timed automata Œ from theory to implementationbouyer/files/bouyer_chennai.pdf · timed automata,...
TRANSCRIPT
![Page 1: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/1.jpg)
Timed Automata – From Theory
to Implementation
Patricia Bouyer
LSV – CNRS & ENS de CachanFrance
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.1
![Page 2: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/2.jpg)
Roadmap
Timed automata, decidability issues
Some extensions of the model
Implementation of timed automata
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.2
![Page 3: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/3.jpg)
Timed automata, decidability issues
presentation of the model
decidability of the model
the region automaton construction
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.3
![Page 4: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/4.jpg)
Timed automata
x, y: clocks [Alur & Dill - 1990’s]
p q
y < 4, a, x := 0
x = 5, b
c, y := 0
guard action reset
pa−−→
3.2q
c−−→5.1
qb−−→
8.2p . . .
value of x 0 0 1.9 5 . . .
value of y 0 3.2 0 3.1 . . .
➜ timed word (a, 3.2)(c, 5.1)(b, 8.2)...
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.4
![Page 5: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/5.jpg)
Timed automata
x, y: clocks [Alur & Dill - 1990’s]
p q
y < 4, a, x := 0
x = 5, b
c, y := 0
guard action reset
pa−−→
3.2q
c−−→5.1
qb−−→
8.2p . . .
value of x 0 0 1.9 5 . . .
value of y 0 3.2 0 3.1 . . .
➜ timed word (a, 3.2)(c, 5.1)(b, 8.2)...
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.4
![Page 6: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/6.jpg)
Emptiness checking
Emptiness problem: is the language accepted by a timed automaton empty?
reachability properties (final states)
basic liveness properties (Büchi (or other) conditions)
Theorem: The emptiness problem for timed automata is decidable.It is PSPACE-complete.
[Alur & Dill 1990’s]
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.5
![Page 7: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/7.jpg)
Emptiness checking
Emptiness problem: is the language accepted by a timed automaton empty?
reachability properties (final states)
basic liveness properties (Büchi (or other) conditions)
Theorem: The emptiness problem for timed automata is decidable.It is PSPACE-complete.
[Alur & Dill 1990’s]
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.5
![Page 8: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/8.jpg)
The region abstraction
0 1 2 3 x
1
2
y
Equivalence of finite index
“compatibility” between regions and constraints
“compatibility” between regions and time elapsing
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.6
![Page 9: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/9.jpg)
The region abstraction
0 1 2 3 x
1
2
y
Equivalence of finite index
“compatibility” between regions and constraints
“compatibility” between regions and time elapsing
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.6
![Page 10: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/10.jpg)
The region abstraction
0 1 2 3 x
1
2
y
Equivalence of finite index
• •
“compatibility” between regions and constraints
“compatibility” between regions and time elapsing
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.6
![Page 11: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/11.jpg)
The region abstraction
0 1 2 3 x
1
2
y
Equivalence of finite index
• •
“compatibility” between regions and constraints
“compatibility” between regions and time elapsing
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.6
![Page 12: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/12.jpg)
The region abstraction
0 1 2 3 x
1
2
y
Equivalence of finite index
“compatibility” between regions and constraints
“compatibility” between regions and time elapsing
➜ a bisimulation property
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.6
![Page 13: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/13.jpg)
The region abstraction
0 1 2 3 x
1
2
y
Equivalence of finite index
region defined by
Ix =]1; 2[, Iy =]0; 1[
{x} < {y}
“compatibility” between regions and constraints
“compatibility” between regions and time elapsing
➜ a bisimulation property
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.6
![Page 14: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/14.jpg)
The region automaton
timed automaton⊗
region partition
qg,a,C:=0−−−−−−−→ q′ is transformed into:
(q,R)a−−−−→ (q′, R′) if there exists R′′ ∈ Succ∗t (R) s.t.
R′′ ⊆ g[C ← 0]R′′ ⊆ R′
L(reg. aut.) = UNTIME(L(timed aut.))
where UNTIME((a1, t1)(a2, t2) . . . ) = a1a2 . . .
