ζn ))} return (Z, R)

BuildMDP(Z, R) 1 Z := {(l, ζ) ∈ Z | l = l} 2 for (l, ζ) ∈ Z and θ ∈ R(l, ζ) 3 Steps M ((l, ζ), θ) := λθ 4 return M = (Z, Z, R, Steps M )

Fig. 1. Algorithm for MDP-based forwards reachability, based on [16]

state space is a set Z of symbolic states, i.e. each state of M represents a set of states of the infinite-state MDP semantics [[P]]. The algorithm of [16] is shown in Figure 1. For the purposes of this presentation, we have reformulated the algorithm into: (i) the construction of a reachability graph over the set of symbolic states Z; and (ii) the construction of an MDP M from this graph. The algorithm to build this reachability graph is based on the well-known forwards reachability algorithm for non-probabilistic timed automata [6,18]. It performs a forwards exploration through the automata, successively computing symbolic states using the post operation. One important difference is that, in the probabilistic setting, on-the-fly techniques cannot be used: the state-space exploration is exhaustive. This is because the aim is to determine, not just the existence of a path to the target, but the probability of reaching the target. For this, an MDP containing all such paths is constructed and analysed. A reachability graph captures information about the transitions in a PTA. It comprises a multiset1 Z of symbolic states and a set R ⊆ Z×Act×Z+ of symbolic transitions. Each symbolic transition θ ∈ R takes the form:   θ = (l, ζ), a, (l1 , ζ1 ), . . . , (ln , ζn ) where n = |edges(l, a)|. Intuitively, θ represents the possibility of taking action a from a PTA state in (l, ζ) and, for each edge (Xi , li ) ∈ edges(l, a), reaching a state in (li , ζi ). A key property of symbolic transitions is the notion of validity: 1

The use of a multiset is a technical requirement, later used for abstraction refinement.

218

M. Kwiatkowska, G. Norman, and D. Parker

  def valid (θ) = ζ ∧  enab(l, a)∧ (∧ni=1 ([Xi :=0]ζi )) which gives precisely the set of clock valuations satisfying ζ from which it is possible to let time pass and perform the action a such that taking the ith edge (Xi , li ) gives a state in (li , ζi ). A symbolic transition θ is valid if the zone valid (θ) is non-empty. This leads to the following formal definition of a reachability graph. Definition 5. A reachability graph for a PTA P=(L, l, Act, inv , enab, prob) and target F , is a pair (Z, R) where: – Z ⊆ L×Zones(X ) is a multiset of symbolic states where {s ∈ z | z ∈ Z} = S; – R ⊆ Z×Act ×Z+ is a set of valid symbolic transitions; t,a

and, if z = (l, ζ) ∈ Z, l  ∈ F , s ∈ z and s −−→ s1 , . . . , sn , then R contains a symbolic transition (z, a, z1 , . . . , zn ) such that si ∈ zi for all 1  i  n. For any PTA P and target F , it follows from the definition of post that algorithm BuildReachGraph(P, F ) in Figure 1 returns a (unique) reachability graph for (P, F ). However, the above conditions do not imply the uniqueness of reachability graphs, and there may exist many other such graphs for (P, F ). Given a reachability graph (Z, R) we can construct an MDP M with state space Z using the symbolic transitions in R to build the transitions of M. More precisely, a symbolic transition θ = ((l, ζ), a, (l1 , ζ1 ), . . . , (ln , ζn ) ) induces a probability distribution λθ over symbolic states Z where for any (l , ζ  ) ∈ Z: λθ (l , ζ  ) =

def



{| prob(l, a)(ei ) | ei ∈ edges(l, a) ∧ ζi =ζ  |} .

Using these distributions, the algorithm BuildMDP(Z, R) in Figure 1 constructs an MDP M, analysis of which yields bounds on the behaviour of P. Theorem 1. Let P be a PTA with target F . If (Z, R) is a reachability graph for (P, F ) and M is the MDP returned by BuildMDP(Z, R) (see Figure 1), then min max pmin (F )  pmax M (ZF )  pP (F ) and pP M (ZF ) where ZF = F ×Zones(X ). This theorem extends [16], by establishing the result for any reachability graph, not just that returned by BuildReachGraph and, by restricting to structurally non-Zeno PTAs, also yields lower bounds on minimum reachability probabilities. Example 1. We illustrate these ideas using the simple PTA P in Figure 2(a). We use the standard graphical notation for PTAs and omit probability 1 labels. Applying BuildReachGraph(P, {l3 }) (see Figure 1) yields the symbolic states: Z = {(l0 , x=y), (l1 , x=y), (l1 , y<x−2), (l2 , xy), (l3 , x=y)} and the set of symbolic transitions R. From the first two symbolic states, for example, we have R(l0 , x=y) = {θa } and R(l1 , x=y) = {θb , θc } where:   θa = (l0 , x=y), a, (l1 , x=y),(l2 , xy)   θb = (l1 , x=y), b, (l1 , x=y) , θc = (l1 , x=y), c, (l3 , x=y)

Stochastic Games for Verification of Probabilistic Timed Automata

b y>2 y:=0

l3 , true x=0

l1 , true 0.6

c

y:=0 c x=0∧y=1

x>2 l2 , true y:=0 b x:=0 0.4 a true

l0 , true (a) PTA

(l3 , x=y)

(l1 , x=y)

219

(l1 , y<x−2)

(l2 , xy)

0.6

0.4

(l0 , x=y) (b) MDP

Fig. 2. Analysis of a PTA through MDP-based forwards reachability

The resulting MDP is shown in Figure 2(b). The maximum probability of reaching location l3 in the PTA is 0.6, which results from taking action a in l0 immediately and, if l1 is reached, proceeding straight to l3 . An alternative is to wait for 1 time unit in l0 and then take a, reaching l3 via l2 , however, this results in a lower probability of 0.4. An upper bound on the maximum probability for the PTA is obtained from the maximum probability of reaching (l3 , x=y) in the MDP. The resulting value is 1. This is because the symbolic states for locations l1 and l2 are too coarse to preserve the precise time that action a is taken. 4.2

Game-Based Forwards Reachability

The main limitation of the MDP-based forwards reachability algorithm is that it only provides lower bounds for minimum and upper bounds for maximum reachability probabilities. We now describe how to construct, from a reachability graph, a stochastic game G that yields both lower and upper bounds. The game G is, like the MDP in the previous section, an abstraction of the infinite-state MDP semantics of the PTA, whose state space is the symbolic states Z. We utilise the approach of [13] to represent an abstraction of an MDP as a stochastic two-player game. The basic idea is that the two players in the game represent nondeterminism introduced by the abstraction and nondeterminism from the original model. In a symbolic state (l, ζ) of the game abstraction of a PTA, player 1 first picks a PTA state (l, v) ∈ (l, ζ) and then player 2 makes a choice over the actions that become enabled after letting time pass from (l, v). In order to construct such a game from a reachability graph (Z, R), we first extend the notion of validity to sets of symbolic transitions with the same source. For any symbolic state (l, ζ) ∈ Z and set of symbolic transitions Θ ⊆ R(l, ζ), let:   def valid (Θ) = (∧θ∈Θ valid (θ)) ∧ ∧θ∈R(l,ζ)\Θ ¬valid (θ) . By construction, valid (Θ) identifies precisely the clock valuations v  ζ such that, from (l, v), it is possible to perform a transition encoded by any symbolic transition θ ∈ Θ, but it is not possible to perform a transition encoded by any other symbolic transition of R(l, ζ).

220

M. Kwiatkowska, G. Norman, and D. Parker

BuildGame(Z, R) 1 Z = {(l, ζ) ∈ Z | l = l} 2 for (l, ζ) ∈ Z 3 for Θ ⊆ R(l, ζ) such that Θ = ∅ and valid (Θ) 4 Steps G ((l, ζ), Θ) := {λθ | θ ∈ Θ} 5 return G = (Z, Z, 2R , Steps G )

Fig. 3. Algorithm to construct a stochastic game from a reachability graph

The algorithm BuildGame in Figure 3 describes how to construct, from a reachability graph R, a stochastic game with symbolic states Z. In a state z of the game, player 1 chooses between any non-empty valid set of symbolic transitions Θ ⊆ R(z). Player 2 then selects a symbolic transition θ ∈ Θ. As the following result demonstrates, this game yields lower and upper bounds on either minimum or maximum reachability probabilities of the PTA. Theorem 2. Let P be a PTA with target F . If (Z, R) is a reachability graph for (P, F ) and G is the stochastic game returned by BuildGame(Z, R) (see Figure 3), ub,  then plb, (ZF ) for  ∈ {min, max}. G (ZF )  pP (F )  pG Example 2. We return to the PTA from Figure 2 and the reachability graph constructed in Example 1. The corresponding stochastic game is shown in Figure 4(a). As for PTAs and MDPs, we draw probability distributions as arrows grouped by an arc, omitting the labelling of probability 1 transitions. A set of distributions emanating from a black circle indicates a player 2 choice; the outgoing edges from each symbolic state represent a player 1 choice. Consider, the symbolic state (l1 , x=y), for which there are two symbolic transitions θb and θc (see Example 1). Since valid (θb )=(x=y) and valid (θc )=(x=y=0), we have valid ({θb })=(x=y>0), valid ({θc })=∅ and valid ({θb , θc })=(x=y=0). This tells us that there are two classes of PTA states in (l1 , x=y): those in which both actions b and c become enabled, and those in which only b becomes

(l3 , x=y)

(l1 , y<x−2)

(l1 , x=y)

(l2 , xy)

0.6

0.4

(l0 , x=y) (a) From reachability graph

(l3 , x=y)

(l1 , y<x−2)

(l1 , x=y=0) (l1 , x=y>0) (l2 , xy) 0.6

0.6

0.4

0.4

(l0 , x=y) (b) After one refinement

Fig. 4. Stochastic games for the PTA example of Figure 2

Stochastic Games for Verification of Probabilistic Timed Automata

221

enabled. Thus, in the game state (see Figure 4(a)), we see that player 1 chooses between these two classes and then player 2 chooses an available action. Using Theorem 2, the stochastic game in Figure 4(a) gives bounds on the maximum probability of reaching l3 in the PTA. The upper bound (as for the MDP) is 1 as, after either branch of the initial probabilistic choice, player 1 can make a choice which allows l3 to be reached with probability 1. The lower bound, however, is 0 because player 1 can also, in both cases, make l3 unreachable. As the above example illustrates, it is possible that the difference between the lower and upper bounds from the game is too great to provide useful information. In the next section, we will address this issue by introducing a way to refine the abstraction to reduce the difference between the bounds.

5

Abstraction Refinement

The game-based abstraction approach of [13] has been extended with refinement techniques in [10,11]. Inspired by non-probabilistic counterexample-guided abstraction refinement, the idea is that an initially coarse abstraction is iteratively refined until it is precise enough to yield useful verification results. Crucial to this approach is the use of the lower and upper bounds provided by a stochastic game abstraction as a quantitative measure of the preciseness of the abstraction. The refinement algorithm. Our refinement algorithm takes a reachability graph (Z, R), splits one or more of the symbolic states in Z and then modifies the symbolic transitions of R accordingly. This process is guided by the analysis of the stochastic game constructed from (Z, R), i.e. the bounds for the probability of reaching the target and player 1 strategies that attain these bounds. We now outline the refinement of a single symbolic state (l, ζ) for which the bounds differ and for which distinct player 1 strategies yield each bound.2 A player 1 strategy chooses, for any state in the stochastic game, an action available in the state. By construction, an available action in (l, ζ) is a valid set of symbolic transitions from R(l, ζ). We let Θlb , Θub ⊆ R(l, ζ) denote the distinct player 1 strategy choices for the lower and upper bound respectively. Since the validity conditions for Θlb and Θub identify precisely the clock valuations in ζ for which the corresponding transitions of [[P]] are possible, we split (l, ζ) into:       l, valid (Θlb ) , l, valid (Θub ) and l, ζ ∧ ¬(valid (Θlb ) ∨ valid (Θub )) . By construction, valid (Θlb ) and valid (Θub ) are both non-empty. Furthermore, since Θlb  = Θub , from the definition of validity, we have valid (Θ)∧valid (Θ ) = ∅, and hence the split of (l, ζ) produces a strict refinement of Z. The complete refinement algorithm is shown in Figure 5. Lines 1–4 refine Z, as just described, and lines 5–12 update the set of symbolic transitions R. The result is a new reachability graph, for which the corresponding stochastic game is a refined abstraction of the PTA, satisfying the following properties. 2

From the results of [13] such a state exists when the bounds differ in some state.

222

M. Kwiatkowska, G. Norman, and D. Parker

Refine(Z, R, (l, ζ), Θlb , Θub ) 1 2 3 4 5 6 7 8 9 10 11 12 13

ζlb := valid (Θlb ) ζub := valid (Θub ) Znew := {(l, ζlb ), (l, ζub ), (l, ζ∧¬(ζlb ∨ζub ))} \ {∅} Zref := (Z \ {(l, ζ)})  Znew Rref := ∅ for θ = (z0 , a, z1 , . . . , zn ) ∈ R if (l, ζ) ∈ {z0 , z1 , . . . , zn } then Rref := Rref ∪ {θ} else Θnew := {(z0 , a, z1 , . . . , zn ) | zi ∈ Znew if zi = (l, ζ) and zi = zi o/wise} for θnew ∈ Θnew such that valid (θnew ) = ∅ Rref := Rref ∪ {θnew } return (Zref, Rref )

Fig. 5. Algorithm to refine symbolic state (l, ζ) in reachability graph (Z, R)

Theorem 3. Let P be a PTA with target F and (Z, R) be a reachability graph for (P, F ). If (Zref, Rref) is the result of applying algorithm Refine (see Figure 5) to (Z, R), G = BuildGame(Z, R) and Gref = BuildGame(Zref, Rref), then: (i) (Zref , Rref) is a reachability graph for (P, F ); lb, ub, ub, (ii) plb, (ZF ) for  ∈ {min, max}. G (ZF )  pGref (ZF ) and pGref (ZF )  pG This refinement scheme, applied in a iterative manner, provides a way of computing exact values for minimum or maximum reachability probabilities of a PTA. This algorithm, outlined in Figure 6, starts with the reachability graph constructed through forwards reachability and then repeatedly: (i) builds a stochastic game; (ii) solves the game to obtain lower and upper bounds; and (iii) refines the reachability graph, based on an analysis of the game. The iterative process terminates when the difference between the bounds falls below a given level of precision ε. In fact, as the following result states, this process is guaranteed to terminate, in a finite number of steps, with the precise answer.

AbstractRefine(P, F, , ε) 1 2 3 4 5 6 7 8 9

(Z, R) := BuildReachGraph(P, F ) G := BuildGame(Z, R) ub, (plb, , σ1lb , σ1ub ) := AnalyseGame(G, F, ) G , pG ub, while pG −plb, >ε G choose (l, ζ) ∈ Z (Z, R) := Refine(Z, R, (l, ζ), σ1lb (l, ζ), σ1ub (l, ζ)) G := BuildGame(Z, R) ub, (plb, , σ1lb , σ1ub ) := AnalyseGame(G, F, ) G , pG lb, return [ pG , pub, ] G

Fig. 6. Abstraction-refinement loop to compute reachability probabilities

Stochastic Games for Verification of Probabilistic Timed Automata

223

Theorem 4. Let P be a PTA with target F and  ∈ {min, max}. The algorithm AbstractRefine(P, F, , 0) (see Figure 6) terminates after a finite number of steps ub, and returns [plb, ] where plb, = pP (F ) = pub, . G , pG G G Example 3. We return to our running example (see Figures 2 and 4) and consider the refinement of (l1 , x=y), from which the lower and upper bounds on the maximum probability of reaching location l3 are 0 and 1. The player 1 strategies (see Example 2) to achieve these bounds select Θlb = {θb } and Θub = {θb , θc }, respectively. The validity conditions for these choices are (x=y>0) and (x=y=0), and hence (l1 , x=y) is divided into z1 = (l1 , x=y>0) and z2 = (l1 , x=y). We then update the set R, as described in Figure 5, splitting symbolic transitions whose source or target is (l1 , x=y). For example, θa , θb and θc (see Example 1) are split into, for i = 1, 2:       θai = (l0 , x=y), a, zi , (l2 , xy) , θbi = zi , b, zi and θci = zi , c, (l3 , x=y=0) . After removing θc2 , which is not valid, the resulting stochastic game is shown in Figure 4(b). While this still yields bounds of [0, 1] for the initial state, two subsequent refinement tighten this to [0.6, 1.0] and then [0.6, 0.6].

6

Experimental Results

Implementation. We have implemented a prototype PTA model checker based on the techniques in this paper. It uses difference-bound matrices (DBMs) to represent zones. Since refinement can introduce non-convex zones, we also employ lists of DBMs. Our tool takes a textual description of a PTA (or the parallel composition of several PTAs) and a set of target locations. It then executes the abstraction-refinement loop described in Section 5 to compute either the minimum or maximum reachability probability. Several aspects of the abstraction-refinement implementation merit further discussion. In particular, the refinement process presented in Section 5 discusses the refinement of a single symbolic state. Because each refinement requires a potentially expensive numerical solution phase, an efficient scheme to select which state (or states) are to be split is essential. In fact, we found it possible to obtain very good performance with relatively simple heuristics. In the results presented here, we simply refine all states for which the lower and upper bounds differ. Our implementation includes several useful optimisations. Firstly, we modify the BuildGame algorithm so that it only rebuilds states of a stochastic game that have actually been modified during refinement. Secondly, we use the techniques described in [10] to re-use numerical results between refinement iterations, reducing the amount of numerical solution required. Experimental results. We evaluate our implementation on 7 large PTA case studies from the literature: (i) csma and csma abst, two models of the IEEE 802.3 CSMA/CD protocol; (ii) firewire and firewire abst, two models of the IEEE 1394 FireWire root contention protocol; (iii) zeroconf, the Zeroconf network configuration protocol; and (iv) nrp honest and nrp malicious, two model of Markowitch

224

M. Kwiatkowska, G. Norman, and D. Parker

Table 1. Performance statistics and comparisons for game-based PTA verification Case study Game-based Backwards Digital clocks (parameters) verification reachability [17] [15] [min / max] Iters States Time (s) States Time (s) States Time (s) csma 24 10 6,476 3.9 243 20.7 n/a n/a (max backoff 2 8 10 18,196 8.9 575 77.8 n/a n/a collisions) 44 10 34,826 20.5 303 1443.7 n/a n/a [max] 48 10 239,298 431.4 time out time out n/a n/a csma ∞ 0 117 0.2 0 8.7 5240 21.2 abst 1000 0 6,392 1.9 366 68.2 1,876,105 71.2 (deadline) 2000 37 24,173 20.7 722 367.8 6,570,692 651.8 [min] 3000 76 79,608 448.0 1,736 1436.3 11,780,692 1951.9 ∞ 0 257 0.7 127 26.4 212,268 39.7 firewire 25 0 1,369 2.0 1,004 839.5 14,089,691 324.6 (deadline) 50 17 4,215 10.6 3,096 3149.9 time out time out [min] 75 34 10,252 83.4 time out time out mem out mem out firewire ∞ 0 10 0.03 0 1.0 776 0.3 abst 50 7 205 0.25 63 2.4 298,010 14.5 (deadline) 100 19 1,023 1.76 180 3.8 686,008 36.4 [min] 200 40 9,059 26.1 640 26.4 1,462,010 149.2 ∞ 0 26 0.17 19 0.22 357 1.69 zeroconf 100 0 132 0.16 15 0.32 8,423 0.93 (deadline) 150 13 380 0.44 101 0.72 23,888 1.71 [max] 200 17 670 0.73 274 4.77 41,713 2.92 nrp ∞ 0 5 0.04 0 0.70 n/a n/a honest 40 19 428 1.80 33 5.25 n/a n/a (deadline) 80 39 1,448 3.56 63 6.18 n/a n/a [min] 100 49 2,183 5.35 78 6.97 n/a n/a nrp ∞ 11 351 1.3 62 1.5 n/a n/a malicious 5 3 1,663 1.5 75 2.9 n/a n/a (deadline) 10 15 8,080 11.1 408 117.3 n/a n/a [max] 20 7 49,622 218.1 1,108 1606.5 n/a n/a

Min/Max reachability probability 0.143555 0.005259 0.076904 1.65e-5 1.0 0.0 0.869791 0.999820 1.0 0.5 0.78125 0.931641 1.0 0.78125 0.974731 0.999630 0.001302 6.52e-4 0.001073 0.001222 1.0 0.612580 0.864915 0.920234 0.105658 0.1 0.105363 0.105657

& Roggeman’s non-repudiation protocol. Full details of all these case studies, their parameters, and the properties checked are available.3 We present a comparison of our implementation with the two other existing techniques for reachability analysis of PTAs: backwards reachability [17] and digital clocks [15]. For the former, we use the implementation of [17] which uses PRISM as a back-end to analyse MDP. For the latter, we use a simple languagelevel translation. We do not consider the MDP-based forwards reachability algorithm [16,5] since this does compute exact probability values and is thus not directly comparable. All experiments were run on a 2GHz PC with 2GB RAM. Any run exceeding a time-limit of 1 hour was disregarded. Table 1 summarises the experimental results. We give, for each PTA and each applicable analysis technique,4 the total time required and the size of the probabilistic model constructed. For backwards reachability and digital clocks, this model is an MDP; for our approach, it is a stochastic game (we give the size of the final game constructed during abstraction-refinement). For backwards reachability, the time given includes both generation of an MDP and its solution in PRISM; for digital clocks, the value is just the solution time in PRISM. 3 4

http://www.prismmodelchecker.org/files/formats09/ The digital clocks approach is not applicable to several of the case studies since the PTAs contain zones with strict constraints.

Stochastic Games for Verification of Probabilistic Timed Automata

225

For our game-based verification approach, we give the total time for all steps: reachability graph generation and multiple iterations of game construction, solution and analysis. The number of refinement steps required is also shown; in all cases, we refine until precise values are obtained (i.e. ε=0). Finally, Table 1 also gives the actual reachability probability for each model checking query and whether this a minimum or maximum value. Analysis of the results. Our game-based approach to PTA verification performs extremely well. In all cases, it is faster than both backwards reachability and digital clocks, often by several orders of magnitude. We are also able to analyse PTAs too large to be verified using the digital clocks approach. In terms of the size of the probabilistic models generated by the three techniques, we find that backwards reachability usually yields the smallest state spaces. This is because it only considers symbolic states for which the required probability is greater than 0. Thanks to the fact that our approach avoids some of the complex zone operations required for backwards reachability, we are able to consistently outperform it, despite this fact. On PTAs with a very small number of clocks (e.g. firewire abst has only 2), the overhead of these complex operations is reduced and backwards reachability performs better. By contrast, for PTAs with more clocks (firewire has 7 and csma has 5), the opposite is true. The reason that our game-based technique outperforms the digital clocks approach is that the latter generates models with much larger state spaces, which are slow to analyse, even with the efficient symbolic techniques of PRISM.

7

Conclusions

We have presented a novel technique for the verification of probabilistic automata, based on the use of two-player stochastic games to represent abstractions of their semantics. Our approach generates lower and upper bounds for either minimum or maximum reachability probabilities and then iteratively refines the game to compute the exact values in a finite number of steps. We have implemented this process and shown that it outperforms existing PTA verification techniques on a wide range of large case studies. Our approach can easily be extended to compute expected-reward properties for the case where rewards are associated with transitions of a PTA. Furthermore, we plan to adapt our techniques to compute lower and upper bounds on more general classes of rewards properties. Another direction of future work is the investigation of improved abstraction-refinement schemes. The simple approach adopted in this paper works very well but we anticipate that there is considerable scope for improving performance further in this way. Finally, we also plan to apply this approach to the verification of real-time properties of software. Acknowledgments. The authors are supported in part by EPSRC grants EP/D07956X and EP/D076625.