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.7
![Page 15: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/15.jpg)
An example [AD 90’s]
0 1 x
1
y
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.8
![Page 16: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/16.jpg)
Partial conclusion
➜ a timed model interesting for verification purposes
Numerous works have been (and are) devoted to:
the “theoretical” comprehension of timed automata
extensions of the model (to ease the modelling)
− expressiveness
− analyzability
algorithmic problems and implementation
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.9
![Page 17: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/17.jpg)
Some extensions of the model
adding constraints of the form x− y ∼ c
adding silent actions
adding constraints of the form x+ y ∼ c
adding new operations on clocks
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.10
![Page 18: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/18.jpg)
Adding diagonal constraints
x− y ∼ c and x ∼ c
Decidability: yes, using the region abstraction
0 1 2 x
1
y
Expressiveness: no additional expressive power
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.11
![Page 19: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/19.jpg)
Adding diagonal constraints (cont.)
c is positive
x− y ≤ c
x := 0
y := 0
copy where x− y ≤ c
x := 0
y := 0
x ≤ c
x > cy := 0
x := 0
y := 0
copy where x− y > c➜ proof in [Bérard,Diekert,Gastin,Petit 1998]
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.12
![Page 20: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/20.jpg)
Adding diagonal constraints (cont.)
Open question: is this construction “optimal”?In the sense that timed automata with diagonal constraints
are explonentially more concise than diagonal-free timed automata.
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.12
![Page 21: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/21.jpg)
Adding silent actions
g, ε, C := 0
[Bérard,Diekert,Gastin,Petit 1998]
Decidability: yes (actions has no influence on the previous construction)
Expressiveness: strictly more expressive!
x = 1a
x := x− 1 0 < x < 1, b
x = 1, ε, x := 0
a
0 1
a b
2
b
3 4
a
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.13
![Page 22: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/22.jpg)
Adding constraints of the form x + y ∼ c
x+ y ∼ c and x ∼ c [Bérard,Dufourd 2000]
Decidability: - for two clocks, decidable using the abstraction
0 1 2 x
1
2
y
- for four clocks (or more), undecidable!
Expressiveness: more expressive! (even using two clocks)
{(an, t1 . . . tn) | n ≥ 1 and ti = 1− 12i}
x+ y = 1, a, x := 0
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.14
![Page 23: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/23.jpg)
The two-counter machine
Definition. A two-counter machine is a finite set of instructions over twocounters (x and y):
Incrementation:(p): x := x+ 1; goto (q)
Decrementation:(p): if x > 0 then x := x− 1; goto (q) else goto (r)
Theorem. [Minsky 67] The emptiness problem for two counter machines isundecidable.
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.15
![Page 24: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/24.jpg)
Undecidability proof
20 21 22 23 24 25 26 time
c c c c c c c c ccd ddd d dd d dd
c is unchanged c is incremented
d is decremented
➜ simulation of • decrement of d• increment of c
We will use 4 clocks: • u, “tic” clock (each time unit)• x0, x1, x2: reference clocks for the two counters
“xi reference for c” ≡ “the last time xi has been reset isthe last time action c has been performed”
[Bérard,Dufourd 2000]Chennai – january 2003 Timed Automata – From Theory to Implementation – p.16
![Page 25: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/25.jpg)
Undecidability proof (cont.)
Increment of counter c:
u = 1, ∗, u := 0
x2 := 0
x0 ≤ 2, u+ x2 = 1, c, x2 := 0
u+ x2 = 1
x0 > 2, c, x2 := 0
ref for c is x0 ref for c is x2
Decrement of counter c:
u = 1, ∗, u := 0
x2 := 0
x0 < 2, u+ x2 = 1, c, x2 := 0
u+ x2 = 1
x0 = 2, c, x2 := 0
u = 1, x0 = 2, ∗, u := 0, x2 := 0Chennai – january 2003 Timed Automata – From Theory to Implementation – p.17
![Page 26: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/26.jpg)
Adding constraints of the form x + y ∼ c
Two clocks: decidable! using the abstraction
0 1 2 x
1
2
y
Three clocks: open question
Four clocks (or more): undecidable!
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.18
![Page 27: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/27.jpg)
Adding constraints of the form x + y ∼ c
Two clocks: decidable! using the abstraction
0 1 2 x
1
2
y
Three clocks: open question
Four clocks (or more): undecidable!
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.18
![Page 28: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/28.jpg)
Adding new operations on clocks
Several types of updates: x := y + c, x :< c, x :> c, etc...
The general model is undecidable.(simulation of a two-counter machine)
Only decrementation also leads to undecidability
− Incrementation of counter x
z = 1, z := 0 z = 0, y := y − 1z = 0
− Decrementation of counter x
x ≥ 1 z = 0, x := x− 1z = 0
x = 0
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.19
![Page 29: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/29.jpg)
Adding new operations on clocks
Several types of updates: x := y + c, x :< c, x :> c, etc...
The general model is undecidable.(simulation of a two-counter machine)
Only decrementation also leads to undecidability
− Incrementation of counter x
z = 1, z := 0 z = 0, y := y − 1z = 0
− Decrementation of counter x
x ≥ 1 z = 0, x := x− 1z = 0
x = 0
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.19
![Page 30: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/30.jpg)
Adding new operations on clocks
Several types of updates: x := y + c, x :< c, x :> c, etc...
The general model is undecidable.(simulation of a two-counter machine)
Only decrementation also leads to undecidability
− Incrementation of counter x
z = 1, z := 0 z = 0, y := y − 1z = 0
− Decrementation of counter x
x ≥ 1 z = 0, x := x− 1z = 0
x = 0
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.19
![Page 31: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/31.jpg)
Decidability
y := 0 y := 1 x− y < 1
1
1
0
image by y := 1
➜ the bisimulation property is not met
The classical region automaton construction is not correct.
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.20
![Page 32: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/32.jpg)
Decidability (cont.)
A Diophantine linear inequations system
is there a solution?
if yes, belongs to a decidable class
Examples:
constraint x ∼ c c ≤ maxx
constraint x− y ∼ c c ≤ maxx,y
update x :∼ y + c maxx ≤ maxy +c
and for each clock z, maxx,z ≥ maxy,z + c, maxz,x ≥ maxz,y − c
update x :< c c ≤ maxx
and for each clock z, maxz ≥ c+ maxz,x
The constants (maxx) and (maxx,y) define a set of regions.
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.21
![Page 33: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/33.jpg)
Decidability (cont.)
y := 0 y := 1 x− y < 1
maxy ≥ 0
maxx ≥ 0 + maxx,y
maxy ≥ 1
maxx ≥ 1 + maxx,y
maxx,y ≥ 1
=⇒
maxx = 2
maxy = 1
maxx,y = 1
maxy,x = −1
The bisimulation property is met.1 2
1
0 x
y
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.22
![Page 34: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/34.jpg)
What’s wrong when undecidable?
Decrementation x := x− 1
maxx ≤ maxx − 1
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.23
![Page 35: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/35.jpg)
What’s wrong when undecidable?
Decrementation x := x− 1
maxx ≤ maxx − 1
••
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.23
![Page 36: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/36.jpg)
What’s wrong when undecidable?
Decrementation x := x− 1
maxx ≤ maxx − 1
••
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.23
![Page 37: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/37.jpg)
What’s wrong when undecidable?
Decrementation x := x− 1
maxx ≤ maxx − 1
••
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.23
![Page 38: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/38.jpg)
What’s wrong when undecidable?
Decrementation x := x− 1
maxx ≤ maxx − 1
••
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.23
![Page 39: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/39.jpg)
What’s wrong when undecidable?
Decrementation x := x− 1
maxx ≤ maxx − 1
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.23
![Page 40: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/40.jpg)
What’s wrong when undecidable?
Decrementation x := x− 1
maxx ≤ maxx − 1
etc...
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.23
![Page 41: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/41.jpg)
Decidability (cont.)
Diagonal-free constraints General constraints
x := c, x := y PSPACE-complete
x := x+ 1 PSPACE-complete
x := y + c Undecidable
x := x− 1 Undecidable
x :< c
PSPACE-complete
PSPACE-complete
x :> c
Undecidablex :∼ y + c
y + c <: x :< y + d
y + c <: x :< z + d Undecidable
[Bouyer,Dufourd,Fleury,Petit 2000]
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.24
![Page 42: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/42.jpg)
Implementation of Timed Automata
analysis algorithms
the DBM data structure
a bug in the forward analysis
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.25
![Page 43: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/43.jpg)
Notice
The region automaton is not used for implementation:
suffers from a combinatorics explosion(the number of regions is exponential in the number of clocks)
no really adapted data structure
Algorithms for “minimizing” the region automaton have been proposed...[Alur & Co 1992] [Tripakis,Yovine 2001]
...but on-the-fly technics are preferred.