226

M. Kwiatkowska, G. Norman, and D. Parker

References 1. Beauquier, D.: Probabilistic timed automata. Theoretical Computer Science 292(1), 65–84 (2003) 2. Bouyer, P.: Untameable timed automata! In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 620–631. Springer, Heidelberg (2003) 3. Chen, T., Han, T., Katoen, J.-P.: Time-abstracting bisimulation for probabilistic timed automata. In: Proc. TASE 2008, pp. 177–184. IEEE CS Press, Los Alamitos (2008) 4. Condon, A.: The complexity of stochastic games. Inf. and Comp. 96(2), 203–224 (1992) 5. Daws, C., Kwiatkowska, M., Norman, G.: Automatic verification of the IEEE 1394 root contention protocol with KRONOS and PRISM. International Journal on Software Tools for Technology Transfer (STTT) 5(2-3), 221–236 (2004) 6. Daws, C., Olivero, A., Tripakis, S., Yovine, S.: The tool Kronos. In: Alur, R., Sontag, E.D., Henzinger, T.A. (eds.) HS 1995. LNCS, vol. 1066, pp. 208–219. Springer, Heidelberg (1996) 7. Dierks, H., Kupferschmid, S., Larsen, K.G.: Automatic abstraction refinement for timed automata. In: Raskin, J.-F., Thiagarajan, P.S. (eds.) FORMATS 2007. LNCS, vol. 4763, pp. 114–129. Springer, Heidelberg (2007) 8. Henzinger, T., Nicollin, X., Sifakis, J., Yovine, S.: Symbolic model checking for real-time systems. Inf. and Comp. 111(2), 193–244 (1994) 9. Jensen, H.: Model checking probabilistic real time systems. In: Proc. 7th Nordic Workshop on Programming Theory, pp. 247–261 (1996) 10. Kattenbelt, M., Kwiatkowska, M., Norman, G., Parker, D.: A game-based abstraction-refinement framework for Markov decision processes. Technical Report RR-08-06, Oxford University Computing Laboratory (February 2008) 11. Kattenbelt, M., Kwiatkowska, M., Norman, G., Parker, D.: Abstraction refinement for probabilistic software. In: Jones, N.D., M¨ uller-Olm, M. (eds.) VMCAI 2009. LNCS, vol. 5403, pp. 182–197. Springer, Heidelberg (2009) 12. Kemper, S., Platzer, A.: SAT-based abstraction refinement for real-time systems. In: Proc. FACS 2006. ENTCS, vol. 182, pp. 107–122 (2007) 13. Kwiatkowska, M., Norman, G., Parker, D.: Game-based abstraction for Markov decision processes. In: Proc. QEST 2006, pp. 157–166. IEEE CS Press, Los Alamitos (2006) 14. Kwiatkowska, M., Norman, G., Parker, D.: Stochastic games for verification of probabilistic timed automata. Technical Report RR-09-05, Oxford University Computing Laboratory (2009) 15. Kwiatkowska, M., Norman, G., Parker, D., Sproston, J.: Performance analysis of probabilistic timed automata using digital clocks. Formal Methods in System Design 29, 33–78 (2006) 16. Kwiatkowska, M., Norman, G., Segala, R., Sproston, J.: Automatic verification of real-time systems with discrete probability distributions. Theoretical Computer Science 282, 101–150 (2002) 17. Kwiatkowska, M., Norman, G., Sproston, J., Wang, F.: Symbolic model checking for probabilistic timed automata. Inf. and Comp. 205(7), 1027–1077 (2007) 18. Larsen, K., Pettersson, P., Yi, W.: UPPAAL in a nutshell. International Journal on Software Tools for Technology Transfer 1(1-2), 134–152 (1997) 19. Puterman, M.: Markov Decision Processes: Discrete Stochastic Dynamic Programming. John Wiley and Sons, Chichester (1994)

Stochastic Games for Verification of Probabilistic Timed Automata

227

20. Shapley, L.: Stochastic games. Proc. National Academy of Science 39, 1095–1100 (1953) 21. Sorea, M.: Lazy approximation for dense real-time systems. In: Lakhnech, Y., Yovine, S. (eds.) FORMATS 2004 and FTRTFT 2004. LNCS, vol. 3253, pp. 363– 378. Springer, Heidelberg (2004) 22. Tripakis, S.: The formal analysis of timed systems in practice. PhD thesis, Universit´e Joseph Fourier (1998) 23. Tripakis, S.: Verifying progress in timed systems. In: Katoen, J.-P. (ed.) AMASTARTS 1999, ARTS 1999, and AMAST-WS 1999. LNCS, vol. 1601, pp. 299–314. Springer, Heidelberg (1999) 24. Tripakis, S., Yovine, S., Bouajjani, A.: Checking timed B¨ uchi automata emptiness efficiently. Formal Methods in System Design 26(3), 267–292 (2005)

Checking Timed B¨ uchi Automata Emptiness Using LU-Abstractions Guangyuan Li State Key Laboratory of Computer Science, Institute of Software, The Chinese Academy of Sciences, Beijing, 100190, P.R. of China [email protected]

Abstract. This paper shows that the zone-based LU-extrapolation of Behrmann et al, that preserves reachability of timed automata, also preserves emptiness of timed B¨ uchi automata. This improves the previous results by Tripakis et al who showed that the k-extrapolation preserves timed B¨ uchi automata emptiness. The LU-extrapolation is coarser than k-extrapolation, allowing better state space reductions. A tool with LUextrapolation for emptiness checking of timed B¨ uchi automata has been implemented, and some experiments are reported.

1

Introduction

Timed automata[1,4] are a popular formalism for modeling and verification of realtime systems. In the past decade, several tools for the model checking of timed automata have been developed and used, including Uppaal, Kronos, Red, etc. However, most of the model checkers for timed automata are oriented to the branching-time temporal logics(such as CTL and its real-time extension TCTL). Due to the limitation of branching-time temporal logics, these tools are not very convenient for checking liveness properties, such as ‘if a request occurs infinitely often, so does the response’[1]. Linear-time based temporal logics, such as LTL[19] and MITL[6], are good candidates for expressing liveness properties of real-time systems. At the time when the notion of timed automata was proposed, Alur et al. proposed an automata-theoretic approach via automata emptiness for model checking linear-time temporal properties of timed automata. The main idea is that, to verify whether a timed automaton A satisfies a linear-time based temporal formula ϕ, the model checking algorithm constructs a timed B¨ uchi automaton A¬ϕ that accepts all timed words that violate ϕ, and checks whether the product of A with A¬ϕ has a nonempty language[1,4,5,6]. In this way, the model checking of linear-time properties for timed automata is reduced to the emptiness checking problem of timed B¨ uchi automata[4]. Therefore, developing an efficient emptiness checking algorithm for timed B¨ uchi automata is extremely important for model checking linear-time properties of timed automata. 

Supported by the National Natural Science Foundation of China under Grant Nos. 60673051, 60736017, 60721061.

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 228–242, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Checking Timed B¨ uchi Automata Emptiness Using LU-Abstractions

229

Most of the model checking tools of timed automata follow the zone-based symbolic approach. With this approach, a symbolic state is a convex set of clock valuations called a zone, and the state space of a timed automaton is a zonegraph( called exact simulation graph in [20]). However, the zone-graph of a timed automaton may be infinite, which can be a problem with respect to the termination of model checking. To overcome this problem, zone-based abstractions are introduced to define the finite versions of the zone-graph. Generally a zone-based abstraction a is a mapping from zones to zones such that a has a finite range and Z ⊆ a(Z) for each zone Z. Given a zone-based abstraction, a finite abstract transition system( see Def. 11) can be defined for each timed automaton, it may preserve some interesting properties of the original timed automaton and can be used for model checking purpose. The most well-known zone-based abstraction is the k-extrapolation(called knormalization in [11], k-approximation in [12], and zone-closure operator in [20]). Bouyer has showed in [12] that k-extrapolation preserves the reachabilitity of diagonal-free timed automata(all timed automata are assumed to be diagonalfree in this paper) and Tripakis has showed in [20] that k-extrapolation preserves the emptiness of timed B¨ uchi automata. The LU-extrapolation of Behrmann et al [9] is a more effective zone-based abstraction than k-extrapolation. It has been proved to be sound and complete w.r.t. reachability and has been implemented in Uppaal for reachability analysis. In [20] Tripakis raised the question about whether the LU-extrapolation can be used to check timed B¨ uchi automata emptiness? In the last paragraph of [20], he said, “It would also be interesting to study whether other, coarser, zone-based abstraction, such as the inclusion abstraction proposed in [Daws and Tripakis 1998] or the abstractions proposed in [Behrmann et al. 2004], can be used to check timed B¨ uchi automata emptiness.” In this paper we will show that the LU-extrapolation preserves the emptiness of timed B¨ uchi automata and can be used efficiently in the emptiness checking of timed B¨ uchi automata. A prototype tool called CTAV has been implemented for model checking the emptiness of timed B¨ uchi automata. One can choose either LU-extrapolation or k-extrapolation to perform the emptiness checking with CTAV. Experimental results shows that LU-extrapolation is more efficient than k-extrapolation. The rest of this paper is organized as follows. Section 2 gives the notations and preliminaries. Section 3 focuses on the symbolic semantics and the zonebased abstractions. Section 4 is the main theoretical results. Section 5 is the experimental comparisons of LU-extrapolation and k-extrapolation, and Section 6 is a comparison with related works.

2

Timed B¨ uchi Automata

Definition 1. Let X be a finite set of clocks, the set Φ(X) of clock constraints over X is defined by the grammar φ ::= true | x ∼ m | φ1 ∧ φ2 where x ∈ X, ∼∈ {<, ≤, >, ≥} and m ∈ N(N is the set of nonnegative integers).

230

G. Li

A clock valuation μ over X is a mapping from X to the time domain R≥0 (nonnegative reals). We use Val(X, R≥0 ) to denote the set of all clock valuations over X. For δ ∈ R≥0 , we write μ + δ for the clock valuation that assigns to each clock x ∈ X the value μ(x) + δ. For λ ⊆ X, we use μ[λ := 0] to denote the clock valuation that for each y ∈ λ gives 0 and for each x ∈ X−λ gives the value μ(x). A clock valuation μ satisfies a clock constraint φ, written μ |= φ, iff φ evaluates to true according to the values given by μ. Definition 2. A timed automaton (TA) is a tuple M=< L, l0 , Σ, X, I, E >, where – – – – –

L is a finite set of locations, and l0 ∈ L is the initial location; Σ is a finite set of labels; X is a finite set of clocks; I is a mapping from L to Φ(X), and I(l) is called the invariant of l; E ⊆ L × Φ(X) × Σ × 2X × L is a set of edges. Each edge (l1 , g, a, λ, l2 ) ∈ E represents a switch labeled with a from location l1 to location l2 . The guard g is a clock constraint that specifies when the switch is enabled, and the set λ ⊆ X gives the clocks to be reset to 0 with this switch.

A state of M is a pair (l, μ), where l ∈ L, and μ ∈Val(X, R≥0 ). The initial state → − → − of M is the pair (l0 , 0 ), where l0 is the initial location of M, and 0 (x) = 0 for all x ∈ X. The semantics of M is defined to be a labeled transition system (SM , s0 , Σ ∪ R≥0 , →), where – SM = L×Val(X, R≥0 ) is the set of all states, → − – s0 = (l0 , 0 ) is the initial state, – →⊆ SM × (Σ ∪ R≥0 ) × SM is a set of transitions, and → consists of two kinds of transitions: δ 1. delay transition: (l, μ) − → (l, μ+δ), if δ ∈ R≥0 , μ |= I(l), and μ+δ |= I(l); a 2. discrete transition: (l, μ) − → (l , μ[λ := 0]), if there is an edge (l, g, a, λ, l) ∈ E such that μ |= g, and μ[λ := 0] |= I(l ). δ a

δ

Given s, s ∈ SM , we write s − →− → s if there exists s ∈ SM such that s − → s  a  and s − →s. A timed ω-word over Σ is an infinite sequence of the form w = (a0 , t0 )(a1 , t1 ) (a2 , t2 ) . . . with ti ∈ R≥0 , ti ≤ ti+1 and ai ∈ Σ for all i ∈ N. The corresponding untimed ω-word of w is untimed(w)=a0 a1 a2 . . .. A timed ω-word w = (a0 , t0 )(a1 , t1 )(a2 , t2 ) . . . is called accepting by M if t0 a0 there exists an infinite sequence s0 s1 s2 . . . of states such that s0 −→ −→ s1 , t −t t1 −t0 a1 t2 −t1 a2 i i−1 ai s1 −−−→−→ s2 , s2 −−−→−→ s3 , . . . , si −−−−−→−→ si+1 , . . ., and s0 is the initial state of M. In such a case, the infinite sequence s0 s1 s2 . . . is called an infinite run (or path) over the word w. A timed ω-word w = (a0 , t0 )(a1 , t1 )(a2 , t2 ) . . . is called non-zeno if {ti }i∈N is an unbounded sequence. Otherwise, the timed ω-word is called zeno.

Checking Timed B¨ uchi Automata Emptiness Using LU-Abstractions

231

Definition 3. The timed ω-language for a timed automaton M, denoted L(M), is defined to be the set of all accepting timed ω-words of M. Definition 4. (Timed B¨ uchi automaton[4]) A timed B¨ uchi automaton (TBA) is a pair B=(M, F ), where M= < L, l0 , Σ, X, I, E > is a timed automaton, and F ⊆ Σ is a set of accepting labels. The timed B¨ uchi automaton B has the same states, delay transitions, and discrete transitions as the timed automaton M. The main difference between B and M lies in their accepting timed ω-words. Definition 5. (Accepting timed ω-words) Let B=(M, F ) be a TBA and w = (ai , ti )i∈ N be a timed ω-word over Σ. w is accepting by B if w is accepting by M, and there exists one label in F that appears infinitely often in the sequence a0 a1 a2 . . ., that is, for any n ∈ N, there is a k > n, such that ak ∈ F . Definition 6. (Language and emptiness problem for TBA). The language of B, denoted L(B), is defined to be the set of all accepting timed ω-words of B. The emptiness problem for B is to check whether L(B) = ∅. L(B) may include zeno words, the transformation in Page 273 of [21] can help us to restrict L(B) only to non-zeno words. Alur and Dill presented a procedure for checking the emptiness of TBA in [4], and showed that the emptiness problem for TBA is PSPACE-complete. The main idea in their approach is to divide the infinite state space of a timed automaton into finite equivalence classes and obtain a finite quotient automaton( called region automaton[4]) which preserves some desired properties of the original timed automaton. Definition 7. Let M= < L, l0 , Σ, X, I, E > be a TA. Two states (l1 , μ1 ) and (l2 , μ2 ) of M are called equivalent, denoted (l1 , μ1 ) ≡M (l2 , μ2 ), iff l1 = l2 , and μ1 μ2 . The relation μ1 μ2 holds if the following conditions are met: – for each x ∈ X, μ1 (x) > cx iff μ2 (x) > cx 1 ; – for all x, y ∈ X, if μ1 (x) ≤ cx and μ1 (y) ≤ cx then2 • μ1 (x) = μ2 (x), • f rac(μ1 (x)) = 0 iff f rac(μ2 (x)) = 0, and • f rac(μ1 (x)) ≤ f rac(μ1 (y)) iff f rac(μ2 (x)) ≤ f rac(μ2 (y)). The equivalence relation is called the region equivalence, and there are only finitely many -equivalence classes(called regions). Definition 8. (Time-abstracting simulation and time-abstracting bisimulation) 1. A time-abstracting simulation R is a binary relation over SM satisfying the following conditions: 1 2

cx = max{m | x ∼ m is a clock constraint in M}. . denotes the integral part of a real number and f rac(.) the fractional part.

232

G. Li a

a

– If s1 Rs2 and s1 − → s1 , then there exists s2 − → s2 such that s1 Rs2 ; δ

δ

1 2 – If s1 Rs2 , δ1 ∈ R≥0 and s1 −→ s1 , then there exist δ2 ∈ R≥0 and s2 −→ s2 such that s1 Rs2 . 2. If both R and R−1 are time-abstracting simulations, then R is called a timeabstracting bisimulation.

Lemma 1. The equivalence relation ≡M is a time-abstracting bisimulation [2]. a

a

Notations. We write s − →ε s if there exist s ∈ SM and δ ∈ R≥0 such that s − → a1 ,a2 ,...,ak   δ   s and s − → s . We write s −−−−−−−→ s if there exist s , s , . . . , s ∈ S ε 1 2 k−1 M ak a1 a2 a3  such that s −→ ε s1 , s1 −→ε s2 , s2 −→ε s3 , . . ., and sk−1 −→ε s . a1 ,a2 ,...,ak

Lemma 2. Let R be a time-abstracting simulation, and s1 Rs1 . If s1 −−−−−−−→ε a1 ,a2 ,...,ak s2 , then there exists s2 such that s1 −−−−−−−→ε s2 , and s2 Rs2 . a1 ,a2 ,...,ak

Lemma 3. If s1 −−−−−−−→ε s2 and s1 ≡M s2 , then there is an infinite sequence a1 ,a2 ,...,ak of states s1 s2 s3 s4 . . . such that for each i ≥ 1, si −−−−−−−→ε si+1 . Proof. We define sk (k = 3, 4, . . .) by induction on k. a1 ,a2 ,...,ak Basis: By Lemma 1 and Lemma 2, there exists s3 such that s2 −−−−−−−→ε s3 , and s2 ≡M s3 . Inductive assumption: Assume that we have s1 s2 . . . sk such that for each a1 ,a2 ,...,ak i ∈ {1, 2, . . . , k − 1}, si −−−−−−−→ε si+1 , and sk−1 ≡M sk . a1 ,a2 ,...,ak Inductive step: Since sk−1 −−−−−−−→ε sk , and sk−1 ≡M sk , by Lemma 2 a1 ,a2 ,...,ak there exists sk+1 such that sk −−−−−−−→ε sk+1 , and sk ≡M sk+1 . Thus, by the principle of mathematical induction, we get an infinite sequence a1 ,a2 ,...,ak of states s1 s2 s3 s4 . . . such that for each i ≥ 1, si −−−−−−−→ε si+1 . 

3

Symbolic Semantics and Zone-Based Abstractions

This section will recall some basic concepts and results about symbolic semantics and zone-based abstractions, and make some preparations for our main theoretical results which will be presented in the next section. Definition 9. (Extended clock constraints) Let X be a finite set of clocks, the set Φ+ (X) of extended clock constraints over X is defined by the grammar φ ::= x ∼ m | x − y ∼ m | φ1 ∧ φ2 where x, y ∈ X, ∼∈ {<, ≤, >, ≥} and m ∈ N. A clock valuation μ ∈Val(X, R≥0 ) satisfies an extended clock constraint φ, written μ |= φ, iff φ is true under the assignment μ. Let X be a finite set of clocks, a zone D over X is a set of clock valuations over X that can be represented by an extended clock constraint φ ∈ Φ+ (X), that is, D={μ | μ |= φ}. We use Zone(X) to denote the set of all zones over X.

Checking Timed B¨ uchi Automata Emptiness Using LU-Abstractions

233

Lemma 4. [2] Let D be a zone over X and λ ⊆ X. Then D↑ = {μ + δ | μ ∈ D ∧ δ ∈ R≥0 }, and D[λ := 0] = {μ[λ := 0] | μ ∈ D} are also zones over X. A symbolic state of a TA is a pair (l, D), where l is a location and D is a zone. Definition 10. (Symbolic semantics) Let M=< L, l0 , Σ, X, I, E > be a timed automaton, the symbolic semantics of M is a labeled transition system SG(M)=(SM , S0 , Σ, =⇒), where – SM = L×Zone(X) is the set of all symbolic states; → − – S0 =(l0 , { 0 }↑ ∧I(l0 )) is the starting symbolic state; a – (l1 , D1 ) =⇒ (l2 , D2 ) if there is an edge (l1 , g, a, λ, l2 ) ∈ E such that D2 = ((D1 ∧ g)[λ := 0] ∧ I(l2 ))↑ ∧ I(l2 ), and D2  = ∅. Notation: Let s = (l1 , μ) be a state, and S = (l2 , D) be a symbolic state, we write s  S iff l1 = l2 and μ ∈ D. Lemma 5. a a 1. If S =⇒ S  and s  S  , then s − →ε s for some s  S. a a 2. If s − →ε s and s  S, then S =⇒ S  for some S  with s  S  . Proof. See Theorem 11.5 of [2].  The transition system SG(M) may be an infinite system. To obtain a finite transition system, some kind of abstraction[10] on SG(M) is needed. In this paper we consider abstraction to be a mapping C from SM to SM , satisfying the following conditions: – If (l2 , D2 ) = C ((l1 , D1 )), then l1 = l2 , and D1 ⊆ D2 ; – There exists a time-abstracting simulation C such that if S2 = C (S1 ), then for each s  S2 , there is a s  S1 satisfying s C s . Obviously, if s  S, then s  C (S). We say an abstraction C is a finite abstraction if the image of C is finite, that is, the set {C (S) | S ∈ SM } is finite. Examples: The four extrapolation operators ExtraM , Extra+ M , ExtraLU , and Extra+ LU in section 4 of [9] provide us four instances of finite abstraction. For + each Extra ∈ {ExtraM , Extra+ M , ExtraLU , ExtraLU }, the mapping CExtra which assigns (l, Extra(D)) to (l, D) is a finite abstraction. ExtraM is the kextrapolation and ExtraLU is the LU-extrapolation. Definition 11. (Abstract symbolic semantics) Given a finite abstraction C , we can construct a finite labeled transition system A(M,C ) =(QM , Q0 , Σ, =⇒C ) as follows: – QM = {C (S) | S ∈ SM }; → − – Q0 = C ((l0 , D0 )) is the starting state, where D0 = { 0 }↑ ∧I(l0 ) ; a a – Q1 =⇒C Q2 if there is a S ∈ SM such that Q1 =⇒ S and Q2 = C (S).

234

G. Li

Uppaal has used such an abstract symbolic semantics for reachability analysis [9]. In the next section we will show that it can be used to check the TBA emptiness. In the rest of this section, we give some lemmas that will be used in the next section. These lemmas tell us that if there is a reachable cycle in (QM , Q0 , Σ, =⇒C ), then we can construct an infinite run of M. Lemma 6. a 1. If Q1 =⇒C Q2 , and s  Q2 , then there exist some s1 , s2 such that s1  Q1 , a s1 − →ε s2 , and s C s2 . a a 2. If s1 − →ε s2 and s1  Q1 , then Q1 =⇒C Q2 for some Q2 with s2  Q2 . Proof. a

a

1. By Q1 =⇒C Q2 , we know that there exists a S such that Q1 =⇒ S and Q2 = C (S). For any s  Q2 , since Q2 = C (S), there is a s2  S such that s C s2 . a Since Q1 =⇒ S and s2  S, by Lemma 5, there is a s1  Q1 such that a s1 − →ε s2 . a 2. By Lemma 5, there is a zone S such that Q1 =⇒ S with s2  S. a Let Q2 = C (S), then s2  Q2 and Q1 =⇒C Q2 .  a1 ,a2 ,...,ak Notation. For Q, Q ∈ QM , we write Q =======⇒C Q if there exist some a1 a2 a3 Q1 , Q2 , . . . , Qk−1 ∈ QM such that Q =⇒ C Q1 , Q1 =⇒C Q2 , Q2 =⇒C Q3 , . . . , ak Qk−1 =⇒C Q . a1 ,a2 ,...,ak

Lemma 7. If Q1 =======⇒C Q2 , and s  Q2 , then there exist s1 , s2 such that a1 ,a2 ,...,ak s1  Q1 , s1 −−−−−−−→ε s2 , and s C s2 . Proof. We prove the lemma by induction on k. Basis: By Lemma 6, the lemma is true for k = 1. Inductive assumption: Assume that the lemma is true for k = n. Inductive step: Now we prove that the lemma is true for k = n + 1. a1 ,a2 ,...,an+1 Q1 =========⇒C Q2 implies that there exists a Q ∈ QM such that an+1 a1 ,a2 ,...,an Q1 =======⇒C Q and Q ===⇒C Q2 . an+1

By Lemma 6 and the fact that Q ===⇒C Q2 and s  Q2 , we have s and s such that an+1

s  Q, s −−−→ε s , and s C s . a1 ,a2 ,...,an

(1).

Since Q1 =======⇒C Q and s  Q, by induction hypothesis, there exist s1 and s such that a1 ,a2 ,...,an s1  Q1 , s1 −−−−−−−→ε s , and s C s . (2).    an+1  Since s C s and s −−−→ε s , by Lemma 2 it follows that there is a s2 an+1 such that s −−−→ε s2 and s C s2 .

Checking Timed B¨ uchi Automata Emptiness Using LU-Abstractions

235

Since C is transitive, then from the fact that s C s and s C s2 we have that s C s2 . an+1 a1 ,a2 ,...,an ,an+1 a1 ,a2 ,...,an By s1 −−−−−−−→ε s and s −−−→ε s2 , we obtain that s1 −−−−−−−−−−−→ε s2 . Thus the lemma is true for k = n + 1.  a1 ,a2 ,...,ak

Lemma 8. If Q =======⇒C Q and s  Q, then for any n ≥ 1, there exist s1 s2 s3 . . . sn+1 such that s1  Q, s C sn+1 , and for each i ∈ {1, 2, . . . , n}, a1 ,a2 ,...,ak si −−−−−−−→ε si+1 . Proof. We prove the lemma by induction on n. Basis: By Lemma 7, the lemma is true for n = 1. Inductive assumption: Assume that the lemma is true for n = m. Inductive step: Now we prove that the lemma is true for n = m + 1. a1 ,a2 ,...,ak   Since Q =======⇒ C Q and s  Q, by Lemma 7, there exist s , s such that a   1 ,a2 ,...,ak   s  Q, s −−−−−−−→ε s , and s C s . a1 ,a2 ,...,ak Applying the induction hypothesis to Q =======⇒C Q and s  Q, we know that there exist s1 , s2 , s3 , . . . , sm+1 such that s1  Q, s C sm+1 , and for each a1 ,a2 ,...,ak i ∈ {1, 2, . . . , m}, si −−−−−−−→ε si+1 . a ,a ,...,a 1 2 k Since s −−−−−−−→ε s and s C sm+1 , by Lemma 2, there exists a sm+2 a1 ,a2 ,...,ak such that sm+1 −−−−−−−→ε sm+2 , and s C sm+2 . Since s C s and s C sm+2 implies s C sm+2 , thus the lemma is true for n = m + 1.  a1 ,a2 ,...,ak

Lemma 9. If Q =======⇒C Q and s  Q, then there exist s1 s2 s3 . . . sm and i ∈ {2, 3, . . . , m− 1} such that s1  Q, si ≡M sm , and for each j ∈ {1, 2, . . . , m− a1 ,a2 ,...,ak 1}, sj −−−−−−−→ε sj+1 . Proof. We know that there are only finitely many ≡M -equivalence classes. Let n be an integer greater than the number of ≡M -equivalence classes. By Lemma 8, there exist s1 , s2 , s3 , . . . , sn+1 such that s1  Q, and for each i ∈ {1, 2, . . . , n}, a1 ,a2 ,...,ak si −−−−−−−→ε si+1 . Since the sequence of states s2 s3 s4 . . . sn+1 has length n, by the pigeonhole principle, there exist i, m ∈ {2, 3, . . . , n + 1} such that i < m and si ≡M sm .  a1 ,a2 ,...,ak ∗ a1 ,a2 ,...,ak Notation. We write s −−−−−−−→ε s if s −−−−−−−→ε s or there exist some a1 ,a2 ,...,ak a1 ,a2 ,...,ak s1 , s2 , . . . , sn (n ≥ 1) such that s −−−−−−−→ε s1 , s1 −−−−−−−→ε s2 , . . . , sn−1 a1 ,a2 ,...,ak a1 ,a2 ,...,ak −−−−−−−→ε sn and sn −−−−−−−→ε s . a1 ,a2 ,...,ak

Lemma 10. If Q =======⇒C Q, then there exist s , s , s such that s  Q, a1 ,a2 ,...,ak ∗ a1 ,a2 ,...,ak ∗ s −−−−−−−→ε s , s −−−−−−−→ε s and s ≡M s . a1 ,a2 ,...,ak

Proof. Since Q =======⇒C Q, by Definition 10, there exists a s  Q. By Lemma 9, there exist s1 , s2 , s3 , . . . , sm and i ∈ {2, 3, . . . , m−1} such that s1  Q, a1 ,a2 ,...,ak si ≡M sm , and for each j ∈ {1, 2, . . . , m − 1}, sj −−−−−−−→ε sj+1 .

236

G. Li a1 ,a2 ,...,ak ∗

Let s = s1 , s = si , and s = sm , then s  Q, s −−−−−−−→ε s , a1 ,a2 ,...,ak ∗ s −−−−−−−→ε s , and s ≡M s .  a1 ,a2 ,...,ak ∗

Lemma 11. If s1 −−−−−−−→ε s2 and s1 ≡M s2 , then there is an infinite sea1 ,a2 ,...,ak ∗ quence of states s1 s2 s3 s4 . . . such that for each i ≥ 1, si −−−−−−−→ε si+1 . 

Proof. Follows immediately from Lemma 3. a1 ,a2 ,...,ak

Lemma 12. If Q =======⇒C Q, then there exists an infinite sequence of states a1 ,a2 ,...,ak ∗ s1 s2 s3 s4 . . . such that s1  Q, and for each i ≥ 1, si −−−−−−−→ε si+1 . a1 ,a2 ,...,ak ∗

Proof. By Lemma 10, there exist s1 , s2 , s3 such that s1  Q, s1 −−−−−−−→ε s2 , a1 ,a2 ,...,ak ∗ s2 −−−−−−−→ε s3 and s2 ≡M s3 . By Lemma 11, there is an infinite sequence of states s2 s3 s4 . . . such that for a1 ,a2 ,...,ak ∗ each i ≥ 2, si −−−−−−−→ε si+1 . 

4

Checking the Emptiness of TBA Using Zone-Based Abstractions

First we give a definition for B¨ uchi automata, it is a variant of the classical definition[8]. Definition 12. (B¨ uchi automaton) A B¨ uchi automaton (BA) B is a tuple (Q, q0 , Σ, − →, F ) where – – – –

Q is a finite set of states, and q0 ∈ Q is the initial state; Σ is a finite set of labels; →⊆ Q × Σ × Q is a set of transitions; − F ⊆ Σ is a set of accepting labels, called the accepting set.

A ω-word w = a0 a1 a2 . . . ∈ Σ ω is accepting if there is an infinite sequence ai q0 q1 q2 . . . of states in Q such that qi −→ qi+1 for all i ∈ N, and for infinitely many i ∈ N, ai ∈ F . The accepting language L(B) of B is the set of all accepting ω-words. Let B=(M, F ) be a timed B¨ uchi automaton. Given a finite abstraction C , by Definition 11, we can obtain a B¨ uchi automaton B(B,C ) =(QM , Q0 , Σ, =⇒C , F ). Theorem 1. Let B be a timed B¨ uchi automaton, and C be a finite abstraction. Then L(B(B,C ) )  = ∅ iff L(B)  = ∅. Proof. L(B)  = ∅ implies L(B(B,C ) )  = ∅ can be proved easily by induction and Lemma 6. We omit the proof here. Now we give a proof for the assertion that L(B(B,C ) ) = ∅ implies L(B) = ∅.

Checking Timed B¨ uchi Automata Emptiness Using LU-Abstractions

237

If the B¨ uchi automaton B(B,C ) is not empty, then there exist a Q ∈ QM and a0 , a1 , . . ., ai , . . . , ak ∈ Σ such that a0 ,a1 ,...,ai−1 ai ,ai+1 ,...,ak Q0 =========⇒C Q, Q ========⇒C Q, and F ∩ {ai , ai+1 , . . . , ak } = ∅, → − where Q0 = C ((l0 , { 0 }↑ ∧I(l0 ))) is the initial state of the B¨ uchi automaton B(B,C ) . ai ,ai+1 ,...,ak

Applying Lemma 12 to Q ========⇒C Q, we have an infinite sequence of ai ,ai+1 ,...,ak ∗ states s2 s3 s4 s5 . . . such that s2  Q, and for each j ≥ 2, sj −−−−−−−−→ε sj+1 . a0 ,a1 ,...,ai−1

Applying Lemma 7 to Q0 ======== =⇒C Q and s2  Q, it follows that there     a0 ,a1 ,...,ai−1 exist s , s such that s  Q0 , s −−−−−−−−→ε s , and s2 C s . By s  Q0 and Q0 = C ((l0 , D0 )), we know that there exists a s1  (l0 , D0 ) such that s C s1 . a0 ,a1 ,...,ai−1 From the fact that s −−−−−−−−→ε s and s C s1 , we know there exists a a0 ,a1 ,...,ai−1 s2 such that s1 −−−−−−−−→ε s2 , and s C s2 . Thus we have obtained that s2 C s2 . ai ,ai+1 ,...,ak ∗ Applying Lemma 2 to s2 C s2 and sj −−−−−−−−→ε sj+1 (j = 2, 3, 4, . . .), we can obtain an infinite sequence of states s3 s4 s5 . . . such that ai ,ai+1 ,...,ak ∗

ai ,ai+1 ,...,ak ∗

ai ,ai+1 ,...,ak ∗

s2 −−−−−−−−→ε s3 −−−−−−−−→ε s4 −−−−−−−−→ε s5 . . .,

→ − Furthermore, from the fact that s1  (l0 , D0 ) and D0 = { 0 }↑ ∧I(l0 ), it follows → − d that there is a d ∈ R≥0 such that s0 − → s1 , where s0 = (l0 , 0 ) is the initial state of B. Thus, we have proved that there exists an infinite sequence of states s1 , s2 , s3 , s4 , . . . such that d

a0 ,a1 ,...,ai−1

ai ,ai+1 ,...,ak ∗

ai ,ai+1 ,...,ak ∗

ai ,ai+1 ,...,ak ∗

s0 − → s1 −−−−−−−−→ε s2 −−−−−−−−→ε s3 −−−−−−−−→ε s4 −−−−−−−−→ε s5 . . .. (1)

By (1) and the fact that F ∩ {ai , ai+1 , . . . , ak } = ∅, we know that B has an infinite run accepting the untimed word a0 a1 . . . ai−1 (ai ai+1 . . . ak )ω . Hence L(B)  = ∅.  By Theorem 1, given a finite abstraction C , the emptiness checking of a TBA B can be reduced to the emptiness checking of a B¨ uchi automaton B(B,C ) . Thus, we have reached a generic conclusion that any zone-based abstraction which satisfies our definition of finite abstraction can be used in a zone-based approach to the model-checking of TBA emptiness. Hence, several abstractions that are used in Uppaal (for instance, the k-extrapolation and the LU-extrapolation) can be used for model-checking TBA emptiness. A prototype tool CTAV3 has been implemented for model checking the TBA emptiness. To check the emptiness of a TBA B, CTAV uses the SCC-based onthe-fly algorithm in [14] to check the emptiness of B(B,C ) , which is generated dynamically during the test for emptiness. CTAV uses k-extrapolation or LUextrapolation to reduce the state space, depending on the options you pass it. 3

http://lcs.ios.ac.cn/˜ ligy/tools/CTAV LTL

238

G. Li

CTAV is also an LTL model checking tool for timed automata. For a given timed automaton M and a given LTL formula ϕ, by checking the emptiness of M||Aϕ , CTAV can answer whether M has one run satisfying ϕ, where || is the product operator and Aϕ the B¨ uchi automaton corresponding to ϕ. CTAV is build on top of Spot model checking library4 , Uppaal UTAP library5 and Uppaal DBM library6 . It uses Spot to transform an LTL formula into a B¨ uchi automaton, uses UTAP library to parse the Uppaal timed automata models, and uses the zone operations in Uppaal DBM library to do the symbolic computation.

5

Experimental Comparisons of LU-Extrapolation and k-Extrapolation

The LU-extrapolation has been proved to be an effective technique in reachability analysis of timed automata [9]. In order to test the effect of LU-extrapolation in emptiness checking and LTL model checking, we made two implementations of CTAV: one with LU-extrapolation and another with k-extrapolation. This section presents our experimental results on Fischer Mutual Exclusion Protocol, which has become a standard benchmark for tools that implement timing. The protocol consists of n processes and the ith process can be modeled as a timed automaton Ai showed in Fig. 1. Variable id in Ai is shared by all processes used to regulate the access to critical section. The protocol ensures mutual exclusion iff constant a is smaller than constant b.

Fig. 1. The timed automaton Ai for process i

The properties we used are LTL formulas ϕ = (♦(k = 1)) ∨ (♦(k = 0)) and φi = ♦(Ai .critical), where k is an integer variable to count the number of processes currently staying in their critical sections. We check whether the system [A1 ||A2 . . . ||An ] has a run satisfying the properties. For φi , such a run exists. But for ϕ, there is no run satisfying it. 4 5 6

http://spot.lip6.fr/wiki/ http://www.cs.auc.dk/˜ behrmann/utap http://www.cs.aau.dk/˜ adavid/UDBM/

Checking Timed B¨ uchi Automata Emptiness Using LU-Abstractions n property 4

ϕ

5

ϕ

6

ϕ

7 8 9

ϕ ϕ ϕ

16

φ10

16

φ11

16

φ12

16

φ13

16

φ14

16

φ15

16

φ16

239

option states transitions memory time LU-Extrap 623 2236 27.33 0.08 k-Extrap 7671 36288 29.18 0.62 LU-Extrap 2655 11080 27.73 0.16 k-Extrap 116078 700375 60.44 69.51 LU-Extrap 11839 55854 31.55 0.64 k-Extrap 2095713 15427566 726.46 25964.14 LU-Extrap 53863 283990 50.34 3.55 LU-Extrap 245631 1438744 148.56 20.24 LU-Extrap 1112927 7205868 661.27 116.22 LU-Extrap. 6397 19558 39.61 0.46 k-Extrap 19172 68638 65.03 1.70 LU-Extrap. 13693 46756 53.81 1.02 k-Extrap 41572 165849 108.59 4.04 LU-Extrap. 29181 110562 85.62 2.30 k-Extrap 89572 395156 199.26 9.58 LU-Extrap 61949 258784 149.24 5.20 k-Extrap 191972 929935 387.88 22.46 LU-Extrap 131069 600030 280.70 11.98 k-Extrap 409572 2164618 784.62 53.65 LU-Extrap 276477 1379292 553.52 26.63 k-Extrap 870372 4989829 1610.74 123.88 LU-Extrap 581629 3145690 1118.04 60.30

Fig. 2. Experimental comparisons of LU-extrapolation and k-extrapolation

Fig. 2 summarizes our experimental results on Fischer’s Protocol with a = 3 and b = 5, where n is the number of processes. All experiments were performed on a ThinkPad X301 notebook(Intel Core2 Duo 1.40GHz CPU, 2G Memory, Ubuntu 8.10 operating system). Timings are in seconds, states are the number of generated states, and memory usage is in MB. The experiment results shows that LU-extrapolation is also effective for TBA emptiness checking.

6

Comparison with Profounder

S. Tripakis et al.[20,21] have proposed a zone-based symbolic procedure for the emptiness checking of TBA. They shows that the so-called zone-closed simulation graph[20], can be used for checking emptiness of TBA. They have implemented a verification tool called Profounder 7 and claimed that it was the only available tool for emptiness checking of TBA. Similar to our abstract symbolic semantics(see Def. 11), the zone-closed simulation graph is also a zone-based symbolic transition system, with k-extrapolation used to reduce the state space. Profounder uses a nested-DFS algorithm [16] to check the emptiness of the zone-closed simulation graph. 7

http://www-verimag.imag.fr/˜ tripakis/openkronos.html

240

G. Li acc-cond φ1 φ2 φ3 φ4 φ5 φ6 φ7 φ8 φ9 φ10 φ11 φ12 φ13 φ14 φ15 φ16

tool states transitions memory time CTAV(lu-extrap) 4 4 6.62 0.03 CTAV(k-extrap) 4 4 1.62 0.03 Profounder 4.61 0.05 CTAV(lu-extrap) 9 10 6.62 0.04 CTAV(k-extrap) 9 10 26.16 0.04 Profounder 4.74 0.11 CTAV(lu-extrap) 21 27 26.16 0.04 CTAV(k-extrap) 30 38 26.16 0.04 Profounder 5.67 2.59 CTAV(lu-extrap) 55 82 26.16 0.04 CTAV(k-extrap) 122 196 26.16 0.04 Profounder 26.20 110.55 CTAV(lu-extrap) 127 211 26.16 0.05 CTAV(k-extrap) 322 600 26.16 0.05 Profounder 550.92 7071.33 CTAV(lu-extrap) 285 534 26.16 0.6 CTAV(k-extrap) 772 1658 28.52 0.09 CTAV(lu-extrap) 629 1336 26.16 0.08 CTAV(k-extrap) 1772 4639 31.42 0.18 CTAV(lu-extrap) 1373 3306 28.65 0.12 CTAV(k-extrap) 3972 11176 38.02 0.34 CTAV(lu-extrap) 2973 8088 32.88 0.25 CTAV(k-extrap) 8772 27955 53.33 0.84 CTAV(lu-extrap) 6397 19558 45.28 0.54 CTAV(k-extrap) 19172 68638 82.84 2.02 CTAV(lu-extrap) 13693 46756 66.05 1.20 CTAV(k-extrap) 41572 165849 144.93 4.78 CTAV(lu-extrap) 29181 110562 111.78 2.75 CTAV(k-extrap) 89572 395156 275.39 11.28 CTAV(lu-extrap) 61949 258784 203.31 6.23 CTAV(k-extrap) 191972 929935 548.62 26.93 CTAV(lu-extrap) 131069 600030 393.51 14.03 CTAV(k-extrap) 409572 2164618 1121.96 62.30 CTAV(lu-extrap) 276477 1379292 787.77 31.52 CTAV(lu-extrap) 581629 3145690 1604.27 70.09

Fig. 3. Experimental comparisons of CTAV and Profounder

Fig. 3 presents some experimental results about Profounder and CTAV on emptiness checking of TBA. The sample example is the 20-process Fischer’s mutual exclusion protocol [A1 ||A2 . . . ||A20 ], with different B¨ uchi accepting conditions. In Fig. 3, φi denotes the B¨ uchi accepting condition that “Process Ai can enter its critical section for infinitely often”. The experiments were performed on the same machine as in the last section.

Checking Timed B¨ uchi Automata Emptiness Using LU-Abstractions

7

241

Conclusion

This paper considers the emptiness checking of timed B¨ uchi automata. It shows that the LU-extrapolation which has been proved to gain efficiency in reachability analysis is also a sound extrapolation in emptiness checking of timed B¨ uchi automata. This gives a positive answer to the problem of Tripakis[20]. As future work, one thing we plan to do is to develop a MITL[6,18] model checker for timed automata. It can be done by implementing a tool to translate MITL formulas into timed B¨ uchi automata.

Acknowledgment Many thinks to Yan Rongjie, Wei Xukai, Peng Yunquan, and Zhang Wenliang for their great efforts in the implementation of CTAV. Thanks Prof. Stavros Tripakis for answering my question about Profounder and providing me some test examples. Thanks Prof. Wang Yi and Prof. Kim Larsen for their suggestions and encouragement. I would like also to thank the anonymous referees for their helpful comments and corrections.

References 1. Alur, R.: Timed Automata. In: Halbwachs, N., Peled, D.A. (eds.) CAV 1999. LNCS, vol. 1633, pp. 8–22. Springer, Heidelberg (1999) 2. Aceto, L., Ingolfsdottir, A., Larsen, K., Srba, J.: Reactive Systems. In: Modelling, Specification and Verification. Cambridge University Press, Cambridge (2007) 3. Aceto, L., Bouyer, P., Burgueno, A., Larsen, K.: The power of reachability testing for timed automata. Theoretical Computer Science 300(1-3), 411–475 (2003) 4. Alur, R., Dill, D.L.: A theory of timed automata. Theoretical Computer Science 126(2), 183–235 (1994) 5. Alur, R., Dill, D.L.: Automata-theoretic verification of real-time systems. In: Formal Methods for Real-Time Computing. Trends in Software Series, pp. 55–82. John Wiley & Sons Publishers, Chichester (1996) 6. Alur, R., Feder, T., Henzinger, T.A.: The benefits of relaxing punctuality. Journal of the ACM 43, 116–146 (1996) 7. Alur, R., Madhusudan, P.: Decision problems for timed automata: A survey. In: 4th Intl. School on Formal Mthods for Computer, Communication, and Software Systems: Real Time (2004) 8. Baier, C., Katoen, J.-P.: Principles of Model Checking. MIT Press, Cambridge (2008) 9. Behrmann, G., Bouyer, P., Larsen, K., Pel´ anek, R.: Lower and upper bounds in zone-based abstractions of timed automata. STTT 8(3), 204–215 (2006) 10. Behrmann, G., Bouyer, P., Fleury, E., Larsen, K.G.: Static Guard Analysis in Timed Automata Verification. In: Garavel, H., Hatcliff, J. (eds.) TACAS 2003. LNCS, vol. 2619, pp. 254–270. Springer, Heidelberg (2003) 11. Bengtsson, J.E., Yi, W.: Timed Automata: Semantics, Algorithms and Tools. In: Desel, J., Reisig, W., Rozenberg, G. (eds.) Lectures on Concurrency and Petri Nets. LNCS, vol. 3098, pp. 87–124. Springer, Heidelberg (2004)

242

G. Li

12. Bouyer, P.: Forward Analysis of Updatable Timed Automata. Formal Methods in System Design 24(3), 281–320 (2004) 13. Clarke, E.M., Grumberg, O., Peled, D.A.: Model Checking. The MIT Press, Cambridge (1999) 14. Couvreur, J.-M.: On-the-fly verification of linear temporal logic. In: Wing, J.M., Woodcock, J.C.P., Davies, J. (eds.) FM 1999. LNCS, vol. 1708, pp. 253–271. Springer, Heidelberg (1999) 15. Couvreur, J.-M., Duret-Lutz, A., Poitrenaud, D.: On-the-Fly Emptiness Checks for Generalized B¨ uchi Automata. In: Godefroid, P. (ed.) SPIN 2005. LNCS, vol. 3639, pp. 169–184. Springer, Heidelberg (2005) 16. Courcoubetis, C., Vardi, M.Y., Wolper, P., Yannakakis, M.: Memory-Efficient algorithms for the verification of temporal properties. Formal Methods in System Design 1(2/3), 275–288 (1992) 17. Kesten, Y., Manna, Z., Pnueli, A.: Verifying clocked transition systems. In: Alur, R., Sontag, E.D., Henzinger, T.A. (eds.) HS 1995. LNCS, vol. 1066, pp. 13–40. Springer, Heidelberg (1996) 18. Maler, O., Nickovic, D., Pnueli, A.: From MITL to Timed Automata. In: Asarin, E., Bouyer, P. (eds.) FORMATS 2006. LNCS, vol. 4202, pp. 274–289. Springer, Heidelberg (2006) 19. Manna, Z., Pnueli, A.: The temporal logic of reactive and concurrent systems: Specification. Springer, New York (1992) 20. Tripakis, S.: Checking Timed Buchi Automata Emptiness on Simulation Graphs. ACM Transactions on Computational Logic 10(3), 15:1–15:19 (2009) 21. Tripakis, S., Yovine, S., Bouajjani, A.: Checking Timed B¨ uchi Automata Emptiness Efficiently. Formal Methods in System Design 26(3), 267–292 (2005)

On the Supports of Recognizable Timed Series Karin Quaas Institut f¨ ur Informatik, Universit¨ at Leipzig 04009 Leipzig, Germany [email protected]

Abstract. Recently, the model of weighted timed automata has gained interest within the real-time community. In a previous work, we built a bridge to the theory of weighted automata and introduced a general model of weighted timed automata defined over a semiring and a family of cost functions. In this model, a weighted timed automaton recognizes a timed series, i.e., a function mapping to each timed word a weight taken from the semiring. Continuing in this spirit, the aim of this paper is to investigate the support and cut languages of recognizable timed series. We present results that lead to the decidability of weighted versions of classical decidability problems as e.g. the emptiness problem. Our results may also be used to check whether weighted timed systems satisfy specifications restricting the consumption of a resource.

1

Introduction

Since its introduction in 2001 by Alur et al. and Behrmann et al. [3,6], weighted timed automata have become a well-studied object of research within the realtime community. This model allows for a natural modelling of continuous resource consumption of real-time systems and has interesting applications in operations research and optimal scheduling. Weighted timed automata are timed automata [2] extended with one or more variables representing resources e.g. energy, memory or money. A function assigns weights to both the edges and the locations of the timed automaton that may be interpreted as costs or rewards. The variables do not influence the behaviour of a timed automaton, but may be used as a measure of performance. This model gives rise to a lot of interesting questions, e.g. what is the cheapest way to reach a certain location, what are the minimal average costs in non-terminating timed systems, or what is the optimal rate of produced items and energy consumption. Problems of this kind have been thoroughly investigated in recent papers on solving optimal reachability problems [6,5,3,1,11,9], model checking WCTL, WMTL or WLTL [8,10,14,12] and weighted timed games [13,8,10]. Recently, we proposed to define weighted timed automata in a general way over a semiring and a family of location cost functions [16]. Doing so, we not only obtain a model that generalizes most of the models used in the literature so far including amongst others the original proposal [3,6] and which may also J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 243–257, 2009. c Springer-Verlag Berlin Heidelberg 2009 

244

K. Quaas

be used to model weighted timed automata with more than one cost variable (as in e.g. [11,19]); but the general definition also gives rise to new instances of models using different semirings and families of cost functions. Moreover, by defining weighted timed automata over semirings, we build a bridge to the wellinvestigated theory of weighted automata. We believe that the connection between weighted automata and weighted timed automata may be cross-fertilizing for both research areas. In particular, while most of the above mentioned papers focus on algorithmic methods that may be used for specific problems in verification, we aim to investigate different aspects of the behaviour of weighted timed automata in terms of timed series, i.e., functions mapping timed words to weights in the semiring. Doing so, we hope to gain a deeper understanding of the nature of weighted timed automata and to build a solid basis for further research on this model. For instance, we were able to generalize two of the most fundamental results in the theory of formal languages to weighted timed automata, namely Kleene’s respectively B¨ uchi’s theorems on the equality of recognizable and rational respectively MSO-definable languages [16,21]. Here, we aim to shed light on the so-called supports of timed series, consisting of all timed words which are not mapped to zero. Within the theory of weighted automata, supports have been extensively studied (see eg. [7,23]). For instance, for large classes of semirings, the support of a recognizable formal power series is known to be recognizable, which implies the decidability of generalizations of some of the fundamental decidability problems of formal language theory as e.g. the emptiness problem or the universality problem. We also want to investigate the recognizability of so-called cut languages. These are sets of timed words which are assigned a weight smaller than (or greater than, respectively) a given value. We believe that both supports and cut languages provide the real-time community with nice applications in the analysis of real-time systems. For instance, we may be interested in whether the set of timed words whose cost under a weighted timed automaton is not exceeding a given value satisfies a specification. Problems like this can be solved using an automata-theoretic approach by using methods presented in this paper. In this paper, we focus on recognizable timed series over semirings having weights in the reals and families of linear functions, as these allow for the most interesting applications in the theory of weighted timed automata [6,3,9]. Many algorithms for decision problems in the (untimed) weighted setting rely on the fact that the set of weights occuring in a weighted automaton is finite. However, in a weighted timed automaton with linear cost functions this is not the case. Thus, the main challenge is to deal with the infinite number of weights occuring in a weighted timed automaton. We can show that for some problems and semirings it is not necessary to consider the exact weights of the transitions participating in a run. Besides linear cost functions, we consider weighted timed automata over step functions for which the problem of infinite weights does not occur. For this kind of functions we can show that most of the results of the (untimed) setting can be carried over to the timed setting.