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.26
![Page 44: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/44.jpg)
Notice
The region automaton is not used for implementation:
suffers from a combinatorics explosion(the number of regions is exponential in the number of clocks)
no really adapted data structure
Algorithms for “minimizing” the region automaton have been proposed...[Alur & Co 1992] [Tripakis,Yovine 2001]
...but on-the-fly technics are preferred.
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.26
![Page 45: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/45.jpg)
Notice
The region automaton is not used for implementation:
suffers from a combinatorics explosion(the number of regions is exponential in the number of clocks)
no really adapted data structure
Algorithms for “minimizing” the region automaton have been proposed...[Alur & Co 1992] [Tripakis,Yovine 2001]
...but on-the-fly technics are preferred.
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.26
![Page 46: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/46.jpg)
Reachability analysis
forward analysis algorithm:compute the successors of initial configurations
F
I
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.27
![Page 47: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/47.jpg)
Reachability analysis
forward analysis algorithm:compute the successors of initial configurations
F
I
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.27
![Page 48: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/48.jpg)
Reachability analysis
forward analysis algorithm:compute the successors of initial configurations
F
I
backward analysis algorithm:compute the predecessors of final configurations
I
F
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.27
![Page 49: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/49.jpg)
Reachability analysis
forward analysis algorithm:compute the successors of initial configurations
F
I
backward analysis algorithm:compute the predecessors of final configurations
I
F
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.27
![Page 50: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/50.jpg)
Note on the backward analysis of TA
` `′g, a, C := 0
←−−−−−−−−−−−−−−−−−−−−−[C ← 0]−1(Z ∩ (C = 0)) ∩ g Z
Z [C ← 0]−1(Z ∩ (C = 0))←−−−−−−−−−−−−−−−−−−−−−[C ← 0]−1(Z ∩ (C = 0)) ∩ g
The exact backward computation terminates and is correct!
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.28
![Page 51: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/51.jpg)
Note on the backward analysis of TA
` `′g, a, C := 0
←−−−−−−−−−−−−−−−−−−−−−[C ← 0]−1(Z ∩ (C = 0)) ∩ g Z
Z
[C ← 0]−1(Z ∩ (C = 0))←−−−−−−−−−−−−−−−−−−−−−[C ← 0]−1(Z ∩ (C = 0)) ∩ g
The exact backward computation terminates and is correct!
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.28
![Page 52: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/52.jpg)
Note on the backward analysis of TA
` `′g, a, C := 0
←−−−−−−−−−−−−−−−−−−−−−[C ← 0]−1(Z ∩ (C = 0)) ∩ g Z
Z [C ← 0]−1(Z ∩ (C = 0))
←−−−−−−−−−−−−−−−−−−−−−[C ← 0]−1(Z ∩ (C = 0)) ∩ g
The exact backward computation terminates and is correct!
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.28
![Page 53: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/53.jpg)
Note on the backward analysis of TA
` `′g, a, C := 0
←−−−−−−−−−−−−−−−−−−−−−[C ← 0]−1(Z ∩ (C = 0)) ∩ g Z
Z [C ← 0]−1(Z ∩ (C = 0))
←−−−−−−−−−−−−−−−−−−−−−[C ← 0]−1(Z ∩ (C = 0)) ∩ g
The exact backward computation terminates and is correct!
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.28
![Page 54: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/54.jpg)
Note on the backward analysis of TA
` `′g, a, C := 0
←−−−−−−−−−−−−−−−−−−−−−[C ← 0]−1(Z ∩ (C = 0)) ∩ g Z
Z [C ← 0]−1(Z ∩ (C = 0))←−−−−−−−−−−−−−−−−−−−−−[C ← 0]−1(Z ∩ (C = 0)) ∩ g
The exact backward computation terminates and is correct!
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.28
![Page 55: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/55.jpg)
Note on the backward analysis of TA
` `′g, a, C := 0
←−−−−−−−−−−−−−−−−−−−−−[C ← 0]−1(Z ∩ (C = 0)) ∩ g Z
Z [C ← 0]−1(Z ∩ (C = 0))←−−−−−−−−−−−−−−−−−−−−−[C ← 0]−1(Z ∩ (C = 0)) ∩ g
The exact backward computation terminates and is correct!
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.28
![Page 56: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/56.jpg)
Note on the backward analysis of TA (cont.)
IfA is a timed automaton, we construct its corresponding set of regions.
Because of the bisimulation property, we get that:
“Every set of valuations which is computed along the backwardcomputation is a finite union of regions”
But, the backward computation is not so nice, when also dealing withinteger variables...
i := j.k + `.m
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.29
![Page 57: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/57.jpg)
Note on the backward analysis of TA (cont.)
IfA is a timed automaton, we construct its corresponding set of regions.
Because of the bisimulation property, we get that:
“Every set of valuations which is computed along the backwardcomputation is a finite union of regions”
But, the backward computation is not so nice, when also dealing withinteger variables...
i := j.k + `.m
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.29
![Page 58: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/58.jpg)
Forward analysis of TA
` `′g, a, C := 0
Z [C ← 0](−→Z ∩ g)zones
A zone is a set of valuations defined by a clock constraint
ϕ ::= x ∼ c | x− y ∼ c | ϕ ∧ ϕ
Z −→Z
−→Z ∩ g [y ← 0](
−→Z ∩ g)
➜ a termination problem
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.30
![Page 59: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/59.jpg)
Forward analysis of TA
` `′g, a, C := 0
Z [C ← 0](−→Z ∩ g)zones
Z
−→Z
−→Z ∩ g [y ← 0](
−→Z ∩ g)
➜ a termination problem
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.30
![Page 60: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/60.jpg)
Forward analysis of TA
` `′g, a, C := 0
Z [C ← 0](−→Z ∩ g)zones
Z−→Z
−→Z ∩ g [y ← 0](
−→Z ∩ g)
➜ a termination problem
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.30
![Page 61: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/61.jpg)
Forward analysis of TA
` `′g, a, C := 0
Z [C ← 0](−→Z ∩ g)zones
Z−→Z
−→Z ∩ g
[y ← 0](−→Z ∩ g)
➜ a termination problem
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.30
![Page 62: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/62.jpg)
Forward analysis of TA
` `′g, a, C := 0
Z [C ← 0](−→Z ∩ g)zones
Z−→Z
−→Z ∩ g [y ← 0](
−→Z ∩ g)
➜ a termination problem
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.30
![Page 63: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/63.jpg)
Forward analysis of TA
` `′g, a, C := 0
Z [C ← 0](−→Z ∩ g)zones
Z−→Z
−→Z ∩ g [y ← 0](
−→Z ∩ g)
➜ a termination problem
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.30
![Page 64: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/64.jpg)
Non Termination of the Forward Analysis
y := 0,x := 0
x ≥ 1 ∧ y = 1,y := 0
0 1 2 3 4 5 x
1
2
y
➜ an infinite number of steps...
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.31
![Page 65: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/65.jpg)
“Solutions” to this problem
(f.ex. in [Larsen,Pettersson,Yi 1997] or in [Daws,Tripakis 1998])
inclusion checking: if Z ⊆ Z ′ and Z ′ still handled, then we don’t needto handle Z
➜ correct w.r.t. reachability
activity: eliminate redundant clocks [Daws,Yovine 1996]
➜ correct w.r.t. reachability
qg,a,C:=0−−−−−−−→ q′ =⇒ Act(q) = clocks(g) ∪ (Act(q′) \ C)
. . .Chennai – january 2003 Timed Automata – From Theory to Implementation – p.32
![Page 66: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/66.jpg)
“Solutions” to this problem
(f.ex. in [Larsen,Pettersson,Yi 1997] or in [Daws,Tripakis 1998])
inclusion checking: if Z ⊆ Z ′ and Z ′ still handled, then we don’t needto handle Z
➜ correct w.r.t. reachability
activity: eliminate redundant clocks [Daws,Yovine 1996]
➜ correct w.r.t. reachability
qg,a,C:=0−−−−−−−→ q′ =⇒ Act(q) = clocks(g) ∪ (Act(q′) \ C)
. . .
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.32
![Page 67: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/67.jpg)
“Solutions” to this problem (cont.)
convex-hull approximation: if Z and Z ′ are computed then weoverapproximate using “Z t Z ′”.