On the Supports of Recognizable Timed Series

2

245

Preliminaries

Let , ≥0 , ≥0 , ≥0 and  denote the set of natural, positive integer, positive rational, positive real numbers and real numbers, respectively. We use Σ to denote a finite alphabet. A timed word over Σ is a finite sequence (a1 , t1 )...(an , tn ) ∈ (Σ × ≥0 )∗ , where the sequence of timestamps t1 ...tn is non-decreasing. We write T Σ ∗ for the set of timed words over Σ. A set L ⊆ T Σ ∗ is called a timed language. We say that a timed word is strictly monotonic if its sequence of timestamps is strictly monotonic increasing (i.e., we rule out zero time delays). We use Ts Σ ∗ to denote the set of strictly monotonic timed words. A timed language L ⊆ Ts Σ ∗ is called strictly monotonic. Given a timed word w as above we define the length |w| of w to be n. Let X be a finite set of so-called clock variables ranging over ≥0 . We define clock constraints φ over X to be conjunctions of formulas of the form x ∼ k, where k ∈ ≥0 , x ∈ X, and ∼∈ {<, ≤, >, ≥}. Let Φ(X) be the set of all clock constraints φ over X. A clock valuation ν : X → ≥0 is a function that assigns a value to each clock variable. We let ν0 be the special clock valuation assigning 0 to each clock variable. A clock valuation ν satisfies a clock constraint φ, written ν |= φ, if φ evaluates to true according to the values given by ν. For δ ∈ ≥0 and λ ⊆ X, respectively, we define ν + δ to be (ν + δ)(x) = ν(x) + δ for each x ∈ X and (ν[λ := 0])(x) = 0 if x ∈ λ and (ν[λ := 0])(x) = ν(x) otherwise. A semiring K is an algebraic structure (K, ⊕, , , ) such that (K, ⊕, ) is a commutative monoid, (K, , ) is a monoid, distributes over ⊕, and  is absorbing. As an example, consider the min-plus-semiring (≥0 ∪{∞}, min, +, ∞, 0) or the semiring (, +, ·, 0, 1) over the reals with ordinary addition and multiplication. Let Γ be a set. A mapping T : Γ ∗ → K is called a series. For historical reasons, we write (T , w) instead of T (w) for w ∈ Γ ∗ . The support supp(T ) of T is defined to be the set {w ∈ Γ ∗ |(T , w) = }. We let F be a family of functions from ≥0 to K. In this paper, we are mainly interested in two kinds of such families, namely the family of step functions and the family of linear functions. A function f : ≥0 → K is a step function if it is of the form f (δ) = 1≤i≤n αi χAi (δ) for every δ ∈ ≥0 , where n ∈ , αi ∈ K, Ai are =k  intervals over ≥0 with borders in ≥0 such that Aj ∩ Ak = ∅ for j and 1≤i≤n Ai = ≥0 , and χAi is a characteristic function of Ai , i.e., we have χAi (δ) =  if δ ∈ Ai and  otherwise, for every i ∈ {1, ..., n}. A step function has the important property of having a finite image. For semirings where K ⊇ ≥0 , we say that a function f : ≥0 → K is linear if it is of the form f (δ) = k · δ for every δ ∈ ≥0 and some k ∈ K. A weighted timed automaton over K, Σ and F is a tuple (S, S0 , Sf , X, E, C), where – – – –

S is a finite set of locations (states) S0 ⊆ S is a set of initial locations Sf ⊆ S is a set of final locations X is a finite set of clock variables

246

K. Quaas

– E ⊆ S × Σ × Φ(X) × 2X × S is a finite set of edges. An edge (s, σ, φ, λ, s ) allows a jump from s to s if σ is read, provided that for the current clock valuation ν we have ν |= φ. After the edge has been executed, the new clock valuation is ν[λ := 0]. – C = {CE } ∪ {Cs : s ∈ S}, where CE : E → K, and Cs ∈ F for any s ∈ S. A weighted timed automaton A induces an infinite state transition system consisting of states of the form (s, ν), where s ∈ S and ν is a clock valuation. Beδ

tween the states there are timed transitions of the form (s, ν) −→ (s, ν + δ) e for some δ ∈ ≥0 , and discrete transitions of the form (s, ν) −→ (s , ν  ) for   some e = (s, a, φ, λ, s ) ∈ E such that ν |= φ and ν = ν[λ := 0]. A transiδ

tion is a timed transition (s, ν) −→ (s, ν + δ) followed by a discrete transition e δ e (s, ν + δ) −→ (s , ν  ), abbreviated by (s, ν) −→−→ (s , ν  ). A run of A on a timed δ

e

δ

e

δ|w| e|w|

1 1 2 2 word w is a finite sequence (s0 , ν0 ) −→ −→ (s1 , ν1 ) −→ −→ ... −→−→ (s|w| , ν|w| ) X of transitions, where ν0 = 0 . We say that a run r is successful if s0 ∈ S0 and s|w| ∈ Sf . We define the running weight rwt(r) of a run r as ∗ above to be si−1 (δi ) CE (ei ). The behaviour A : T Σ → K of A 1≤i≤|w| C is given by (A, w) = {rwt(r) : r is a successful run of A on w}. A function T : T Σ ∗ → K is called a timed series. A timed series T is recognizable over K, Σ and F if there is a weighted timed automaton A over K, Σ and F with A = T . An (unweighted) timed automaton as defined by Alur and Dill [2] can be seen as weighted timed automaton over the Boolean semiring and the family of constant functions, where C maps every edge and every pair in S × ≥0 to . In this case the behaviour of the automaton A is a characteristic function and we have L(A) = supp(A). If we ignore all timing information and let C map every pair in S × ≥0 to , we obtain the model of (untimed) weighted automata. The standard model of weighted timed automata [3,6] can be modeled using the min-plus-semiring and the family of linear functions. A (weighted) timed automaton is unambiguous, if for every timed word w there is at most one successful run. A timed language (timed series, respectively) is called unambiguously recognizable, if there is an unambiguous timed automaton (weighted timed automaton, respectively) recognizing it. A timed series T is called strictly monotonic, if for each timed word w ∈ T Σ ∗ \Ts Σ ∗ we have (T , w) = . Given a weighted timed automaton A = (S, S0 , Sf , X, E, C), we define wgte (A) = {CE (e)|e ∈ E} and wgts (A) = {Cs (δ)|s ∈ S, δ ∈ ≥0 } and put wgt(A) = wgte (A) ∪ wgts (A). Let I be the set of all intervals over ≥0 with borders in ≥0 and x a clock variable. We define a function x : I → Φ({x}) by

⎧ a < x∧x
if if if if

I I I I

= (a, b) = [a, b) for every I ∈ I. = (a, b] = [a, b]

On the Supports of Recognizable Timed Series

3

247

Supports of Recognizable Timed Series

In this section, we study whether the support of a recognizable timed series is a recognizable timed language. It is well-known that in the untimed setting the support of every series recognizable over a positive semiring is recognizable [24]. A semiring is positive if it is both zero-sum free and zero-divisor free, i.e., we have k ⊕ k  =  implies k =  and k  = , and k k  =  implies k =  or k  =  for each k, k  ∈ K. With these two properties it is easy to construct a finite automaton recognizing exactly the support of the behaviour of some given weighted automaton by simply removing all edges with weight  [24]. For the timed setting, this idea can more or less be adopted by removing not only the edges with weight  but also all locations whose cost functions map all time delays to . However, for certain positive semirings and families the method does only work for strictly monotonic timed series. For instance, let K = (≥0 , +, ·, 0, 1) and F be the family of linear functions. Even if in a weighted timed automaton over K and F we remove all locations with cost functions of the form f (δ) = 0 · δ, we cannot conclude that in the resulting weighted timed automaton every successful run has a running weight different from 0. This is because we have f (0) = 0 for every f ∈ F and thus the running weight of every successful run on a timed word with a zero delay equals 0. Lemma 1. Let K be positive. 1. Assume that for all f ∈ F we have either f (δ) =  for all δ ∈ ≥0 or f (δ) =  for all δ ∈ ≥0 . If T is a recognizable timed series, then supp(T ) is recognizable. 2. Assume that for all f ∈ F we have either f (δ) =  for all δ ∈ ≥0 \{0} or f (δ) =  for all δ ∈ ≥0 \{0}. If T is a strictly monotonic and recognizable timed series, then supp(T ) is strictly monotonic and recognizable. As a consequence, the support of the behaviour of each weighted timed automaton over the widely-used [6,3,9] setting of the min-plus-semiring and the family of linear functions is recognizable. To give another example, the first part of Lemma 1 also applies to the semiring ([0, 1], max, ·, 0, 1) and families of functions of the form f (δ) = k δ for some k ∈ [0, 1] and each δ ∈ ≥0 . In the past few years, weighted timed automata with multiple prices have attracted interest [11,19]. These may be modeled using the direct product of e.g. the min-plus-semiring and component-wisely defined linear functions. Unfortunately, while still being zero-sum free, direct products of positive semirings are not zero-divisor free and thus Lemma 1 cannot be applied. Very recently, Kirsten showed that the commutativity and zero-sum freeness of the semiring is a sufficient condition for the support of a recognizable series being recognizable [18]. Kirsten’s proof method strongly relies on the fact that the set of disjoint weights occurring in any of the runs of the weighted automaton is finite. However, for weighted timed automata over the family of linear functions this is not the case. Nevertheless, for certain semirings we can adapt the proof by exploiting the fact that the exact weights emerging from staying in a location are not crucial for

248

K. Quaas

deciding whether the running weight of a run equals  or not, but rather it is sufficient to consider the semiring coefficients that the time delay is multiplied with, as the following example shows. Example 1. Let A be a weighted timed automaton over the min-plus-semiring. For the sake of simplicity, in this example we assume that CE (e) = 0 for every edge e. Then for each run r of A on a timed word w we have rwt(r) = ∞ iff there is some i ∈ {1, ..., |w|} such that Csi−1 (δi ) = ∞. However, for every location s and time delay δ, we have Cs (δ) = ∞ iff Cs (δ) = ∞ · δ for each δ ∈ ≥0 . Hence, the exact time delays are not important but it is sufficient to consider the coefficients of the cost functions of the participating locations in a run. For the direct product of the min-plus-semiring we have a similar result: rwt(r) = (∞, ∞) iff either there is some i ∈ {1, ..., |w|} such that Csi−1 (δi ) = (∞, ∞), or there are i, j ∈ {1, ..., |w|} such that i = j and Csi−1 (δi ) = (a, ∞) and Csj−1 (δj ) = (∞, b), for some a, b ∈ ≥0 . Again, the exact time delays are not important. This leads us to the following result. Lemma 2. Let K be commutative and zero-sum free. 1. If F is the family of step functions and T is a recognizable timed series, then supp(T ) is recognizable. 2. If F is the family of linear functions and K is (the direct product of ) one of the following semirings (a) (≥0 ∪ {∞}, min, +, ∞, 0) (b) (≥0 ∪ {−∞}, max, +, −∞, 0) (c) (≥0 ∪ {∞, −∞}, min, max, ∞, −∞) and T is a recognizable timed series, then supp(T ) is recognizable. 3. If F is the family of linear functions, K is the (direct product of ) (≥0 , +, ·, 0, 1), and T is strictly monotonic and recognizable, then supp(T ) is strictly monotonic and recognizable. None of the constructions used in the proofs of Lemmas 1 and 2 increases the number of clock variables used. Combining these two results with the decidability of the emptiness problem for timed automata [2] and the universality problem for single-clock timed automata [20], we obtain the following corollary. Corollary 1. If K, F and T correspond to one of the settings defined in Lemmas 1 and 2, then it is decidable whether supp(T ) = ∅. If, additionally, T can be recognized by a single-clock weighted timed automaton, then it is decidable whether supp(T ) = T Σ ∗. Next, we consider recognizable timed series over fields, i.e., semirings where (K, ⊕, ) is a group and (K\{}, , ) is a commutative group. It is well-known that already in the untimed setting there are recognizable series over fields for which the support is not recognizable (see e.g. [18]). Yet, by a result of Berstel and Reutenauer [7], it is decidable whether the support of a recognizable series over a field is empty or not. In the next section, we show that this also holds for recognizable timed series over certain fields and families of cost functions.

On the Supports of Recognizable Timed Series

4

249

The Empty Support Problem for Fields

In the following, we let K be a field, e.g. the semiring over the rationals or reals with the usual addition and multiplication operations. We start to show that for this class of semirings and the family of step functions, it is decidable whether the support of a given recognizable timed series T is empty or not. The idea is to reduce the problem for recognizable timed series to the corresponding classical problem for recognizable (untimed) series, which is known to be decidable [7]. Lemma 3. Let K be a field and F be the family of step functions. If T : T Σ ∗ → K is a recognizable timed series over K and F , then there is a recognizable series T  : Σ ∗ → K over K such that supp(T  ) = ∅ iff supp(T ) = ∅. Proof. Let A be a weighted timed automaton such that A = T . Let R(A) be the region automaton of the timed automaton underlying A [2]. We add a cost function μ to R(A), assigning weights taken from K to every transition in R(A), obtaining a weighted automaton over K which we also will denote by R(A). The cost function μ is defined as follows: if t is a transition that stems from an edge e ∈ E in A, we put μ(t) = CE (e). Now, let t be a transition that stems from a timed  transition labelled with δ starting in some location   s, and assume Cs (δ  ) = 1≤i≤n αi χAi (δ ) for every δ ∈ ≥0 . There is a unique i ∈ {1, ..., n} such that δ ∈ Ai . We define μ(t) = αi . Using this and the fact that the infinite state-transition system induced by the timed automaton underlying A and the region automaton R(A) are bisimulation equivalent [2], one can easily show that there is a weight-preserving bijective correspondence between the set of successful runs of A and R(A). This implies supp(A) = ∅ iff supp(R(A)) = ∅.   Now we want to consider weighted timed automata over fields and the family of linear functions. Clearly, due to the infinite number of weights occuring in this kind of automata, we cannot use the same construction as above. However, similarly to the case of non-zero-divisor free semirings in Sect.3, for certain semirings we do not need to consider the exact weight of a transition in order to decide whether a running weight equals  or not. Lemma 4. Let K = (, +, ·, 0, 1) and F be the family of linear functions. If T : T Σ ∗ → K is a recognizable timed series over K and F , then there is a recognizable series T  : Σ ∗ → K over K such that supp(T  ) = ∅ iff supp(T ) = ∅.

Proof. Let A be a weighted timed automaton such that A = T . Again, we extend the region automaton R(A) of the timed automaton underlying A with a cost function μ, obtaining a weighted automaton over K which we also will denote by R(A). This time, the cost function μ is defined as follows: if t is a transition that stems from an edge e ∈ E in A, we put μ(t) = CE (e). Now, let t be a transition that stems from a timed transition labelled with δ starting in some location s, and assume Cs (δ  ) = cs · δ  for every δ  ∈ ≥0 . We define μ(t) = cs if δ = 0, μ(t) = 0 otherwise. By the fact that the infinite statetransition system induced by the timed automaton underlying A and the region

250

K. Quaas

automaton R(A) are bisimulation equivalent [2], it follows that there is a bijective correspondence between the set of successful runs of A and R(A); however, this correspondence is not weight-preserving. Let w ∈ T Σ ∗ . We use abs(w) to denote the unique (untimed) word labelling the runs of R(A) corresponding to runs of A on w. We show that (A, w) = 0 implies (R(A), abs(w)) = 0. Let δ

e

δ

δ|w| e|w|

e

1 1 2 2 r = (s0 , ν0 ) −→ −→ (s1 , ν1 ) −→ −→ ... −→−→ (s|w| , ν|w| ) be a successful run of A on w. Using commutativity of · and assuming every location cost function Cs in A to be of the form Cs (δ) = cs · δ for every δ ∈ ≥0 , we obtain rwt(r) = csi−1 · CE (ei ) · δi .

1≤i≤|w|

1≤i≤|w|

Let n be the (finite) number of successful runs of A on w and let ri be a successful run of A on w for each i ∈ {1, ..., n}. Then, by distributivity, we have

(A, w) = rwt(ri ) 1≤i≤n

=



⎡⎛ ⎣⎝

1≤i≤n

⎛

=⎝



⎞



cisj−1 · CE (eij )⎠ ·

1≤j≤|w|



1≤i≤n 1≤j≤|w|

⎞

cisj−1 · CE (eij )⎠ ·

⎤



δj ⎦

1≤j≤|w|



δj .

1≤j≤|w|

   Clearly, (A, w) = 0 iff 1≤i≤n 1≤j≤|w| cisj−1 · CE (eij ) = 0 or 1≤j≤|w| δj = 0. In the latter case, there is some j ∈ {1, ..., |w|} such that δj = 0. Then, the weight μ(t) of the transition that stems from the timed transition labelled with δj equals 0. Hence, for each i ∈ {1, ..., n}, the running weight of the successful run of R(A) corresponding to ri equals 0 and we have (R(A),  abs(w))  = 0. Now, assume that for every 1 ≤ j ≤ |w| we have δj > 0 and 1≤i≤n 1≤j≤|w| cisj−1 · CE (eij ) = 0. The definition of μ for this case implies that the running weights  of the corresponding runs in R(A) equal 1≤j≤|w| cisj−1 · CE (eij ) for each 1 ≤ i ≤ n and thus we have (R(A), abs(w)) = 0. Hence, if supp(A) = ∅ then supp(R(A)) = ∅. The proof for the other direction can be done analogously.   Observe that the crucial point for obtaining the result is the fact that the multiplication of the semiring coincides with the multiplication used for the definitions of linear functions. The proof may be extended to other semirings and families of functions for which an analogous property holds, i.e., where we use functions of the form k δ for some k ∈ K. Also notice that - as opposed to the second part of Lemma 1 - we do not need to restrict the application of Lemma 4 to strictly monotonic timed series. As a direct consequence, the following corollary (based on the fact that for every recognizable series over a field it is decidable whether its support is empty or not [7]) also holds for non-strictly monotonic timed series

On the Supports of Recognizable Timed Series

251

over (≥0 , +, ·, 0, 1) and families of linear functions (generalizing the first part of Corollary 1 for this setting). Corollary 2. If K, F and T correspond to one of the settings defined in Lemmas 3 and 4, then it is decidable whether supp(T ) = ∅. Remark 1. For the class of recognizable series over fields it is not decidable whether the support equals Σ ∗ [7]. Hence, we cannot use a reduction as above to solve the universal support problem for timed series recognizable by singleclock weighted timed automata.

5

Timed Cut Languages

In this section, we are interested in those timed words whose weights under a timed series exactly correspond to a given value, or whose weights do (not) exceed a given value from the semiring. Sets of words of the second category are knows as cut languages and play an important role in the theory of weighted automata (see eg. [17,22]). In particular, we want to investigate the following problems: given a recognizable timed series T and k ∈ K, are the sets – T −1 (k) = {w ∈ T Σ ∗ |(T , w) = k} – {w ∈ T Σ ∗|(T , w) ≤ k} – {w ∈ T Σ ∗|(T , w) ≥ k} recognizable? Besides new applications in the analysis of real-time systems, a solution to the questions above can also help to solve problems from the theory of timed languages, as the following example (adopted from [17]) shows: assume there is some semiring K and a family F such that there is some f ∈ F with f (δ) =  for each δ ∈ ≥0 and we can show that T −1 (k) is a recognizable timed language for every recognizable timed series T and every k ∈ K. Then, ¯ of every unambiguously recognizable we could conclude that the complement L timed language L is recognizable. The proof of this is as follows: let L be an unambiguously recognizable timed language and A be an unambiguous timed automaton such that L(A) = L. Then, simply assign the weight  to all edges of A and let Cs = f for any location s. Clearly, the behaviour A  of the resulting weighted timed automaton A corresponds to the characteristic function of L. ¯ must be recognizBut then by assumption the timed language A −1 () = L able. However, by now it is not known whether negation preserves recognizability of unambiguous timed languages or not [25]. A semiring K has characteristic zero if there is no n ∈ \{0} such that  ⊕  ... ⊕  = .  n

Lemma 5. Let K have characteristic zero and assume that there is some f ∈ F such that f (δ) =  for each δ ∈ ≥0 . Then there is some recognizable timed series T over K and F such that T −1 () is not recognizable.

252

K. Quaas

Proof. It is well-known that the class of recognizable timed languages is not closed under complement [2]. So let L ⊆ T Σ ∗ be a recognizable timed language ¯ is not recognizable (e.g. the example language in such that the complement L Theorem 1 in [4]). We further let A be a timed automaton recognizing L. We obtain a weighted timed automaton A over K and F by adding a cost function C such that  is assigned to every edge and the cost function of every location is f . Let w ∈ L. Then the running weight of every successful run of A on w is . Exploiting the condition on K, we get (A , w) = . Hence, L is the support of ¯ the behaviour of A , formally supp(A ) = L. But this implies A−1 () = L, which by assumption is not recognizable.   The condition on the semiring is satisfied by every semiring which is not a ring but also e.g. by the semiring over the integers with natural addition and multiplication. In particular, given a recognizable timed series T over the minplus-semiring (max-plus-semiring, respectively) and the family of step functions or linear functions, in general T −1 () is not recognizable. In contrast to this, the lemma cannot be applied if T is recognizable over the semiring (≥0 , +, ·, 0, 1) and the family F of linear functions, as there is no function f ∈ F satisfying f (δ) = 1 for every δ ∈ ≥0 . Notice that for the family of step functions there is such a function. This raises the interesting question whether in general, assuming that K is fixed, we cannot conclude from a “negative” result for the family of step functions that a negative result also holds for the (more expressive and harder) family of linear functions. The negative result in Lemma 5 mainly relies on the non-closure of recognizable timed languages under complement. The question arises whether we can obtain a positive result for k = . Unfortunately, for the most interesting setting of real-valued weights and linear cost functions we have to give a negative answer, even if we confine our study to unambiguously recognizable timed series. Lemma 6. Let K be one of the following semirings – – – –

(≥0 ∪ {∞}, min, +, ∞, 0) (≥0 ∪ {−∞}, max, +, −∞, 0) (, +, ·, 0, 1) (≥0 , +, ·, 0, 1)

and F be the family of linear functions. Then there is some unambiguously recognizable timed series T over K and F and some k ∈ K\{} such that T −1 (k) is not recognizable. Proof. We show the proof for (≥0 , +, ·, 0, 1). The proofs for the other semirings can be done analogously. Let A be the unambiguous weighted timed automaton over (≥0 , +, ·, 0, 1) and the family of linear functions shown in the figure below. Further, we put k = 6. Assume there is a timed automaton A such that L(A ) = A−1 (k). Let w = (a, t1 )(a, t2 ) be some timed word such that (A, w) = 6, e.g. (a, 1.5)(a, 0.3).

On the Supports of Recognizable Timed Series

3δ

a

5δ

253

a

Hence, there must be a successful run r of A on w. Choose an arbitrary such that t2 + ∈ ≥0 \≥0 and let w = (a, t1 )(a, t2 + ). Then, the discrete transitions of r must also constitute a successful run of A on w , because the constants in a guard may only be rational numbers and hence A cannot distinguish between the time delays t2 −t1 and (t2 + )−t1 . Hence, w ∈ L(A ), but (A, w ) > 6.   Next, we show that if we consider unambiguously recognizable timed series over the family of step functions, we can give a positive answer. This may be not too surprising, as in this case the number of weights occuring in a weighted timed automaton is finite and we can apply proof methods known from the theory of weighted automata (see e.g. [17]). For the sake of completeness we present some of the results in the following. These may also serve as a starting point for further research on other kinds of cost functions. A morphism between semirings (K, ⊕, , K , K ) and (K  , ⊕ ,  , K  , K  ) is a function η : K → K  satisfying – η(a ⊕ b) = η(a) ⊕ η(b) for all a, b ∈ K – η(a b) = η(a)  η(b) for all a, b ∈ K – η(K ) = K  and η(K ) = K  . Lemma 7. Let K, K be two semirings and F be the family of step functions from ≥0 to K. If T is a recognizable timed series over K and F and η : K → K is a semiring morphism, then η ◦ T is recognizable over K and F . Proof. If A is the weighted timed automaton over K recognizing T , we obtain a weighted timed automaton A over K by replacing all constants k ∈ K occuring in the cost functions of A by η(k). Then one can show that there is a bijective correspondence between the set of successful runs r of A and the set of successful runs r of A such that rwt(r ) = η(rwt(r)). Thus, we have  (A , w) = {rwt(r )|r is a successful run of A on w}  = {η(rwt(r))|r is a successful run of A on w}  = η( {rwt(r)|r is a successful run of A on w}) = η(A, w) Lemma 8. Let F be the family of step functions, k ∈ K\{} and T be an unambiguously recognizable timed series. If K is (the direct product of ) one of the following semirings 1. 2. 3. 4.

(K ∪ {∞}, min, +, ∞, 0) for K ∈ { , ≥0 , ≥0 , ≥0 }, ( ∪ {∞, −∞}, min, max, ∞, −∞), (K ∪ {∞}, min, ·, ∞, 1) for K ∈ { , ≥0 , ≥0 , ≥0 }, ([0, 1] ∪ {∞}, min, ·, ∞, 1),

254

5. 6. 7. 8. 9.

K. Quaas

([1, ∞], min, ·, ∞, 1), (K ∪ {−∞}, max, +, −∞, 0) for K ∈ { , ≥0 , ≥0 , ≥0 }, (K ∪ {∞}, max, min, 0, ∞) for K ∈ { , ≥0 , ≥0 , ≥0 }, ([0, 1], max, min, 0, 1), ([0, 1], max, ·, 0, 1),

or K is such that (K, , ) is locally finite, i.e., each finitely generated monoid is finite, then T −1 (k) is unambiguously recognizable. Proof. First, we give the proof for (≥0 ∪ {∞}, min, +, ∞, 0). The idea is as follows: assume that N is the minimal weight occuring as a weight in a weighted timed automaton. Then, we only have to consider runs of length smaller than or k equal to  N . This is because every other run necessarily has a running weight greater than k. Thus, the set of occuring weights relevant for solving the problem is finite and can be remembered within the discrete part of a timed automaton. Let A = (S, S0 , Sf , X, E, C) be a weighted timed automaton over K and F such that A = T and k ∈ ≥0 . We assume Cs to be of the form min{αsi + χAsi |1 ≤ i ≤ ns } for every s ∈ S. Define N = min(wgt(A)\{0}). Let y be a “fresh” clock variable not occurring in X. We define the timed automaton A = (S  , S0 , Sf , X  , E  ) by – S  = S × {m ∈ ≥0 ∪ {∞}|m = m1 + ... + mp , m1 , ..., mp ∈ wgt(A), p ∈ {1, ...,  Nk }} ∪ {0, k} – S0 = S0 × {0} – Sf = Sf × {k} – X  = X ∪ {y} – E  = {((s, m), a, φ , λ , (s , m ))|(s, a, φ, λ, s ) ∈ E such that φ = φ ∧ Asi y , λ = λ∪{y}, m = m+αi +CE ((s, a, φ, λ, s )) for every i ∈ {1, ..., ns }} Then, one can easily prove L(A ) = A−1 (k). The proof for ≥0 of course also works for , ≥0 and ≥0 , which finishes the proof for 1. Now, let ln(x) denote the natural logarithm of a number x and abbreviate Pmax = ([0, 1], max, ·, 0, 1) and Rmin = (≥0 ∪ {∞}, min, +, ∞, 0). We define the semiring morphism η : [0, 1] → ≥0 ∪ {∞} by η(x) = −ln(x). Let T be recognizable over Pmax and k ∈ [0, 1]\{0}. Then, by Lemma 7, η ◦ T is recognizable over Rmin . Using 1., we know that {w ∈ T Σ ∗ |(η ◦ T , w) = η(k)} is recognizable. But this implies that {w ∈ T Σ ∗ |(T , w) = k} is recognizable. This proves 8. Similar proof ideas can be used to prove the claim for the other semirings.   Lemma 9. Let K be a semiring such that = min or = max, F is the family of linear functions of the form c · δ such that c ∈  and k ∈ . If T is an unambiguously recognizable timed series over K and F , then T −1 (k) is unambiguously recognizable. Proof. We briefly summarize the idea of the construction of a timed automaton A recognizing A−1 (k). We need to remember whether during a run on a word we already have reached a weight of k or not. We obtain this information by a newly introduced clock variable y that measures the time that has been spent in

On the Supports of Recognizable Timed Series

255

the current location. At every edge a clock constraint on y controls the behaviour of A depending on whether we have already reached a weight of k or not beforehands, and on how much time we have already spent in the current location. This can be done owing to the restriction on k being a rational number.   Lastly, we want to consider cut languages. Again, we can generalize results from the theory of weighted automata for recognizable timed series over the family of step functions owing to the finite number of weights occuring in a corresponding weighted timed automaton. Notice that in the next lemma, in opposition to Lemma 8, we do not require T to be unambiguous. Lemma 10. Let F be the family of step functions, let k ∈ K\{} and T be a recognizable timed series. If K is one of the following semirings 1. 2. 3. 4. 5.

(K ∪ {∞}, min, +, ∞, 0) for K ∈ { , ≥0 , ≥0 , ≥0 }, ( ∪ {∞, −∞}, min, max, ∞, −∞), (K ∪ {∞}, min, ·, ∞, 1) for K ∈ { , ≥0 , ≥0 , ≥0 }, ([0, 1] ∪ {∞}, min, ·, ∞, 1), ([1, ∞], min, ·, ∞, 1),

then T −1 ({m|m ≤ k} is recognizable. If K is one of the following semirings 1. 2. 3. 4.

(K ∪ {−∞}, max, +, −∞, 0) for K ∈ { , ≥0 , ≥0 , ≥0 }, (K ∪ {∞}, max, min, 0, ∞) for K ∈ { , ≥0 , ≥0 , ≥0 }, ([0, 1], max, min, 0, 1), ([0, 1], max, ·, 0, 1),

then T −1 ({m|m ≥ k} is recognizable. Proof. We use the same approach as in the proof of Lemma 8. Notice that η is an anti-isomorphism w.r.t. the natural orderings in Pmax and R≥0 . Thus, we have {w ∈ T Σ ∗ |(η ◦ T , w) ≤ η(k)} = {w ∈ T Σ ∗ |(T , w) ≥ k)} and can conclude that {w ∈ T Σ ∗ |(T , w) ≥ k)} is recognizable.

6

 

Conclusion and Further Research

In this paper, we investigated decidability problems concerning the supports (and subsets of supports, respectively) of recognizable timed series. We believe that this work is only the beginning of fruitful further research within this area, as there are a lot of open problems worth considering. For instance, some results of this paper do not cover recognizable timed series over certain important semirings and families of cost functions. In particular, we would like to know whether there is a recognizable timed series over (≥0 , +, ·, 0, 1) and the family of linear functions such that T −1 (0) is not recognizable. Also, we are interested in what happens if we let F contain both linear and step functions. This is needed to model so-called stopwatch automata, where the cost variable can be switched on

256

K. Quaas

in some locations (the cost functions are linear) and switched out in the other locations (the cost functions map every time delay to the constant ). However, we cannot apply the proof method of e.g. Lemma 4 when F contains both linear and step functions. Of course, one may think of cost functions other than the step or linear cost functions as e.g. functions of the form k · ln(δ), k δ etc., and other semirings. Also, there are lots of interesting applications that require operations that do not form a semiring and have recently been introduced under the notion of quantitative languages [15]. This model is promising also within the context of real-time systems and has in fact already been used [11,19]. Thus we want to consider it in future work. Last but not least, for those settings where the supports (cut languages, respectively) of recognizable timed series in general are not guaranteed to be recognizable, we want to further examine whether we can decide whether a particular timed series has a recognizable support (cut language, respectively) or not. Altogether, with this work we hope to give a new perspective on the work on weighted timed automata.

References 1. Abdedda¨ım, Y., Maler, O.: Preemptive job-shop scheduling using stopwatch automata. In: Katoen, J.-P., Stevens, P. (eds.) TACAS 2002. LNCS, vol. 2280, pp. 113–126. Springer, Heidelberg (2002) 2. Alur, R., Dill, D.L.: A theory of timed automata. Theoretical Computer Science 126(2), 183–235 (1994) 3. Alur, R., La Torre, S., Pappas, G.J.: Optimal paths in weighted timed automata. In: Di Benedetto, M.D., Sangiovanni-Vincentelli, A.L. (eds.) HSCC 2001. LNCS, vol. 2034, pp. 49–62. Springer, Heidelberg (2001) 4. Alur, R., Madhusudan, P.: Decision problems for timed automata: A survey. In: Bernardo, M., Corradini, F. (eds.) SFM-RT 2004. LNCS, vol. 3185, pp. 1–24. Springer, Heidelberg (2004) 5. Behrmann, G., Fehnker, A.: Efficient guiding towards cost-optimality in Uppaal. In: Margaria, T., Yi, W. (eds.) TACAS 2001. LNCS, vol. 2031, pp. 174–188. Springer, Heidelberg (2001) 6. Behrmann, G., Fehnker, A., Hune, T., Larsen, K., Pettersson, P., Romijn, J., Vaandrager, F.: Minimum-cost reachability for priced timed automata. In: Di Benedetto, M.D., Sangiovanni-Vincentelli, A.L. (eds.) HSCC 2001. LNCS, vol. 2034, pp. 147– 161. Springer, Heidelberg (2001) 7. Berstel, J., Reutenauer, C.: Rational series and their languages. Current online version of the book of the same name from 1988 (February 2007) 8. Bouyer, P.: Weighted timed automata: Model-checking and games. In: MFPS 2006. ENTCS, vol. 158, pp. 3–17. Elsevier Science Publishers, Amsterdam (2006) 9. Bouyer, P., Brihaye, T., Bruy`ere, V., Raskin, J.-F.: On the optimal reachability problem on weighted timed automata. Formal Methods in System Design 31(2), 135–175 (2007) 10. Bouyer, P., Brihaye, T., Markey, N.: Improved undecidability results on weighted timed automata. Inf. Process. Lett. 98(5), 188–194 (2006) 11. Bouyer, P., Brinksma, E., Larsen, K.G.: Optimal infinite scheduling for multi-priced timed automata. Formal Methods in System Design 32(1), 3–23 (2008) 12. Bouyer, P., Markey, N.: Costs are expensive! In: Raskin, J.-F., Thiagarajan, P.S. (eds.) FORMATS 2007. LNCS, vol. 4763, pp. 53–68. Springer, Heidelberg (2007)

On the Supports of Recognizable Timed Series

257

13. Brihaye, T., Bruy`ere, V., Raskin, J.-F.: On optimal timed strategies. In: Pettersson, P., Yi, W. (eds.) FORMATS 2005. LNCS, vol. 3829, pp. 49–64. Springer, Heidelberg (2005) 14. Brihaye, T., Bruy`ere, V., Raskin, J.-F.: On model-checking timed automata with stopwatch observers. Inf. Comput. 204(3), 408–433 (2006) 15. Chatterjee, K., Doyen, L., Henzinger, T.A.: Quantitative languages. In: Kaminski, M., Martini, S. (eds.) CSL 2008. LNCS, vol. 5213, pp. 385–400. Springer, Heidelberg (2008) 16. Droste, M., Quaas, K.: A Kleene-Sch¨ utzenberger theorem for weighted timed automata. In: Amadio, R.M. (ed.) FOSSACS 2008. LNCS, vol. 4962, pp. 142–156. Springer, Heidelberg (2008) 17. Fichtner, I.: Characterizations of Recognizable Picture Series. PhD thesis, Universit¨ at Leipzig, Institut f¨ ur Informatik, Abteilung Automaten und Sprachen (2006) 18. Kirsten, D.: The support of a recognizable series over a zero-sum free, commutative semiring is recognizable. In: Diekert, V., Nowotka, D. (eds.) DLT 2009. LNCS, vol. 5583, pp. 326–333. Springer, Heidelberg (2009) 19. Larsen, K.G., Rasmussen, J.I.: Optimal reachability for multi-priced timed automata. Theor. Comput. Sci. 390(2-3), 197–213 (2008) 20. Ouaknine, J., Worrell, J.: On the Language Inclusion Problem for Timed Automata: Closing a Decidability Gap. In: LICS, pp. 54–63. IEEE Computer Society Press, Los Alamitos (2004) 21. Quaas, K.: Weighted Timed MSO Logics. In: Diekert, V., Nowotka, D. (eds.) DLT 2009. LNCS, vol. 5583, pp. 419–430. Springer, Heidelberg (2009) 22. Rahonis, G.: Fuzzy languages. In: Droste, Kuich, Vogler (eds.) Handbook of Weighted Automata. Springer, Heidelberg (to appear, 2009) 23. Sakarovitch, J.: Rational and recognisable power series. In: Droste, Kuich, Vogler (eds.) Handbook of Weighted Automata. Springer, Heidelberg (To appear, 2009) 24. Salomaa, A., Soittola, M.: Automata-Theoretic Aspects of Formal Power Series. Springer, New York (1978) 25. Wilke, T.: Automaten und Logiken zur Beschreibung zeitabh¨ angiger Systeme. PhD thesis, Christian-Albrecht-Universit¨ at Kiel (1994)

Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol Using Event Order Abstraction Shinya Umeno CSAIL, Massachusetts Institute of Technology, Cambridge MA, USA [email protected] Abstract. We present machine-assisted timing-parameter synthesis of the biphase mark protocol (BMP) [1] using event order abstraction (EOA)[2]. By using EOA, we separate the task of synthesizing parameter constraints that guarantee key safety properties of BMP into two parts: 1. Safety property verification of the protocol by a conventional untimed model-checker under the condition that “bad” event orders do not occur; and 2. Derivation of timing parameter constraints that are sufficient to exclude bad event orders in the protocol, using our tool M E TEO R S. Though the user has to provide information about bad event orders, the rest of the synthesis process is automated. With the case study presented in this paper, we provide the community with two new pieces of information about BMP. First, the synthesis process using EOA produces, as a by-product, a list of all “bad scenarios” of BMP that would happen when parameters are tuned incorrectly. Second, the M E TEO R S tool provides information about which parameter constraint in the finally derived conjunction of constraints is actually sufficient to exclude each of these bad scenarios.

1 Introduction Time-parametric verification of real-time systems has been a challenging problem in the formal verification community [1,3,4]. In this problem, timing constraints on the systems’ behavior depend on a certain parameter set, and values of these parameters are not fixed at the time of verification. Typically, only a subset of possible parameter combinations in the entire parameter space satisfies correctness of such systems. Thus, to conduct parametric verification of them, the user has to find an appropriate set of constraints for the timing parameters, and manually proves or mechanically checks correctness under the constraints. Timing-parameter synthesis is a problem in which one wants to derive with a machine support sufficient constraints on the timing parameters of an underlying real-time system under which the system executes correctly. This problem is considered harder than time-parametric verification since the mechanical tool is not a priori given a set of timing parameter constraints by the user, but it has to synthesize constraints by itself. In this paper, we present machine-assisted timing-parameter synthesis of the biphase mark protocol (BMP) [1] using event order abstraction (EOA) that we presented in [2].1 EOA can be applied to real-time systems in which “correct orderings of events” maintained by timing constraints on the systems’ behavior are critical for correctness. To use 1

The SAL code and the python code to reproduce the results of the presented case study are available from: http://people.csail.mit.edu/umeno/biphase/.

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 258–274, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol

259

EOA, the user models a real-time system by using the time-interval automata (TIA) framework, an extension of the I/O automata framework [5]. By using EOA, we separate the task of synthesizing parameter constraints that guarantee key safety properties of BMP into two parts: 1. Safety property verification of the protocol by a conventional untimed model-checker under the condition that “bad” event orders do not occur; and 2. Derivation of timing parameter constraints that are sufficient to exclude bad event orders in the protocol, using our tool M E TEO R S. Though the user has to provide information about bad event orders, the rest of the synthesis process is completely automated. BMP has been studied in several papers in the context of time-parametric verification, which requires a manual derivation of parameter constraints (for instance, [1,3,6]), and in the context of fully automated constraint synthesis for a restrictedly parameterized model of the protocol (in which some parameters are fixed to constraint values) [7,8]. This work presents the first machine-assisted parameter synthesis for fully parameterized model of BMP. This protocol has interesting aspects for timing parameter synthesis: 1. Considerably large number of timing parameters (10 parameters in our model) and 2. Unbounded number of repetitive events (busy-waiting) with timing constraints that may appear in the protocol executions. We will explain in Section 2 why the above mentioned two aspects make this protocol especially challenging to conduct timing-parameter synthesis with existing model-checkers. We also compare the results with case studies on BMP using other approaches. With this case study presented in this paper, we provide the community with two new pieces of information about BMP. First, the synthesis process using EOA produces, as a by-product, a list of all “bad scenarios” of BMP that would happen when parameters are tuned incorrectly. Second, the M E TEO R S tool provides information about which parameter constraint in the finally derived conjunction of constraints is actually sufficient to exclude each of these bad scenarios. We believe that these pieces of information by themselves deserves values to the community. For example, by the list of all bad scenarios and its corresponding parameter constraint, an implementer of BMP can learn what kind of bad executions could occur in the protocol when the parameters are badly tuned or the values of parameters temporally deviate from their nominal values due to transient failures. When a bad execution is actually observed in an implementation, by the list of parameter constraints for each bad scenarios, the implementer can discover which parameter constraint is violated. The user cannot easily obtain these pieces of information about bad executions of the system by existing model-checkers. The rest of the paper is organized as follows. In Section 2, we explain the reason why BMP is especially challenging to conduct fully automatic parameter synthesis with existing model-checkers. Section 3 is devoted to summarize the event order abstraction (EOA) approach that we use for the case study. In Section 4, we conduct machineassisted parameter synthesis of BMP using EOA. We also compare the results with existing case studies on BMP using other approaches. In Section 5, we conclude by discussing advantages of using EOA and stating future work.

2 Why Is the Biphase Mark Protocol Especially Challenging? There are several existing timed/hybrid model-checkers that can conduct fully automatic timing-parameter constraint synthesis [7,9,10,11,12]. However, the biphase mark

260

S. Umeno

protocol (BMP) is especially challenging to conduct parameter constraint synthesis by these model-checkers from two reasons that we will describe in the following. The first reason is that BMP performs repetitions of events, and there is a time bound between two consecutive repetitions. Namely, the receiver part of BMP conducts busy waiting to detect a signal edge, and checks to detect an edge are performed repeatedly in every certain time interval. As we will see in Section 4, these repeated checks could fail an unbounded times since we do not know the relationship between the repetition cycle (parameter Δ) and other timing parameters that are related to the timing of creating an edge. The second reason is that BMP has a considerable number of timing parameters (10 parameters in our modeling). Thus even if the user eliminates repetitions of events with timing constraints by modifying the model, the resulting model may have too many parameters to fully automatically synthesis parameter constraints. Indeed, in [7], the authors had to fix some parameters in order to automatically synthesize parameter constraints by H Y T ECH. Now let us explain why the first reason causes a trouble for existing model-checkers. The basics of an existing timed/hybrid model-checker performs parameter constraint synthesis are as follows. It first computes the reachable states of the system, symbolically represented by a linear-arithmetic expression. This is done by repeatedly computing successor states until no new successor states are discovered. Then, by taking the intersection of the reachable state and the unsafe states, it obtains the bad parameter settings. Now a parameter constraint is obtained by negating the linear-arithmetic expression that represents the intersection. If no over- or under-approximation is used for reachable set computation, then the constraint is both sufficient and necessary. When the user gives a fully parameterized model of BMP to a model-checker, the reachability computation does not terminate. As we explained above, arbitrarily number of failing checks can potentially occur by busy waiting in BMP. Because these detections are repeatedly performed every Δ time units, every successor state of these repeated detections is a new state in the reachability computation (for example, the state that can be reached just after two failing detections is a different state from the state just after one failing detection since Δ time units are elapsed since the first detection). Therefore, the reachability computation diverges. Indeed, in [7], Henzinger et al. explained that this was the reason that they had to modify the HyTech model of BMP in such a way that the model does not perform busy-waiting for an edge detection: a successful detection occurs within a certain time after an edge has created (and thus they eliminated failing detections from the model). Our EOA approach does not suffer from the same problem since the automaton model is untimed in our approach. In this untimed abstraction, failing detections become stuttering transitions, and thus the model-checking does not diverge due to failing detections. Instead, the constraint derivation process from bad event orders of EOA needs a technique called “decomposition” of event orders. This process is automated by the M E TEO R S tool once the user specifies what events must be decomposed. We will present more details about decomposition in Section 3.3. The TReX [11] model-checker can perform what the authors call “extrapolation”, with which the tool detects the loop in the state transition graph and over-approximates the effects of the loop in terms of changes of the values of timed variables. For example,

Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol

261

for the above discussed repetitions of failing detections, TReX may be able to compute with the extrapolation technique that the effect of these repetitions is increasing the values of timed variables by nΔ for an arbitrarily non-negative number n, and therefore may be able to complete the reachable state computation. However, as far as we can observe from [13], which presents timing-parameter synthesis for IEEE 1394 root contention protocol using TReX, the tool actually needs human-directed operations for choosing parameter constraints: the tool gives back the user the list of linear inequalities which sometimes contains unnecessary inequalities for the correctness (due to overapproximation used in the model-checking), and the user needs to manually choose a subset of the given set of inequalities that he/she believes sufficient and repeat the model-checking under the selected constraints. Moreover, the authors reported that the computation took more than 67 hours for a certain model-checking run under selected constraints. Considering that their model only have five parameters, which are considerably less compared to ten parameters in our model of BMP, timing synthesis of BMP using TReX is arguably very challenging.

3 Event Order Abstraction Approach In this section, we explain the event order abstraction (EOA) approach. In Section 3.1, we describe the time-interval automata framework that the user needs to use to model a system when using EOA. Section 3.2 is devoted to explain how the user can specify bad event orders in the system. Finally in Section 3.3, we summarize how the user conducts timing parameter synthesis using EOA and our timing-constraint synthesis tool M E TEO R S. For more detailed explanation of EOA, the reader should refer to [2]. 3.1 Time-Interval Automata The time-interval automata (TIA) framework is an extension of the I/O automata framework [5]. An I/O automaton is a classical transition system with distinguished input, output, and internal actions, and is usually described by a guarded-command style language. Informally, with the TIA framework, one can specify the lower and upper time bounds on the interval between one action and its following actions. A time bound for an action a and actions in a set of actions B is represented as an interval in the form [l, u]. Informally, this bound represents that, for any time of occurrence ta of action a, no action in B occurs before ta + l, and at least one action in B is performed before or at ta + u. An interval-bound map defined in the following Definition 1 formally specifies time bounds for actions. The special symbol ⊥ is used to express the time bound on the interval between the system start time and the time an action in the specified set occurs. Definition 1. (Interval-bound map). An interval-bound map b for an I/O automaton A is a pair of mappings, lower and upper. Each of lower and upper is a partial function from actions(A)⊥ ×P(actions(A)) to R>0 , where actions(A)⊥ = actions(A)∪{⊥} is a set of actions of A extended with a special symbol ⊥, P(actions(A)) is the power set of actions of A, and R>0 is the set of positive reals.