➜ “semi-correct” w.r.t. reachability
extrapolation, a widening operator on zones
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.33
![Page 68: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/68.jpg)
“Solutions” to this problem (cont.)
convex-hull approximation: if Z and Z ′ are computed then weoverapproximate using “Z t Z ′”.
➜ “semi-correct” w.r.t. reachability
extrapolation, a widening operator on zones
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.33
![Page 69: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/69.jpg)
The DBM data structure
DBM (Difference Bounded Matrice) data structure [Dill89]
(x1 ≥ 3) ∧ (x2 ≤ 5) ∧ (x1 − x2 ≤ 4)
x0 x1 x2
x0
x1
x2
+∞ −3 +∞+∞ +∞ 4
5 +∞ +∞
Existence of a normal form
3 4 9
5
2
0 −3 0
9 0 4
5 2 0
All previous operations on zones can be computed using DBMs
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.34
![Page 70: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/70.jpg)
The DBM data structure
DBM (Difference Bounded Matrice) data structure [Dill89]
(x1 ≥ 3) ∧ (x2 ≤ 5) ∧ (x1 − x2 ≤ 4)
x0 x1 x2
x0
x1
x2
+∞ −3 +∞+∞ +∞ 4
5 +∞ +∞
Existence of a normal form
3 4 9
5
2
0 −3 0
9 0 4
5 2 0
All previous operations on zones can be computed using DBMs
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.34
![Page 71: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/71.jpg)
The DBM data structure
DBM (Difference Bounded Matrice) data structure [Dill89]
(x1 ≥ 3) ∧ (x2 ≤ 5) ∧ (x1 − x2 ≤ 4)
x0 x1 x2
x0
x1
x2
+∞ −3 +∞+∞ +∞ 4
5 +∞ +∞
Existence of a normal form
3 4 9
5
2
0 −3 0
9 0 4
5 2 0
All previous operations on zones can be computed using DBMs
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.34
![Page 72: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/72.jpg)
The extrapolation operator
Fix an integer k (∗ represents an integer between−k and +k)
∗�� ��> k ∗
∗ ∗ ∗�� ��< −k ∗ ∗
∗�� ��+∞ ∗
∗ ∗ ∗�� ��−k ∗ ∗
“intuitively”, erase non-relevant constraints
2
2
II ensures termination
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.35
![Page 73: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/73.jpg)
The extrapolation operator
Fix an integer k (∗ represents an integer between−k and +k)
∗�� ��> k ∗
∗ ∗ ∗�� ��< −k ∗ ∗
∗�� ��+∞ ∗
∗ ∗ ∗�� ��−k ∗ ∗
“intuitively”, erase non-relevant constraints
2
2
II ensures termination
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.35
![Page 74: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/74.jpg)
The extrapolation operator
Fix an integer k (∗ represents an integer between−k and +k)
∗�� ��> k ∗
∗ ∗ ∗�� ��< −k ∗ ∗
∗�� ��+∞ ∗
∗ ∗ ∗�� ��−k ∗ ∗
“intuitively”, erase non-relevant constraints
2
2
II ensures termination
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.35
![Page 75: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/75.jpg)
Challenge
Propose a good constant for the extrapolation:
keep the correctness of the forward computation
Solution by the past: maximal constant appearing in the automaton
Several correctness proofs can be found
Implemented in tools like UPPAAL, KRONOS, RT-SPIN...
Successfully used on real-life examples
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.36
![Page 76: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/76.jpg)
Challenge
Propose a good constant for the extrapolation:
keep the correctness of the forward computation
Solution by the past: maximal constant appearing in the automaton
Several correctness proofs can be found
Implemented in tools like UPPAAL, KRONOS, RT-SPIN...
Successfully used on real-life examples
However...