262

S. Umeno

An interval-bound map defined in Definition 1 may not satisfy requirements to express a meaningful bound (for example, the specified lower bound is not greater than the specified upper bound). The formal description of the requirements appears in [2]. We say that an interval-bound map is valid if it satisfies the requirements. Definition 2. (Time-interval automaton). A time-interval automaton (A, b) is an I/O automaton A together with a valid interval-bound map b for A. Definition 3. (Timed execution). A timed execution of a time-interval automaton (A, b) is a (possibly infinite) sequence α = s0 , (π1 , t1 ), s1 , (π2 , t2 ), · · · where the si ’s are states of A, the πi ’s are actions of A, and the ti ’s are times in R≥0 ; s0 is an initial state of A; and for any j ≥ 1, (sj−1 , πj , sj ) is a valid transition of A and tj ≤ tj+1 . We also require a timed execution to satisfy the upper and lower bound requirements expressed by b: Upper bound: For every pair of an action π and a set of actions Π with upper(π, Π) defined, and every occurrence of π in the execution πr = π, if there exists k > r with tk > tr + upper(π, Π), then there exists k  > r with tk ≤ tr + upper(π, Π) and πk ∈ Π. Lower bound: For every pair of an action π and a set of actions Π with lower(π, Π) defined, and every occurrence of π in the execution πr = π, there does not exist k > r with tk < tr + lower(π, Π) and πk ∈ Π. The upper and lower bound requirements for a bound with ⊥ are defined similarly (see [2]). A composition of multiple TIA is defined in a way similar to that of ordinary I/O automata (which is an ordinary asynchronous composition with synchronization of input and output actions with the same name [5]). Interval-bound maps of TIA are combined by using a union of maps (by regarding maps as relations). In order to formally define a composition for time-interval automata, we need a definition of the compatibility of a collection of TIA. The compatibility for TIA is defined simply as the compatibility of the underlying I/O automata (see [5] for the definition). Definition 4. (Composition of TIA) For a compatible collection of TIA, the composition (A, b) = Πi∈I (Ai , bi ) is the timed-interval automaton as follows. (1). A is the composition of the underlying I/O automata {Ai }i∈I , and (2). lower is given by taking union of {loweri }i∈I and upper is given by taking union of {upperi }i∈I (by regarding partial functions as sets of ordered pairs). Definition 5. (Untimed TIA) Given a TIA (A, b), the untimed model of (A, b) is simply an underlying ordinary untimed I/O automaton A. 3.2 Specifying Event Orders In this section, we presents how the user can specify an event order that needs to be excluded for system correctness. One event order specification represents a subsequence of an (untimed) execution (or technically called execution fragment) or a set of execution fragments.

Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol

263

An event order in its simplest form is just a sequence of actions (transition labels), which represents consecutive actions that occur in an automaton execution. In some cases (such as certain bad scenarios of BMP), it is crucial to express repetitions of events. The user can start an event order specification with the special symbol ‘⊥’, which indicates that the event order matches a prefix of an automaton execution, rather than an execution fragment in the middle of the execution. The user can express repetitions using an ignored event specification (IES). An IES specifies the repetitive events in a way similar to the repetition symbol ‘*’ of regular expressions. For example, an event order with an ignored event specification “a1 -a2 -a3 a4 : insert {a5 , a6 } in [2,4]” matches with any execution of TIA that has a subsequence that matches a regular expression a1 a2 (a5 ∪ a6 )∗ a3 (a5 ∪ a6 )∗ a4 . We use the above notation using “insert”, instead of a repetition symbol ‘*’, since we consider that it is easier to comprehend which events are inserted in what event interval. Definition 6. (Event order) An event order of a time-interval automaton (A, b) is a sequence of actions of A, possibly starting with a special symbol ⊥. In Definition 7, Ym represents a set of events that are inserted in the interval between eim and ejm . Definition 7. (Ignored event specification). An ignored event specification (IES) for an event order is in the following form: insert (Ym to [im , jm ])rm=1 . An ignored event set IkE represents the set of all ignored events between event index k and k + 1. Definition 8. (Ignored event set). For an event  order with an IES, E = (⊥)e1 · · · en : insert (Ym to [im , jm ])rm=1 , we define IkE = im ≤k<jm Ym for 0 ≤ k ≤ n − 1. Definition 9. (Match between a timed execution and an event order with an IES). Consider a timed execution α = s0 , (π1 , t1 ), s1 , · · · of a time-interval automaton (A, b). Let α be the sequence of actions that appear in α, that is, α = π1 π2 π3 · · · . We say that α matches an event order (with an IES), E = e1 · · · en : insert (Ym to [im , jm ])rm=1 , if there exists a finite subsequence β of α such that β can be split into β0 πk1 β1 πk2 β2 · · · βn−1 πkn , where, for all i, 1 ≤ i ≤ n, πki = ei , and βi is a sequence of actions and all actions that appear in βi are in IiE . A match for an event order that starts with ⊥ is defined similarly to Definition 9 (an additional condition k1 = 1 is added to the definition). For an event order without an IES, all βi ’s in Definition 9 are empty sequences. 3.3 Timing-Parameter Synthesis Using EOA Timing parameter synthesis using EOA involves two steps: 1. Identifying bad event orders in the untimed abstraction of the original model; and 2. Deriving timing parameter constraints using our M E TEO R S tool. We explain these two steps in more details in the following.

264

S. Umeno

The first step is identification of “bad” event orders that appear in the system executions. Note that the user does not need to specify all bad executions, but it is sufficient to specify the set of key subsequences of them that covers all bad executions. The user initially proposes a candidate set of bad event orders that he/she wants to exclude from the system executions (this candidate set may be empty). The user then model-checks a safety property of interest on an untimed model of the underlying TIA, under the assumption that the model does not exhibit the proposed bad event orders. Recall that an untimed model of a TIA (A, b) is simply an underlying ordinary I/O automaton A. If the model-checking is completed with a positive answer, then the user has obtained a sufficient set of bad event orders to be excluded for the given safety property. Otherwise, the user uses a counterexample obtained from the model-checking to extract an additional bad event order, and repeats the same process until he/she successfully model-checks the untimed model. Model-checking under a specific event order assumption is carried out in the following two steps. The user first constructs a monitor that raises a flag when any of the identified bad event orders is exhibited. Then he/she model-checks the untimed model with this monitor under the assumption that the monitor does not raise the flag (in Linear Temporal Logic (LTL) [14], this condition can be represented by: (¬Monitor.flag) ⇒ (¬UntimedModel.propertyViolated)). We used the SAL model-cheker [15] in the presented work. We manually constructed monitors in the presented case study, but we are planning to develop an automatic monitor construction tool. In the second step, the user provides the set of identified bad event orders to our tool M E TEO R S (M Echanized Timing/Event-O Rder Synthesizer), and the tool automatically derives timing parameter constraints under which the underlying TIA exhibits no execution that matches the identified bad event orders. The algorithm that M E TEO R S uses and a soundness theorem of the derived constraints are described in [2]. We briefly summarize the basic idea of the algorithm here. Given an event order, the tool combines the time bounds immediately derivable from the interval-bound map b of the underlying TIA (A, b), and finds a pair of a combined upper bound and a combined lower bound. For example, suppose the tool is given the event order E = e1 e2 e3 e4 , and is able to derive from b upper bounds U1 for [e1 , e3 ] and U2 for [e2 , e4 ], respectively, and a lower bound  for [e2 , e4 ]. (We use the notation [ei , ej ] to represent the time interval between events ei and ej in E.) If U1 + U2 <  holds, then E cannot be exhibited by (A, b) since the time interval between e1 and e4 in E is at most U1 + U2 and the time interval between e2 and e4 is at least , and thus e3 must appear before e4 does after e1 e2 . The algorithm that M E TEO R S uses systematically goes through all possible combinations of upper and lower bounds to find a constraint using the same reasoning described above. An IES is treated very conservatively: we basically literally ignore ignored events (except for some subtle cases). This is basically why we need decomposition of an event order with an IES, described below, for some cases to retrieve some more information of repetitive events (than just ignoring them), in order to derive more meaningful constraints. We have added a new feature of automatic decomposition of event orders to M E TEO R S after we presented [2]. With this new feature, the user can specify repetitive events specified in an IES that he/she wants to “decompose”. A decomposition of events in an

Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol

265

IES is sometimes needed to obtain a weaker constraint set for the correctness (representing a larger allowable parameter set) than the one that could have been obtained without decomposition. A decomposition of an event order with an IES creates two event orders such that a union of the two sets of executions that decomposed two orders match respectively is equal to the set of executions that the original event order matches. This is done by splitting the event order into the case that specified repetitive events occur at least one time and the case that no repetition occurs. For example, decomposition of event order E1 = a1 (a2 )∗ a3 a4 with respect to (a2 )∗ produces two event orders E10 = a1 a3 a4 and E1+ = a1 (a2 )∗ a2 a3 a4 , where E10 ∪ E1+ = E1 . Now the constraint for the underlying event order is derived not directly from the original one, but from the two decomposed ones. The user can basically command the tool to decompose all repetitions of events (for example failing detections in BMP), and the tool will automatically decompose them. A constraint derived from one event order by M E TEO R S has the form of a disjunction of linear inequalities over the upper and lower bound parameters (one event order may have several parameter inequalities for it to be excluded). The user typically has to exclude more than one event orders, and thus the tool needs to combine individual constraints by making a conjunction of the constraints. Thus, a parameter constraint derived from M E TEO R S forms a conjunction of disjunctions of linear inequalities. By combining the untimed model-checking result from the first step and the derived constraint from the second step, the user obtains a timing parameter constraint under which the underlying TIA model satisfies the desirable safety property.

4 Case Study: The Biphase Mark Protocol The biphase mark protocol (BMP) is a widely used lower-layer communication protocol for industrial and consumer electronics. For example, it is used in Sony/Philips Digital Interconnect Format (S/PDIF) that has been developed for carrying digital audio signals between devices and stereo components. An industrial version of S/PDIF, called AES/EBU, also uses BMP. BMP specifies a way of encoding a bit string to a digital signal, and then decoding the signal back to a bit string using the timing aspect of the encoded signal. Figure 1 shows how BMP operates. The encoder and the decoder communicate via a digital signal (a function from time to ‘high’ and ‘low’) sent on a physical wire. At the encoder side, the time frame is divided into small time windows, called cells. In each cell, the encoder encodes one bit into a digital signal at a time. The encoding rule specified in BMP is simple. At the beginning of every cell, the encoder flips the signal, creating an edge. Within one cell, when the encoder has to encode a ‘1’, it flips the signal within the cell after some time window called mark sub-cell. On the other hand, when encoding a ‘0’, the encoder simply does not flip the signal withing the cell. The decoder repeatedly checks the signal, and detects the edge by observing that the level of the signal (low or high) is different from what it observed in the last check. The decoder interprets the detected edge as the beginning of a cell, and checks the signal again after the time length called the sampling distance. If the decoder observes the level of the signal changes within the cell, it decodes a ‘1’, and otherwise a ‘0’.

266

S. Umeno Bits to be sent: Cell:

1

0

0

1

0

Time

1

: Edge is detected

Mark sub-cell

: Decode is performed

Signal: Decoding process: Decoded bits:

Sampling distance

1

0

0

1

0

1

Fig. 1. Basic execution of the biphase mark protocol

Several researchers have conducted formal verification of this protocol (for example, [1,3,6]). We compare the results from the EOA approach with related work in Section 4.3. The TIA model of a biphase mark protocol we have developed is based on the model by Vaandrager and de Groot [3]. In the model presented in [3], the authors consider two important realistic aspects of the protocol. The first aspect is differences in the clock rates of the encoder and the decoder (that is, clock drift). From this aspect, the sizes of cells (and mark sub-cells) are not uniformly consistent in the protocol execution, but have some small deviation from its ideal shape (that is, for an ideal cell size L, an actual cell has a size within [L − ε, L + ε]). The same phenomenon affects the decoder as well since its periodic checks for a signal edge detection and the sampling period depend on its local clock. The second aspect is the metastability of the signal caused by a signal edge. When a signal edge is created by the encoder, the signal level does not immediately change from a high voltage to low, or low to high, but needs some settling time. When the decoder checks the signal during this metastability period, we cannot predict whether the decoder may interpret the signal level as high or low. Thus, as in the model of [3], the observation of the signal by the encoder is nondeterministically decided as either high or low within a metastability period, so that we cover all possible scenarios that arise from this metastability issue. 4.1 Modeling BMP in the TIA Framework Figure 2 (Encoder automaton) shows TIA code for the model of the encoder in BMP. This automaton performs the following simple job: it repeatedly and nondeterministically chooses the next bit to send (expressed by choose(sending0,sending1S)). It first outputs Edge0 or Edge1S, depending on the next bit to send. If it chooses to send a ‘1’, then it outputs Edge1T, representing the “toggling” of the signal within the current cell, before choosing the next bit to send. The automaton has three bounds. The first bound represents that the size of mark sub-cell (the time it waits between the edge starting a cell and the toggling of the signal to encode a ‘1’) is within [m1 , M1 ]. The second and the third bound represent that the entire cell length is within [c, C]. Figure 4 (Decoder automaton) shows TIA code for the model of the decoder in BMP. This automaton also models signal settling (Settle action) on the wire as well as the behavior of the decoder (Detect and Decode actions). The code is a straightforward translation of the decoder behavior explained earlier in this Section 4. We use the temporary variable sampledVoltage to represent a sampled voltage of the signal on the wire at the decoder side. When the signal has not yet settled after an edge is created by the encoder, the value of sampledVoltage is nondeterministically determined (expressed

Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol

267

————————————————— ————————————————— EncoderState = enumeration of sending0, sending1S, sending1T Automaton Encoder(m1 , M1 , c, C: Real) where 0 ≤ m1 ≤ M1 ∧ 0 ≤ c ≤ C signature output Edge1S, Edge1T, Edge0S states senderPC: EncoderState := choose(sending0, sending1S); transitions output Edge1S pre senderPC = sending1S; eff senderPC := sending1T; output Edge1T pre senderPC = sending1T; eff senderPC := choose(sending0, sending1S); output Edge0 pre senderPC = sending0; eff senderPC := choose(sending0, sending1S); bounds: b(Edge1S, {Edge1T}) = [m1 , M1 ]; b(Edge1S, {Edge0, Edge1S}) = [c, C]; b(Edge0S, {Edge0, Edge1S}) = [c, C];

————————————————— Fig. 2. Encoder automaton of the biphase mark protocol

————————————————— BitWithBottom = enumeration of 1, 2 ⊥ Automaton SPM signature input Edge1S, Edge0S, Decode(decodedBit:Bit) states buffer1: BitWithBottom := ⊥ buffer2: BitWithBottom := ⊥ decoding error: Boolean := false buffer overflow: Boolean := false buffer underflow: Boolean := false transitions input Edge0 if buffer2 = ⊥ then buffer overflow := true endif; if buffer1 = ⊥ then buffer1 := 0 else buffer2 := 0 endif; input Edge1S if buffer2 = ⊥ then buffer overflow := true endif; if buffer1 = ⊥ then buffer1 := 1 else buffer2 := 1 endif; input Decode(decodedBit) if buffer1=⊥ then buffer underflow := true endif; if buffer2 = ⊥ and buffer2 = decodedBit ∨ buffer2 = ⊥ and buffer1 = decodedBit then decoding error := true endif; if buffer2 = ⊥ then buffer1 = ⊥ endif; buffer2 := ⊥;

—————————————————

Bit = enumeration of 0, 1; SignalVoltage = enumeration of HIGH, LOW; DecoderState = enumeration of detecting, decoding; flip(v:SignalVoltage): SignalVoltage = if v = HIGH then LOW else HIGH endif; Automaton Decoder(δ, Δ, τ, T, h, H: Real) where 0≤δ ≤Δ∧0≤τ ≤T ∧0≤h≤H signature input Edge1S, Edge1T, Edge0S output Settle output Detect(succeed: Boolean) output Decode(decodedBit: Bit) states decoderState: DecoderState := detecting; signalVoltage: SignalVoltage := LOW; signalSettled: Boolean := true; oldVoltage: SignalVoltage := LOW; transitions input Edge1S eff signalVoltage := flip(signalVoltage); signalSettled := false; input Edge1T eff signalVoltage := flip(signalVoltage); signalSettled := false; input Edge0 eff signalVoltage := flip(signalVoltage); signalSettled := false; output Settle pre signalSettled = false eff signalSettled := true output Detect(succeed) pre decoderState = detecting ∧ let sampledVoltage: SignalVoltage = if signalSettled then signalVoltage else choose(HIGH,LOW) endif in succeed = (oldVoltage = sampledVoltage); eff oldVoltage = if succeed then flip(oldVoltage) else oldVoltage endif; decoderState = if succeed then decoding else detecting endif; output Decode(decodedBit) pre decoderState = decoding ∧ let sampledVoltage: SignalVoltage = if signalSettled then signalVoltage else choose(HIGH,LOW) endif in decodedBit = if oldVoltage = sampledVoltage then 0 else 1 endif; decoderState = detecting; bounds: b(⊥, {Detect(true), Detect(false)}) = [δ, Δ]; b(Detect(false),{Detect(true),Detect(false)})=[δ, Δ]; b(Decode, {Detect(true), Detect(false)}) = [δ, Δ]; b(Detect(true), {Decode}) = [τ, T ]; b(Edge1S, {Settle}) = [h, H]; b(Edge1T, {Settle}) = [h, H]; b(Edge0, {Settle}) = [h, H];

Fig. 3. Safety property monitor for the biphase ————————————————— mark protocol Fig. 4. Decoder automaton of the biphase mark protocol

268

S. Umeno

by choose(HIGH,LOW)). Detect(true) and Detect(false) respectively represents that the decoder succeeds in detecting, and fails to detect a signal-level change. Decoder has seven time-interval bounds.2 The first bound specifies that the very first detection of an edge is performed within the time interval [δ, Δ] after the system execution starts. The second bound specifies that after the failing detection of an edge, the next detection is performed within [δ, Δ]. The third bound specifies that the decoder resumes an edge detection within [δ, Δ] after decoding a bit. The fourth bound specifies that the sampling distance is within [τ, T ]. The remaining three bounds specify that the signal on the wire settles within [h, H] after an edge is created by the encoder.3 Informally, the safety property we want to check is that the decoder correctly decodes encoded bits from the signal. To formally define the above described informal property, we use the safety property monitor SPM (Figure 3). SPM has a FIFO buffer of size two, representing encoded bits in the signal. When the encoder performs Edge0 or Edge1S, SPM stores a corresponding bit (0 or 1) to its buffer. When the decoder decodes the signal, SPM removes the first bit in its buffer, and compares this bit with the decoded bit by the decoder. SPM sets its decoding error flag to be true when the buffered bit (which might be a special empty symbol when the buffer is empty) and the decoded bit do not match. SPM sets its buffer overflow flag to true when the buffer overflow occurs, and sets its buffer underflow flag to true when the buffer underflow occurs. We say that the protocol is correct under a certain event-order constraint if any of the above described three flags are not raised in all execution of the protocol under the event-order constraint. 4.2 Parameter Constraint Synthesis of BMP Using EOA In this section, we present parameter constraint synthesis of BMP using EOA. Step 1. Identifying bad event orders: We first need to identify bad event orders in the protocol execution that would lead to safety property violation. Here we illustrate how the user can identify bad event orders by model-checking the untimed model of BMP. If the user does not know a clue what kind of event orders exist, then he/she can start model-checking the untimed model without any event-order assumption. In this case, he/she obtains the following counterexample: Edge1S - Detect(true) - Decode(0). This execution is bad since decoding is performed too fast and therefore a zero is decoded even though the encoder is sending a one. By excluding only this exact sequence cannot prevent similar scenarios from occurring. This is because an arbitrary number of Detect(false) can appear before Detect(true), and a Settle action can appear any time after Edge1S. Therefore, the user must specify Edge1S - Detect(true) - Decode(0): insert {Detect(false)} in [1,2]; {Settle} in[1,3], in order to exclude all similar executions. (The above event order with an IES is actually E4 that we describe later in this section.) With an event-order constraint for the above event order, the user obtains the following 2

3

We are treating Decode(0) and Decode(1) (representing decoding a ‘0’ and a ‘1’, respectively) as the same symbol. The authors of [3] uses different parameters from ours. Namely, they explicitly model clocks in the system (for example, m1 becomes mark · min, where min is the lower bound for the clock cycle, and δ becomes 2min.) We can retrieve the same clock-cycle information by using equalities between parameters. Therefore, we call our model fully parameterized.

Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol E2_0 Voltage high

Voltage low

E4 Voltage high

E3

E2_1S Edge0S Edge0S/Edge1S

Voltage high

Edge starting 0 is completely missed.

...

Voltage low

Edge1S Edge1T

Voltage high

Voltage low

Voltage low

Decoding occurs too early, and 0 may be incorrectly decoded. E6_1S Voltage high

Voltage low

Edge1S Edge1T Edge0S/Edge1S

...

Signal toggling for 1 is completely missed.

Edge1S

: Failing Detection (an edge is not detected)

Edge1T

Voltage low ...

E5

Edge1S

Voltage high

E7_0 Voltage high

Voltage low

Edge starting 1 is completely missed. Edge0S

Decoding occurs too early, and 0 may be incorrectly decoded. E6_0S Voltage high

Voltage low Decoding occurs too early, and 1 may be incorrectly decoded. Edge0S

Edge0S/Edge1S

Edge0S

E7_1S Voltage high

Flat signal for 0 is completely missed.

Edge0S/Edge1S

Flat signal for 0 is completely missed.

...

269

: Successful Detection (an edge is detected) : Decode : Signal metastability period (the signal has not settled yet)

Edge1S Edge1T Edge0S/Edge1S

Voltage low

Signal toggling for 1 is completely missed.

Fig. 5. Bad scenarios of a biphase mark protocol

counterexample: Edge0 - Edge0 - Edge 1S. This execution is bad since the SPM buffer overflows. We can actually observe that this execution is bad also in terms of decoding: the decoder completely misses the first Edge0. Thus the prefix Edge0 - Edge 0S of the counterexample is a bad event order. There are actually two more similar scenarios: Edge0 - Edge 1S (Edge0 is missed by the decoder) and Edge1S - Edge 1T (Edge1S is missed). Therefore, the user wants to specify all of the above three event orders as bad orders. The user can continue identifying bad scenarios until he/she succeeds in model-checking. We repeated the process of bad event order identification described above, and found nine bad scenarios. Now we list all bad scenarios and explain why they are bad. The first scenario is the same as the second bad scenario described above. E1 1: Edge0-Edge0 E1 2: Edge0-Edge1S E1 3: Edge1S-Edge1T The rest of the scenarios are depicted in Figure 5. E2 0 and E2 1S describe similar scenarios: in these scenarios, the edge starting 0 or 1, respectively, is completely missed because the next edge occurs before the decoder observes the edge. E2 0: Decode-Edge0-Settle-Edge0: insert {Detect(false)} in [1,3] E2 1S: Decode-Edge1S-Settle-Edge1T: insert {Detect(false)} in [1,3] Detect(false) is inserted in the above event orders since it can possibly occur unbounded number of times before an edge settles. We also have slightly different versions of the above two event orders. These different versions basically describes the same situation as the originally described two. For example, E2 0 can end with Edge1S instead of Edge0, as described in Figure 5. The first Decode in E2 0 and E2 1S can be replaced by ⊥ symbol, representing the same situation as the original one just after the system execution starts (not after at least one Decode have already been performed). Therefore, we had four versions (including the one represented above) for E2 0 and two versions for E2 1S. E3 describes the case that the sampling distance of the decoder is so short that the decoder decodes the signal before the signal settles after toggling for a ‘1’. E3: Edge1S-Detect(true)-Edge1T-Decode: insert {Detect(false)} to [1,2]; {Settle} to [1,3]

270

S. Umeno

E4 describes the case that a signal toggling for a ‘1’ has not been done yet when the sampling distance for the decoder elapses, and thus a ’0’ is incorrectly decoded. E4: Edge1S-Detect(true)-Decode: insert {Detect(false)} in [1,2]; {Settle} in [1,3] E5 describes the case that the sampling distance is so short that the decoding for a ‘0’ is done before the signal settles, and thus a ‘1’ can be incorrectly decoded. E5: Edge0-Detect(true)-Decode: insert {Detect(false)} in [1,2] E6 0, E6 1S, E7 0 and E7 1S describe similar situations: the sampling distance is long relative to the cell size, and thus decoding for the current has not been done before the next edge occurs. E6 0: Decode-Edge0-Settle-Detect(true)-Edge0: insert {Detect(false)} in [1,3] E6 1S: Decode-Edge1S-Settle-Detect(true)-Edge1T-Edge0: insert {Detect(false)} to [1,3]; {Settle} in [5,6]

E7 0: Edge0-Detect(true)-Settle-Edge0: insert {Detect(false)} in [1,2] E7 1S: Edge1S-Detect(true)-Settle-Edge1T-Edge0: insert {Detect(false)} to [1,2]; {Settle} in [4,5]

As in the case of E2 event orders, E6 0, E6 1S, E7 0, and E7 1S also have slightly different versions that describes the same situation – Edge1S instead of Edge0 at the end of E6’s and E7’s, ⊥ instead of Decode in E6 0 and E6 1S. Therefore, we had four event orders for E6 0 and E6 1S, respectively, and two for E7 0 and E7 1S, respectively. In total, we had 24 event orders ( 3 E1, 6 E2, 1 E3, 1 E4, 1 E5, 8 E6, and 4 E7). We were able to combine event order monitors for multiple event orders into one monitor (for example, we can easily construct a monitor that monitors four event orders of the type of E6 0 at the same time). We had 11 monitors in total for 24 event orders. We confirmed by untimed model-checking that the safety property described earlier in this subsection holds at any reachable state of our model under the assumption that the above specified event orders do not occur in system executions. We also examined how many encoded bits can exist on the wire as the same time (by counting the number of bits in the buffer of SPM), and confirmed that under the same ordering assumption, only one bit is encoded on the wire at the same time. Step 2. Deriving timing parameter constraints using METEORS: We specified in our tool M E TEO R S all of Detect(false) events in IES’s of the specified event orders as those that must be decomposed. M E TEO R S derived (after an automatic linear arithmetic simplification) a constraint, which is a conjunction of the following three inequalities. (1). m1 > H + Δ;

(2). τ > M1 + H; and

(3). c > H + Δ + T .

These three inequalities are equivalent to the three constraints manually derived in [3]. Therefore, though we needed to identify all bad scenarios (in terms of event orders), we obtained a result equivalent to [3], without manually deriving parameter constraints from bad scenarios, and safety property verification under the event order assumption was conducted automatically using a conventional untimed model-checker built in SAL. M E TEO R S also produced the list of constraints that are sufficient to exclude each of the specified bad event orders. Table 1 shows the result.

Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol

271

Table 1. Sufficient constraints to exclude each bad event order E1 1, E1 2 E1 3 E2 0 (all four versions) E2 1S (both versions) E3 E4 E5 E6 0 (all four versions) E6 1S (all four versions) E7 0 (both versions) E7 1S (both versions)

c>H m1 > H c>H +Δ m1 > H + Δ τ > M1 + H τ > M1 τ >H

(subsumed by c > H + Δ + T ) (subsumed by m1 > H + Δ) (subsumed by c > H + Δ + T ) (subsumed by τ > M1 + H) (subsumed by τ > M1 + H)

c>H +Δ+T c>H+T

(subsumed by c > H + Δ + T )

The whole synthesis process took us about 12 hours: 3-4 hours to model BMP in SAL and find modeling (not design) bug in the model; 5-6 hours to identify the bad event orders and writing monitors for them; and 2-3 hours to code up the event orders as Python objects to be used by M E TEO R S and decompose event orders to obtain reasonable constraints (this time does not include the time we took to learn the basic knowledge of how BMP operates). All computer experiments are conducted on a machine with Intel CoreTM 2 Quad at 2.66 GHz and 2 GB memory. Each untimed model-checking for badevent-order identification using SAL (as well as the successful model-checking) took less than one second.4 The computation time for timing synthesis using M E TEO R S took less than one second, including simplification. 4.3 Related Work and Comparison of Approaches In this subsection, we compare case studies of BMP using other approaches with ours. Fully Automated Timing-Parameter Constraint Synthesis Using Model-Checker: A first attempt of parametrically model-checking BMP using H Y T ECH was reported by Ivanov and Griffioen [8]. They succeeded to verify a model of BMP, but the model was restrictive compared to our model. (for example, sampling of the signal by the decoder was only allowed at particular time points). In [7] by Henzinger et al., the application of H Y T ECH to BMP is briefly reported. They succeeded to conduct partial timing synthesis (they had to fix a subset of parameters). To do so, they had to modify a model of [3] so that only successful detections of the edge appear in the execution. This modification prevented the model from non-terminating fix-point calculation due to unbounded number of failing detections. Parameterized Verification Using Inductive Reasoning: Parameterized verification is a different problem from parameter-constraint synthesis, since the user has to provide parameter constraints first. However, since our approach also needs human interaction in order to specify bad event orders, it is interesting to compare the results using the inductive-reasoning approach. In [3], the authors presented parametric verification of a biphase mark protocol using the UPPAAL model-checker and the PVS theorem prover. They first used UPPAAL to identify bad scenarios by using several fixed combinations 4

We are stating the computation time not to compare it with a fully automatic approach (since our approach needs bad event order identification by the user), but to show that adding an event-order monitor does not significantly degrade the speed of model-checking.

272

S. Umeno

of parameters. They then identified three bad scenarios, depicted a diagram of them, and manually derived linear inequality constraints from the diagram. Then, to verify the correctness of the system under the derived constraints, they conducted a mechanical theorem-proving using PVS [16], by translating the UPPAAL model into PVS code. Though they succeeded in proving the correctness of the protocol under the derived constraints, they required 37 inductive invariants, consisting of several group of invariants that they needed to prove together. Their first verification attempt needed more than 4000 steps of human interactions with PVS. From our experience of a similar type of problem – inductive proof of safety properties for an I/O automaton (thought not timed) using PVS [17], we estimate that the total verification process took them considerably long time, probably in the order of one month. In [6], Brown and Pike presented semi-automated parametric verification of a biphase mark protocol using the SAL model-checker [15] and the Calendar Automata approach ([18,19]). By using the Calendar Automata approach, the user can embed the timing constraints of the system behavior in the real-time system using what the authors of [18] call the “calendar” which specifies the time of occurrence of events in the future. Since the model contains uninterpreted constants (timing parameters), the user cannot directly model-check this model, but the verification has to be done by finding inductive properties (though the proving process is completely automated). Brown and Pike [6] manually derived timing parameter constraints in a way similar to [3]. They then had to come up with five supporting inductive lemmas in order to prove the correctness of the protocol under the derived constraints.

5 Conclusion In this paper, we reported timing-parameter-constraint synthesis of the biphase mark protocol (BMP) using event order abstraction (EOA). BMP has repetitions of events with timing constraints (repeated detections of an edge) and 10 parameters, and these aspects of BMP disable a direct application of existing timed/hybrid model-checkers. By using EOA, we successfully synthesized the parameter constraints equivalent to those manually derived in [3]. The process was machine assisted in two ways: 1. Safety property verification under identified event order assumption was automatically conducted by the untimed model-checker built in SAL; and 2. Parameter constraint was automatically derived by out tool M E TEO R S using event order information from the first step. We compared the EOA approach with the inductive-reasoning approach, which is the only other approach that is successfully applied to BMP. For the inductive-reasoning approach, the user first needs to identify bad event orders (which are not necessarily all bad orders), and then manually derive sufficient timing-parameter constraints to exclude all bad scenarios. In addition, the properties to be proved or checked must be strengthened or the user needs auxiliary properties to be proved or checked, so that the reasoning becomes inductive. In general, constructing inductive properties requires human insights and some prior training on the inductive-proof methodology. Indeed, the lemmas presented in [6] include non-trivial inequalities over variables of the calendar. Identifying bad event orders is, in contrast, closer to constructing informal operational arguments, and needs less training than constructing inductive properties.

Machine-Assisted Parameter Synthesis of the Biphase Mark Protocol

273

We consider that identifying bad event orders is useful not only for the verification/synthesis process of EOA, but also for implementation engineers to understand what kind of undesirable scenarios can occur in the underlying system/protocol when parameters are badly tuned. With our tool M E TEO R S, the user can also know what constraint is sufficient to exclude each of the bad scenarios. For future work, we want to seek a way of automating identification of bad event orders. This automation requires the tool to find subsequences of counterexamples that are sufficient to exclude all bad executions, yet have enough information to derive reasonable constraints. Acknowledgment. First of all, I thank my supervisor, Prof. Nancy Lynch, for her patient guidance and fruitful advice on this research work. I also thank anonymous reviews for their helpful comments.

References 1. Moore, J.S.: A formal model of asynchronous communication and its use in mechanically verifying a biphase mark protocol. Formal Aspects of Computing 6(1), 60–91 (1994) 2. Umeno, S.: Event order abstraction for parametric real-time system verification. In: EMSOFT 2008: The 8th ACM & IEEE International Conference on Embedded Software, 1–10 (2008) A technical report version appears as MIT-CSAIL-TR-2008-048, Massachusetts Institute of Technology (July 2008) 3. Vaandrager, F.W., de Groot, A.: Analysis of a biphase mark protocol with UPPAAL and PVS. Formal Asp. Comput. 18(4), 433–458 (2006) 4. Zhang, D., Cleaveland, R.: Fast on-the-fly parametric real-time model checking. In: Proceedings of the 26th IEEE Real-Time Systems Symposium, pp. 157–166 (2005) 5. Lynch, N.A.: Distributed Algorithms. Morgan Kaufmann Publishers Inc., San Francisco (1996) 6. Brown, G.M., Pike, L.: Easy parameterized verification of biphase mark and 8N1 protocols. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006. LNCS, vol. 3920, pp. 58–72. Springer, Heidelberg (2006) 7. Henzinger, T., Preussig, J., Wong-Toi, H.: Some lessons from the HYTECH experience. In: Proc. of the 40th Annual Conference on Decision and Control, pp. 2887–2892. IEEE Computer Society Press, Los Alamitos (2001) 8. Ivanov, S., Griffioen, W.: Verification of a biphase mark protocol. Technical report (1999) 9. Hune, T., Romijn, J., Stoelinga, M., Vaandrager, F.W.: Linear parametric model checking of timed automata. In: Tools and Algorithms for Construction and Analysis of Systems, pp. 189–203 (2001) 10. Wang, F.: Symbolic parametric safety analysis of linear hybrid systems with BDD-like datastructures. Transactions on Software Engineering 31, 38–51 (2005) 11. Annichini, A., Bouajjani, A., Sighireanu, M.: TReX: A tool for reachability analysis of complex systems. In: Computer Aided Verification, pp. 368–372 (2001) 12. Spelberg, R., Toetenel, W.: Parametric real-time model checking using splitting trees. Nordic Journal of Computing 8, 88–120 (2001) 13. Collomb-Annichini, A., Sighireanu, M.: Parameterized reachability analysis of the ieee 1394 root contention protocol using trex. In: RT-TOOL 2001 (2001) 14. Manna, Z., Pnueli, A.: The Temporal Logic of Reactive and Concurent Systems: Specification. Springer, Heidelberg (1993)

274

S. Umeno

15. de Moura, L.M., Owre, S., Rueß, H., Rushby, J.M., Shankar, N., Sorea, M., Tiwari, A.: SAL 2. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 496–500. Springer, Heidelberg (2004) 16. Owre, S., Rushby, J.M., Shankar, N.: PVS: A prototype verification system. In: Kapur, D. (ed.) CADE 1992. LNCS, vol. 607, pp. 748–752. Springer, Heidelberg (1992) 17. Umeno, S., Lynch, N.A.: Proving safety properties of an aircraft landing protocol using I/O automata and the PVS theorem prover: A case study. In: Misra, J., Nipkow, T., Sekerinski, E. (eds.) FM 2006. LNCS, vol. 4085, pp. 64–80. Springer, Heidelberg (2006) 18. Dutertre, B., Sorea, M.: Timed systems in SAL. Technical Report SRI-SDL-04-03, SRI International (2004) 19. Dutertre, B., Sorea, M.: Modeling and verification of a fault-tolerant real-time startup protocol using calendar automata. In: Lakhnech, Y., Yovine, S. (eds.) FORMATS 2004 and FTRTFT 2004. LNCS, vol. 3253, pp. 199–214. Springer, Heidelberg (2004)

Exploiting Timed Automata for Conformance Testing of Power Measurements Matthias Woehrle, Kai Lampka, and Lothar Thiele Computer Engineering and Networks Lab, ETH Zurich, 8092 Zurich, Switzerland [email protected]

Abstract. For software development, testing is still the primary choice for investigating the correctness of a system. Automated testing is of utmost importance to support continuous integration and regression tests on actual hardware. For embedded systems, power consumption is a chief performance metric, which is tightly coupled to the hardware used and the software exploiting low power modes. Automated testing of power consumption requires to investigate its conformance to a specification. We employ timed automata for specifying the expected behavior of a real sensor node application, as well as for describing the power measurements obtained from its real-world implementation. Introducing computational optimizations, the presented approach allows to utilize standard model checkers for automated conformance testing of modeled systems and monitored power consumption of their implementations.

1

Introduction

This paper aims to develop a methodology for utilizing non-intrusive power measurements of low-power embedded systems to reason about their correctness. In the following, employed measurements are referred to as power traces, i. e., as timed traces [1] annotated with power measurements. Visual inspection of power traces or reference measurement-based methods are not suitable for the large amount of tests required for analyzing the various properties of software on several hardware platforms or in different test environments. Rather we aim at employing formal methods for an automated approach. However, we have to consider two challenges which often hamper exhaustive verification, if not making it infeasible in practice: (1) formal verification may suffer from the state space explosion problem and (2) power consumption of a system is a nonfunctional property with intrinsic uncertainty of measurements, i. e., variance in power consumption of hardware components, e. g., due to noise. Nevertheless formal methods support an expressive, concise and often compositional formulation of expected system behaviors. In this paper we employ timed automata 

We would like to thank Marius Mikucionis and Kim Larsen for their support on Uppaal and Simon Perathoner for interesting discussions. The work presented here was supported by the National Competence Center in Research on Mobile Information and Communication Systems (NCCR-MICS), a center supported by the Swiss National Science Foundation under grant number 5005-67322.

J. Ouaknine and F. Vaandrager (Eds.): FORMATS 2009, LNCS 5813, pp. 275–290, 2009. c Springer-Verlag Berlin Heidelberg 2009 

276

M. Woehrle, K. Lampka, and L. Thiele

for specifying a sensor node application and cross-check it with power traces obtained from a real-world implementation of the modeled system. Overall this targets to verify the conformance of a real system and its expected behavior by using standard model checkers. In case of a fail of such conformance tests, a diagnostic (debugging) trace is presented to the test engineer, who needs to determine whether the error is due to an implementation flaw or a modeling error in the specified expected behavior. Errors in the latter are exploited for incremental improvements on the model of expected behavior and refine the understanding of the actual system. The main objective of the here presented methodology is to non-intrusively detect implementation errors within the running system’s hard- and software by exploiting power measurements. However, especially when it comes to embedded system this is challenging: – The concrete state of the system is hidden, often it can solely be guessed, e. g., that all components are switched off. – The individual hardware components have different power modi, but it is only the sum of the individual power consumptions which can be measured. – Hardware components have differing non-functional properties, e. g., power consumption depends on manufacturing or environmental conditions. – Power consumption is continuous and closely coupled to interaction with the environment, e. g., if there is communication with neighboring sensor nodes. – Power measurements and the complexity of a system yields a high-degree of non-determinism, ruling out a comparison of pre-defined power traces and scenarios with the actual power consumption measured over time. – Measurements are subject of uncertainty and measurement inaccuracy. Our ultimate goal is to investigate the conformance between a power trace of a wireless sensor network application running on actual hardware and a specification of the expected behavior of the system. We exploit timed automata [2] for the power measurements and the specification and utilize a standard model checker for proving conformance, namely Uppaal [1]. To this end, the main contribution of this work can be summarized as follows: – We demonstrate the feasibility of conformance tests of power measurements of an embedded system, e. g., a sensor node running a standard wireless sensor network (WSN) application [3], to a specification of its assumed behavior. – We present our timed automata-based approach, which allows for automating the conformance test. – We discuss optimizations towards computational efficiency which is required when dealing with realistic scenarios as described in our case study.

2

Main Ideas

Power Trace Testing (PTT) as presented in this paper is the first approach to exploit physical attributes for testing the conformance of an embedded system implementation to a specification of its assumed behavior. In the following we

Exploiting Timed Automata for Conformance Testing




y==70

10

crrValue=100

5000

6000

7000

8000

9000

10000

11000

12000

y<=70

Sys on!

initial==true z=0, initial=false

z>=48000 z=0

y==117

send?

crrValue=200

sending!

receive?

y<=117 and ready == 2

off!

z=0 Receive

Time (ms)

No

Automatic Trace Generation Monitoring

Yes

event? ready++

RadioUp = 4000, RadioLow = 200, a=0

OFF

Counterexample

a<=50

RadioUp = 200, RadioLow = 0

a<

event? ready++

4

Power Measurement

Implementation

event? ready++

off?

Model Checker 2

Send

z=0

RadioOn z<=2000

IDLE z <= 50000

Automated Power Trace Verification

HW

HW

SW

?

- Power Consumption - Timing Annotations

SW - Component Usage - Control Flow - Timing Constraints

Description of expected behavior

0

y=0, ready=0, stateTrace = 2 IsInBounds() event!

SW-oriented

Current (mA)

20

HW-oriented

PT

Power Trace

277

Test description Environment

Fig. 1. Power Trace based Testing overview

outline the main ideas and mechanisms, which allow for fully automatizing the proposed procedure. Figure 1 provides an overview of PTT. It requires a formal model of the actually monitored power consumption and of the system. The system to be analyzed consists of its physical realization and embedding (lower left) and a specification of the assumed behavior (lower right). From the system’s implementation we can obtain measurements describing its power consumption over time, which can be automatically transformed into a formal model (left part) P T . Analogously, the specification of the assumed behavior can be formalized, yielding the system model (right part) Sys. Rather than a specification defined at design time, the formal model of the system specifies the behavior of the system as it is assumed by the design or test engineer. Investigating whether an execution of the system’s implementation complies to this formal specification requires to check if the monitored power trace (PT) is a valid behavior included in the system model. Hence, a joint analysis on the combined models is carried out which allows for testing the conformance between power trace and modeled behavior. 2.1

Foundations

In general, an embedded system including its power consumption is a hybrid system. The power consumption constitutes the continuous behavior and the discrete behavior are state transitions of hardware (HW) and software (SW). HW and SW additionally include timing constraints for individual states. Different to hybrid systems, power consumption cannot be simply described by single trajectories as their descriptions need to include state-dependent variances. These variances are introduced by noise inherent in measurements and HW variances imposed by manufacturing and environmental conditions. Hence, expected power consumption of HW modes is better specified by bounded intervals

278

M. Woehrle, K. Lampka, and L. Thiele

rather than single values. We propose the usage of timed automata (TA) [2] extended with data variables [1] mainly for the following reasons: – Reachability on timed automata is decidable, – Mature tools for timed automata verification are available and – Data variable annotations on locations allow a straight-forward formulation of upper and lower bounds on power consumption. In the following we detail on the employed models and their composition for executing the conformance test on the basis of a reachability query. System model. For structuring the system model Sys, we assume that it consists of a HW-oriented specification, capturing all states with varying power consumptions and a SW-oriented specification including the SW running on the target system and a specification of the system environment and specific tests. By composition of these models, we obtain a system model which describes all possible runs of the system under test. This includes the required timing behavior and the power consumption in different system states. 1. The HW-oriented parts of the model capture the essential states of the HW including the power consumption bounds of different operational modi and physical timing attributes. It may also include the associated low-level SW, e. g., HW component drivers, which refines the HW-oriented model by defining specific HW sequences and corresponding timing behavior. Our compositional modeling style supports a partitioning of the HW according to its different physical and low-level, logical units, e. g., by separately modeling a radio component and the microcontroller as described in the case study. In the following we denote such components, the corresponding TA respectively, as HW modules. 2. For the SW-oriented models, one approach would be to split the corresponding specification into SW automata that capture the behavior of different logical units of an application running on a target platform and into environment automata that capture the test specification and the behavior of the system environment. However, this strategy may result in a highly complex system model, the size of which hampers an efficient analysis. Therefore, we advocate the usage of a SW model which integrates the environment and the test specification in form of dedicated testcases. Employing testcase automata yields the advantage that one may restrict reachability to a subset of locations of the SW automata, yielding a lower complexity of the system model. It additionally tightens the specification of the expected behavior, i. e., it reduces the possible behaviors of the system. As an example the timed automaton in Fig. 7 models the application’s communication requirements to periodically turn on the radio for sending, receiving and otherwise, listen on its radio channel. For a testcase which does not allow for sending nor receiving as shown in Fig. 2, this reduces the SW automaton to mere wake-ups and hence can detect excessive radio on-time. HW modules and SW automata cooperate by synchronizing over dedicated transitions.

Exploiting Timed Automata for Conformance Testing

279

Power Trace model. The core of our approach is the automatic generation of a timed automaton P T from a time series of power measurements. The measurement instrument provides a time series of discrete samples at equidistant sample points. This time series can be converted into a state-based representation (cf. Sec. 2.4), i. e., a sequential timed automaton where sequential denotes that the model solely provides a single (timed) path of transitions leading from the initial to a terminal location. Testing for conformance. As pointed out above Sys is modeled as a network of co-operating timed automata extended with data variables. We define allowed up power consumption for each component in Sys as an interval hs = [hlow s , hs ] using variables for the lower and the upper bound. Power consumption and hence power bounds of the composed overall system Sys are the additive composition of the lower and upper bounds of the individual components (cf. Sec. 2.3 for details). For carrying out the conformance test, we jointly execute P T and Sys, where power measurements are introduced in P T using a variable, p. Hence, location changes within the concurrently executed P T and Sys model are only possible as long as the value of p complies with the upper and lower bound of the composed overall system Sys. This is achieved by making variable p global and employing location invariants for the HW modules of Sys. With respect to the semantics of Uppaal’s timed safety automata [1] this yields the following possibilities for the overall system to evolve: 1. The current system state accepts the current power consumption as defined by p, i. e., all location invariants are satisfied. 2. The set of potential target locations, connected to the currently held locations by an enabled transition, satisfy the current power consumption. Non-deterministically any TA of Sys may move to such a location. It is interesting to note, that this “unconstrained concurrency” is the reason that we do not employ synchronization for composing P T and Sys. Consequently Sys may freely change locations as long as the power consumption invariant holds. 3. The measured power consumption changes, which is implemented by enforcing a respective transition within TA P T and thereby updating p. (a) Either the invariants of the currently held locations are still valid, i. e., the HW modules reside in locations which conform to the update in power consumption. (b) Or a change of p would violate at least one location invariant of Sys, forbidding the execution of the respective transition within P T . For avoiding a deadlock HW modules make use of update locations which we implement with Uppaal’s urgent locations (cf. Fig. 6), where no time is allowed to pass. While being in an update location and experiencing an update of p, i. e., a change in location in P T , the respective HW module may traverse to the next location, as long as the invariant of the target location is satisfied. Otherwise the overall system deadlocks which is either imposed by preventing P T from executing its next transition or by Sys being trapped in an update location.

Current (mA)

280

M. Woehrle, K. Lampka, and L. Thiele 20 15 10 5 0 0

Wakeup pulse from 11.608s - 11.618s

2

4

6

8

10 Time (s)

12

14

Fig. 2. Harvester PT: (Large Peaks): Periodic wake-up of the radio every 1000 binaryms listening for ongoing traffic. (Small Peaks): Timer interrupts.

This allows for executing a reachability analysis on the composed overall model (P T ||Sys), where we check for the reachability of the terminal location of PT. A negative outcome may imply typical design and implementation flaws, but it can also be due to misconceptions in the modeled behavior. For negative answers model checkers commonly provide the fastest or shortest counterexample. However, in case of the Power Trace Testing we are interested in counterexamples of maximal length w. r. t. P T . Such a counterexample represents the longest execution path that does not lead to an inconsistency between the system specification and the power measurements. This means all previous power measurements are explained by specified states, so the error most probably happened after this execution as exemplified in the testcases in Sec. 3.4. A possible method to receive this information is to first label the locations of P T , and subsequently repeatedly check for the reachability of a state carrying the label of the next location utilizing some search strategy such as binary search. 2.2

Computational Efficiency

In order to apply PTT to realistic scenarios, techniques need to be devised that allow for reasonable computational effort. The complexity of PTT is caused by the solution of the underlying reachability problem and is sensitive to the size of the input model, especially of P T . The following techniques and assumptions help to reduce the complexity: (A) Distinguishable consumers. Each power measurement in a power trace describes the power consumption of several individual components. If each individual component has a comparable power contribution, the PT values cannot be directly associated with the internal states of the system. Hence, the number of paths that need to be considered in the reachability analysis increases, as more locations must be considered as potential target locations. This is due to the fact that the power consumption of the composed model is the sum of the individual contributions of each component. In heterogeneous embedded systems such as wireless sensor nodes, there are very often components with vastly different power consumptions: The radio in a sensor node consumes an order of magnitude more power than the microprocessor. This is exploited in our radio models where the characteristic power-on pattern (cf. Fig. 5 (left)) allows for exposing internal state. Note that this is not an inherent feature of our approach

Exploiting Timed Automata for Conformance Testing

281

but rather a characteristic of a given class of systems the considered sensor nodes are a part of. (B) Annotating the PT. A system residing for most of its lifetime in a dedicated lower-power state provides a dedicated system state, which we can use for annotating the PT. In addition, further measurements, e. g., externally accessible input/output signals, may be used to restrict the set of potential system states. This information can either be collected in an additional timed trace or to directly annotate the PT. The size of the composed timed automata models is dominated by the PT model. The size of a measured power trace is prohibitive as (a) typical lab instruments provide a resolution in the order of microseconds (us) down to nanoseconds (ns), (b) the measurement noise leads to frequent changes of the power level which leads to frequent state transitions. As a result, compressing millions of data points into a processable number of locations in P T is substantial for utilizing a standard model checker. In order to reduce the number of locations in the sequential PT, we segment the value range of power measurements into intervals and use for representation only the average value of the interval in which a particular measurement is included. We show a technique for minimizing such an interval-based representation in Sec. 2.3. An additional benefit is that consecutive readings inside an interval can be represented by a single power consumption value and the number of readings. We refer to these 2-tuples of value representation and according duration as power locations. Each power location creates one location in P T , where the power consumption annotation is assigned on its entering transition. The duration is annotated by clock invariants on the location and its exit transition. An example is shown in Fig. 4, where the first power location holds a value of 100uA for 70 consecutive samples, i. e., 1.4ms. 2.3

Bounded Power Consumption of Composed HW Modes

We annotate each HW mode with an interval in order to allow for variances in power consumption. Each location of a TA modeling some HW component is associated with a respective interval. The intervals of TA j build a a set of power up intervals Hj with members Hj,k := [hlow j,k , hj,k ], where k is the index of the respective component-local interval. When executing the network of TA describing the HW of a system, the overall system state must be annotated with its power consumption interval. This is achieved by summing over the upper and lower bounds of the locations currently held by the composed system. As an example, in our case study we compose two concurrent components, a microcontroller and a radio component. Additive composition for these two components is straightforward, up up low e.g. in case of the two modules we have: H1,j + H2,k := [hlow 1,j + h2,k , h1,j + h2,k ], where j and k are the indices of the power intervals to be composed. This is used in our case study for a sensor node with two components, a radio and a microcontroller as depicted in the invariant function in the upper left of Fig. 6. Since

282

M. Woehrle, K. Lampka, and L. Thiele 1 HW interval : i=1

2 HW intervals: i=2

hHW,1

GCI11

GCI21

2 HW intervals: i=2

hHW,2 hHW,1

GCI31

GCI12

GCI22

GCI32

GCI42 GCI52

GCI12

GCI22 GCI32

GCI42

hHW,2 hHW,1

GCI52

Fig. 3. Adding a HW interval hHW,2 to 3 greatest common intervals always creates 5 intervals if there is no coincidence of bounds

bounds are additively composed, power intervals may not be disjoint. Hence, the number of power intervals is  bounded by the product of the cardinality of each component model: nHW ≤ 1≤j≤ncomp |Hj |, where ncomp is the number of HW-modules, or TAs respectively, to be composed. The intervals need to be determined before generating the P T automaton. The intervals and in particular their bounds are an input to Alg. 1 (GCI), which generates P T from the measurements. For keeping the number of power intervals as small as possible we exploit the concept of greatest common intervals (GCIs) [5], whereby a set of non-disjoint intervals is transformed into a (minimal size) set of disjoint intervals. Fig. 3 exemplifies the procedure when transforming a non-disjoint partitioning of a finite domain into a disjoint partitioning by introducing GCIs. The (possibly) non-disjoint power intervals are indicated by solid lines, i. e., in the left picture we have a single power interval hHW,1 , and two non-disjoint power intervals in the middle and right part. By introducing a set of GCIs we can transform the non-disjoint into a disjoint partitioning, where the GCIs are indicated by dashed lines; superscripts and iteration variable i refer to the number of added power intervals. As exemplified by Fig. 3 and easily proven by induction the number of GCIs is bounded by 2nHW + 1. If we further consider the number of boundary coincidences ncoinc , which can be determined by simply counting the number of coincidences in power interval boundaries, we can refine the bound to 2nHW + 1 − ncoinc . Power measurements are in principle samples from a continuous domain but analog-to-digital conversion of measurement equipment provide a discrete representation. This results in a transformation of the obtained measurements, resulting in a granularity of step-width δ and yielding a finite discrete domain D for the power values (D ⊂ N0 ), where the introduced power intervals need to up respect this, i.e. hlow j,k = u · δ and hj,k = v · δ, for some u, v ∈ D : u < v and the chosen step-width δ. Power intervals and δ typically have a unit such as mW , but we can safely abstract from this, justified by a consistent transformation of power intervals bounds and obtained measurements. As shown in our case study, we can significantly reduce the size of the representation of a power trace utilizing a GCI-based interval approach. Table 1 in Sec. 3.4 shows the significant difference to a simple segmentation representation using discrete steps with δ = 100 and D = {x : x ∈ N ∧ 0 ≤ x ≤ 30000} (in uA)), which results in significantly larger models (3 to 6.7-times larger).

Exploiting Timed Automata for Conformance Testing

2.4

283

Power Trace Automaton P T

In order to decrease variance introduced by noise, we perform moving average filtering.1 The techniques described in Section 2.2 and 2.3 have been used to construct P T from the filtered samples. In particular, the mentioned abstraction mechanisms allow for reducing the complexity of a trace, which compresses millions of data points into a processable number of locations. For automating this procedure we employ the following algorithm, which creates a list of power locations given the measurement samples and the GCI boundaries discussed in Sec. 2.3. Each power location, consisting of the value representation (crrV alue) and its duration (crrDuration) yields a location of P T . The array of power locations is added to a given Uppaal model using ruby and REXML. For exemplification please refer to Fig. 4. Algorithm 1. Generating power trace automaton P T powerV alue, crrV alue ← 0, crrDuration ← 0, powerLocations = [], j ← 0 for all measurements m do i←0 while m > GCI[i] do i← i+1 end while powerV alue ← 0.5 · (GCI[i] + GCI[i − 1]) if j == 0 then crrV alue ← powerV alue end if if crrV alue == powerV alue then crrDuration ← crrDuration + 1 else powerLocations[j] = newpowerLocation(crrV alue, crrDuration) crrV alue ← powerV alue, crrDuration ← 1, j ← j + 1 end if end for

crrValue=100, y=0, stateTrace = 1 crrValue=100, y=0, stateTrace = 0 y<=0

y==0

crrValue=200, y=0, stateTrace = 2 y<=70

y==70

y<=117

y==117

Fig. 4. Extracted example trace. Current draw in uA, clock ticks represent 20 us.

3

A Sensor Node Case Study

In this case study, we consider a typical wireless sensor node, a Tmote Sky, featuring a TI MSP430 low power microcontroller and a packet-based, TI CC2420 radio. We choose a standard WSN application, Harvester [3], which collects data from individual sensor nodes to one or more data sinks for monitoring. Harvester is an open-source project running on the TinyOS 2 operating system. Harvester 1

The moving average filter is optimal for reducing random noise yet maintaing sharp step responses. The parameterization of a window of 16 consecutive samples is chosen based on the ratio of hardware operation lengths to the short sample time of 20 us.

284

M. Woehrle, K. Lampka, and L. Thiele

is based on the standard TinyOS multi-hop routing protocol and an adapted, synchronized Low Power Listening (LPL) MAC protocol. 3.1

Experimental Setup

In this paper we use a simplified version of Harvester, which does not use the analog-to-digital converter to read sensor values but simply sends a given value periodically. Thus we can reduce the components modeled to the two main contributors, the microcontroller and the radio. Other components such as LEDs, sensors or the external flash are persistently powered off and are not included within the analysis. In our tests the power consumption of a sensor node is monitored by the voltage drop across a MHP201R0F 1Ω (±1% tolerance) shunt resistor measured by a digital multimeter (Agilent 34411A). We measure current consumption under a constant supply voltage and use current draw and power consumption interchangeably in the following. A node is monitored for 20 sec, due to the limited storage depth of samples by the multimeter at 106 data points. A series of measurements is presented in Fig. 2. As can be seen from these wake-ups, Harvester is configured with a wake-up period of 1000 binary ms or approximately 0.977s. 3.2

Modeling the Harvester

We model the Harvester as networks of timed automata and use reachability queries in (T)CTL as accepted by Uppaal. The Harvester is a complex system running an intricate SW stack on top of a heterogeneous embedded system. We manage the complexity of the system through an abstract representation of expected behavior and component decomposition. In particular, we differentiate between HW-oriented models capturing the low-level behavior of individual HW components and the corresponding low-level SW, SW-oriented models, representing the application-level SW as well as the environment and testcase. Note that there is no claim on the soundness of abstraction and decomposition. As previously described, our system model is not a formal specification, but rather a specification of assumed behavior which is itself subject to refinements or improvements as pointed out in the previous section. Modeling the hardware. The sensor node HW is modeled as a network of timed automata. Each location in a HW component automaton has associated power bounds. Power consumption values for annotating the power bounds of the timed automata are based either on the data-sheet provided by the manufacturer or on characterization measurements. The system power consumption is the sum of the individual contributions as shown in the invariant in the upper left of Fig. 6. For the analysis of the Harvester, we need to model the microcontroller and the radio focussing on their power modi aspects to distinguish whether they are performing work, are idle or are powered off. The microcontroller has three locations: a low power location (OFF and LP), which represents the processor turned off or in one of the MSP430 low power modes (lpm1-4). In the IDLE location,

Exploiting Timed Automata for Conformance Testing

20

20 15

15 Current (mA)

Current (mA)

285

10

10

5 5

0 11.608 11.609 11.61 11.611 11.612 11.613 11.614 11.615 11.616 11.617 11.618 Time (s)

0

10

11

12

13

14

Fig. 5. (Left) Magnified section of a power trace where a sensor node powers on the radio (Right) Zooming out on power trace of different operations e. g., sending and periodic listening

bool IsInBounds(){ if(crrValue >= RadioUp+MCUp or crrValue < RadioLow+MCLow) return(false); return(true); }

EFD RadioUp = 20400, RadioLow = 12900 RadioUp = 16000, RadioLow = 11600

IsInBounds()

ActualTransmit

IsInBounds() RadioUp = 22800, RadioLow = 11600

SEND

IsInBounds()

sending? IsInBounds() RadioUp = 23800, RadioLow = 15000

RadioUp = 21700, RadioLow = 16000

AttemptSend

VOLTAGE_REG a <= 50 && IsInBounds()

OFF

RadioUp = 4000, RadioLow = 200, a=0

IsInBounds()

IDLE_TRANSITION a <= 100 && IsInBounds()

RadioUp = 1800, RadioLow = 0

STARTUP a<= 150 && IsInBounds()

RadioUp = 6000, RadioLow = 200

RadioUp = 16000, RadioLow = 6000

TRANSITIONING_UP a <= 200 && IsInBounds()

RadioUp = 21700, RadioLow = 16000

RadioUp = 20400, RadioLow = 12900

on? IsInBounds()

off? RadioUp = 200, RadioLow = 0

TRANSITIONING_DN a <= 50 && IsInBounds()

RadioUp = 16000, RadioLow = 200, a=0

LISTEN_and_RECEIVE

Fig. 6. Timed automaton model for the radio component (Chipcon CC2420) of the sensor node. Current consumption in uA, clock ticks represent 20 us.

the CPU is active and all clocks are enabled, but no computation is performed. The ON location denotes the power consumption of the microcontroller while performing computations. We refrain from timing models for the microcontroller as transition times between the different modes are small. Figure 6 shows the model of the CC2420 radio. On the lower left of the figure is the initial location, which represents the radio being powered off. The lower half of the automaton models the startup of the radio (cf. Fig. 5 (left)) until it reaches the default power-on location to the lower right (LISTEN AND RECEIVE).The upper half describes the power consumption during the sending of a packet. The sequencing of steps in a single transmission uses a specification of the low-level radio driver of the radio to restrict possible state sequences. The naming of the locations is chosen accordingly: AttemptSend is the location where the clear channel assessment is performed. ActualTransmit is the location where the packet is transmitted, while EFD signifies a detected End Frame Delimiter, the end of the transmission. Modeling software. In our SW model we make use of binary channels for controlling the HW model. In Uppaal binary channels implement a rendezvous

286

M. Woehrle, K. Lampka, and L. Thiele

mechanism, i. e., a sender and receiver jointly execute the respective transitions. For exemplification one may refer to Fig. 6, where turning on and off the radio is achieved by binary channels. Sending is indicated with a channel label followed by an exclamation mark, e. g., the SW turns on the radio via the symbol on! in Fig. 7. Each binary synchronization requires an enabled sender and receiver transition, i. e., when the SW requires a transition of the radio, the receiving edge in the radio model must be enabled. If this is not the case the respective transition is blocked from execution due to the Uppaal synchronization semantics. Due to the event-based, interrupt-driven nature of embedded systems, a representation of every possible program flow is difficult and error-prone. Numerous possible interleavings are incurred by SW running in a preemptable context. Moreover, differing semantics of the operating system scheduler considering HW interrupts, SW interrupts and deferred procedure calls as in TinyOS 2 make a comprehensive representation of a sensor node application impractical. Instead, we focus on certain aspects of the system, which considerably simplifies the SW modeling. In the following we therefore focus on the LPL MAC protocol of the Harvester. The MAC protocol is merely dependent on the radio HW. Its simplified operations, i. e., its use of the radio HW, may be described in a declarative way: The radio should listen to the channel every second, if it is neither receiving nor sending. The on period should maximally last for 4 ms. In any other case, the radio should be turned off. This behavior is modeled in the automaton illustrated in Fig. 7. It consists of four distinct locations OFF, RadioOn, Send and Receive. When no communication is performed, the system toggles between OFF and RadioOn which is achieved in Fig. 7 with the cycle containing the respective locations. As the specification describes, the SW is expected to exit the OFF mode about every second, which is modeled as an invariant on the OFF location. Secondly, the invariant is added to have the radio in RadioOn for at most 4 ms. Note that this cycle within Fig. 7 includes a mode switch: Strict timing requirements are only enforced on consecutive wake-ups. Initially and on intermediate send and receive operations, the requirements on being turned off for most of the period is disabled using the boolean variable initial on exiting OFF location. The remaining part for the given SW model is dedicated to the radio’s receiving or sending. This is achieved by equipping location RadioOn with two outgoing transitions send? and receive?. However, as enforced by Uppaal’s synchronization semantics, these transition can only be executed, if the signals send! and receive! are present. To do so one may specify some testcase automaton. Such a testcase automaton may non-deterministically emit the required signals or impose some restrictions on the timing. The illustrated Harvester LPL SW model is simple due to its focus on a single functionality. Nevertheless it is a representative example of a SW model in that it (1) defines the (de)activation of components (on! /off ! ), (2) defines a sequence of locations (e. g., OFF- RadioOn- OFF- . . .), (3) features an additional, restrictive time bound on HW locations (RadioOn) and (4) specifies intervals between locations. Modeling test specifications. As pointed out before we emphasize the usage of testcase automata for reducing the set of possible behaviors. For the ’Wake-up’

Exploiting Timed Automata for Conformance Testing initial==true z=0, initial=false

287

Send z=0, initial = true

on!

z>=48000 z=0 sending! send?

OFF

RadioOn z<=2000

z <= 50000

receive?

z=0, initial = true off! Receive

Fig. 7. Software formulation of the radio functionality

testcase (cf. Fig. 5 (left)), we use an empty testcase automaton, which yields that the LPL MAC protocol as specified in Fig. 7 is restricted to the locations IDLE and RadioOn. This is because the SW model never receives a signal from the environment to synchronize with. This basically models that the radio silently waits for incoming traffic. For analyzing a complex scenario (cf. Fig. 5 (right)), where packets are sent and received non-deterministically, we add testcase automata for emitting the respective send! and receive! signals. For the sake of simplicity, the HW and SW models shown exhibit a single initial location such as the OFF location for the radio SW model (cf. Fig. 7). In general, the PT may start at any system location and the system models need to accommodate for this fact. A single initial location is entered, which can unconditionally traverse to any other automaton location and setting required context along the initial transition, e. g., the power bounds for a HW automaton or the required synchronization for the SW models. 3.3

Power Trace-Based Testing

P T is coupled to the system model Sys through its power consumption annotation: crrValue in Fig. 4. The invariant IsInBounds (cf. Fig. 6) enforces that a power consumption measurement in a given power location is explained by the specification. Uppaal is used to compute whether the final location of the P T is reachable. For simplicity we enumerate the locations P T (stateTrace in Fig. 4) and define a Boolean variable traceTerminal which is set to true once P T enters its final location. The reachability query can be formulated in Uppaal as E<> traceTerminal. In case the terminal location of the P T is not reachable, Uppaal also provides a counterexample for the query. However, Uppaal provides any path, or the shortest paths in time or number of transitions leading to the respective deadlock, where traceTerminal == false holds. For debugging, we are interested in the longest counterexample which is still accepted by our model. The longest counterexample cannot be directly determined, i. e., searching for the longest counterexample is an optimization problem. We use binary search to find the longest path based on the enumeration of power locations. We employ scripted, iterative calls of Uppaal with an auto-generated query-file consisting of the reachability analysis for a location carrying the respective state enumeration.

288

M. Woehrle, K. Lampka, and L. Thiele Table 1. Comparison of interval-based partitioning and for fixed 100uA steps Model Wake-up Inject Complex Trace MC state Specification

3.4

Samples 1000000 990000 310000 1000000 1000000

Compression Runtime Intervals 100uA steps Intervals 100uA steps 2089 13812 8s 182s 2040 13666 5s 167s 21811 89678 15min Fails 1086 5539 4s 22s 1478 4578 7s 22s

Results of the Case Study

We discuss five different testcases in the following section. Overall performance results are summarized in Table 1 comparing our interval-based approach to a simple segmentation of power measurement values in 100uA steps. First, the number of locations in P T is presented, which can be compared to the number of power measurement samples on the left. The interval-based approach considerably reduces the number of locations in P T , which results in a significant performance gain, i. e., a one order of magnitude speed-up for the reachability analysis. Secondly, for complex scenarios as the ’Complex Trace’ testcase, a simple representation of the power measurements yields a model, which is too large as Uppaal only allows for models with maximally 65535 locations. Only the optimized interval-based approach allows for a reachability analysis. Radio software testing. First, we test the ’Wake-up’ PT in Fig. 2. After validating the PT, we create a new trace by manually injecting an error (’Inject’). We remove a single wake-up in the trace, between 11.6 and 11.62 seconds, which is marked in the figure. This injection models differences in temporal behavior. Hence, we prolong the sleep interval representing defects such as missed interrupts or not setting the timer correctly. Uppaal verifies that this trace does not accord to its specification. We use binary search to determine the last valid state that can be reached as 11.63s. This is shortly after the missing wake-up. Hence, we can conclude that a temporal requirement of the specification is not met due to a missing wake-up. Note that we are not restricted to simple examples. The elaborate trace (’Complex Trace’) shown in Fig. 5 (right) is analyzed using our general SW model as presented in Fig. 7. In this case, we utilize additional testcase automata, which allow for receiving and sending at any instant in time. Testing microcontroller low-power states. One of the common errors in programming low power embedded systems is to forget to transfer the HW into a low power state. Given a testcase where no substantial processing is performed (’MC state’), we can formulate a declarative specification of microcontroller operation: The processor should be maximally turned on for 10 ms at a time. Subsequently it should be in a low power state for at least 2 ms. We can determine whether the microcontroller is operated correctly in a given PT. For validating

Exploiting Timed Automata for Conformance Testing

289

this approach, we inject an error into the low power scheduler by sometimes substituting lpm4 with a regular idle mode. In these specific sleep intervals, the system draws an additional current of about 1.8mA. This is detected by our PTT, since a prolonged current draw can only be explained by an idle processor, which is prohibited by the specification. Specification error. As a final testcase for our approach (’Specification’), we show an application of PTT detecting an unexpected use of a HW component which has not been modeled. This illustrates the capability of our approach to detect issues related to failures in the HW and/or SW modeling. In particular, we analyze the execution of a development version of Harvester. During the sampling routine of the sensors, the development code turns on one of the LEDs for visual inspection. Since the LED is not included in our HW model, the reachability query fails. We determine the last reachable state in interval [14.592s, 14.617s].This is exactly where the development code switches on the LED. Hence, we can identify HW model issues, which can be revealed by an unexplainable power consumption pattern as in the case of the LED.

4

Related Work

In [4], we showed a first approach for testing using power traces: By using previous measurements or a linear model of power consumption, a reference trace can be defined. By allowing for deviation in time and measured value, upper and lower bounds can be determined, where monitored power traces must be included. This approach is valid as long as there is a single, deterministic testcase or execution. However, this is a significant restriction as described in Sec. 1. Our work is related to the Uppaal-based conformance testing framework TRON [6]. TRON is a tool for black-box conformance testing of timed systems based on Uppaal. TRON checks whether the timed sequence of output symbols of a trace is producible by the specification at the same instant in time. In our approach power consumption is associated with locations, where the current level of power consumption must hold for all locations in Sys to be visited until P T changes its location, i. e., power consumption. For achieving this within TRON one would need to model power consumption as state invariant, which must hold until the PT automation defines a new level of power consumption. This can be achieved by discretizing time, possibly blowing up the complexity of the procedure. Due to this difference, we refrain from a TRON based implementation.

5

Conclusions

In this work, we have presented a new approach to automatically test the power consumption of embedded systems. We use a formal specification of the system under test. The models contain the power consumption of individual hardware components of an embedded system as well as their functional dependencies. The compliance of test runs of the embedded systems with the specification is

290

M. Woehrle, K. Lampka, and L. Thiele

analyzed by checking its conformance based on passively collected power measurements. The specification as well as the trace are described as timed automata extended with data variables. The Uppaal model checker is used for investigating the conformance of power measurements to the system model. In future work, we will attempt to remove some of the current limitations and shortcomings of the Power Trace Testing, and further improve the computational efficiency.

References 1. Bengtsson, J.E., Yi, W.: Timed automata: Semantics, algorithms and tools. In: Desel, J., Reisig, W., Rozenberg, G. (eds.) Lectures on Concurrency and Petri Nets. LNCS, vol. 3098, pp. 87–124. Springer, Heidelberg (2004) 2. Alur, R., Dill, D.L.: Automata For Modeling Real-Time Systems. In: Proc. of the 17th ICALP, pp. 322–335. Springer, Heidelberg (1990) 3. Lim, R., Woehrle, M., et al.: Poster abstract: Harvester - low-power environment monitoring out of the box. In: Roedig, U., Sreenan, C.J. (eds.) EWSN 2009. LNCS, vol. 5432, pp. 29–30. Springer, Heidelberg (2009) 4. Woehrle, M., Beutel, J.: et al.: Power monitoring and testing in wireless sensor network development. In: WEWSN 2008 (June 2008) 5. Strehl, K.: Symbolic Methods Applied to Formal Verification and Synthesis in Embedded Systems Design. PhD thesis, ETH Zurich (March 2000) 6. Hessel, A., Larsen, K.G., et al.: Testing real-time systems using UPPAAL. In: Hierons, R.M., Bowen, J.P., Harman, M. (eds.) FORTEST. LNCS, vol. 4949, pp. 77–117. Springer, Heidelberg (2008)

Author Index

Asarin, Eugene

13

Lampka, Kai 275 Lanotte, Ruggero 118 Larsen, Kim G. 73 Li, Guangyuan 228 Lime, Didier 28

Benattar, Gilles 28 Bjørner, Nikolaj 1 Bouillard, Anne 43 Braberman, V´ıctor 58 Bulychev, Peter 73

Majumdar, Rupak 164 Monteverde, Daniel 58 Moura, Leonardo de 1

Cassez, Franck 28 Chatain, Thomas 73 Chiplunkar, Ashish 88 Colombo, Christian 103

Neuh¨ außer, Martin R. Norman, Gethin 212

David, Alexandre 73 Degorre, Aldric 13 Dima, C˘ at˘ alin 118 Doyen, Laurent 133 Fr¨ anzle, Martin

Olivero, Alfredo

Jain, Chinmay

58

Pace, Gordon J. 103 Pappas, George J. 12 Parker, David 212

149

Quaas, Karin

Ganty, Pierre 164 Garbervestky, Diego 58 Gaubert, St´ephane 7 Geeraerts, Gilles 133 G´ omez, Rodolfo 179 Haar, Stefan

195

243

Raskin, Jean-Francois Reichert, Julien 133 Rosario, Sidney 43 Roux, Olivier H. 28

133

43 Schneider, Gerardo Swaminathan, Mani

88

Katoen, Joost-Pieter 195 Kicillof, Nicol´ as 58 Klink, Daniel 195 Krishna, Shankara Narayanan Kwiatkowska, Marta 212

Thiele, Lothar Umeno, Shinya

103 149

275 258

88 Woehrle, Matthias

275