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.36
![Page 77: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/77.jpg)
A problematic automaton
x3 ≤ 3
x1, x3 := 0
x2 = 3
x2 := 0
x1 = 2, x1 := 0
x2 = 2, x2 := 0
x1 = 2
x1 := 0
x2 = 2
x2 := 0
x1 = 3
x1 := 0
x2 − x1 > 2
x4 − x3 < 2Error
The loop
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.37
![Page 78: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/78.jpg)
A problematic automaton
x3 ≤ 3
x1, x3 := 0
x2 = 3
x2 := 0
x1 = 2, x1 := 0
x2 = 2, x2 := 0
x1 = 2
x1 := 0
x2 = 2
x2 := 0
x1 = 3
x1 := 0
x2 − x1 > 2
x4 − x3 < 2Error
The loop
v(x1) = 0
v(x2) = d
v(x3) = 2α+ 5
v(x4) = 2α+ 5 + d
x1
x2
x3 x4
[1; 3]
[1; 3]
[2α+ 5]
[2α+ 5]
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.37
![Page 79: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/79.jpg)
A problematic automaton
x3 ≤ 3
x1, x3 := 0
x2 = 3
x2 := 0
x1 = 2, x1 := 0
x2 = 2, x2 := 0
x1 = 2
x1 := 0
x2 = 2
x2 := 0
x1 = 3
x1 := 0
x2 − x1 > 2
x4 − x3 < 2Error
The loop
v(x1) = 0
v(x2) = d
v(x3) = 2α+ 5
v(x4) = 2α+ 5 + d
x1
x2
x3 x4
[1; 3]
[1; 3]
[2α+ 5]
[2α+ 5]
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.37
![Page 80: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/80.jpg)
The problematic zone
x1
x2
x3 x4
[1; 3]
[1; 3]
[2α+ 5]
[2α+ 5]
[2α+ 2; 2α+ 4]
[2α+ 6; 2α+ 8]
implies x1 − x2 = x3 − x4.
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.38
![Page 81: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/81.jpg)
The problematic zone
x1
x2
x3 x4
[1; 3]
[1; 3]
[2α+ 5]
[2α+ 5]
[2α+ 2; 2α+ 4]
[2α+ 6; 2α+ 8]
implies x1 − x2 = x3 − x4.
If α is sufficiently large, after extrapolation:
x1
x2
x3 x4
[1; 3]
[1; 3]
> k
does not implyx1 − x2 = x3 − x4.
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.38
![Page 82: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/82.jpg)
General abstractions
Criteria for a good abstraction operator Abs:
easy computation [Effectiveness]Abs(Z) is a zone if Z is a zone
finiteness of the abstraction [Termination]{Abs(Z) | Z zone} is finite
completeness of the abstraction [Completeness]Z ⊆ Abs(Z)
soundness of the abstraction [Soundness]the computation of (Abs ◦ Post)∗ is correct w.r.t. reachability
For the previous automaton,no abstraction operator can satisfy all these criteria!
[Bouyer03]Chennai – january 2003 Timed Automata – From Theory to Implementation – p.39
![Page 83: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/83.jpg)
General abstractions
Criteria for a good abstraction operator Abs:
easy computation [Effectiveness]Abs(Z) is a zone if Z is a zone
finiteness of the abstraction [Termination]{Abs(Z) | Z zone} is finite
completeness of the abstraction [Completeness]Z ⊆ Abs(Z)
soundness of the abstraction [Soundness]the computation of (Abs ◦ Post)∗ is correct w.r.t. reachability
For the previous automaton,no abstraction operator can satisfy all these criteria!
[Bouyer03]Chennai – january 2003 Timed Automata – From Theory to Implementation – p.39
![Page 84: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/84.jpg)
General abstractions
Criteria for a good abstraction operator Abs:
easy computation [Effectiveness]Abs(Z) is a zone if Z is a zone
finiteness of the abstraction [Termination]{Abs(Z) | Z zone} is finite
completeness of the abstraction [Completeness]Z ⊆ Abs(Z)
soundness of the abstraction [Soundness]the computation of (Abs ◦ Post)∗ is correct w.r.t. reachability
For the previous automaton,no abstraction operator can satisfy all these criteria!
[Bouyer03]Chennai – january 2003 Timed Automata – From Theory to Implementation – p.39
![Page 85: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/85.jpg)
General abstractions
Criteria for a good abstraction operator Abs:
easy computation [Effectiveness]Abs(Z) is a zone if Z is a zone
finiteness of the abstraction [Termination]{Abs(Z) | Z zone} is finite
completeness of the abstraction [Completeness]Z ⊆ Abs(Z)
soundness of the abstraction [Soundness]the computation of (Abs ◦ Post)∗ is correct w.r.t. reachability
For the previous automaton,no abstraction operator can satisfy all these criteria!
[Bouyer03]Chennai – january 2003 Timed Automata – From Theory to Implementation – p.39
![Page 86: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/86.jpg)
General abstractions
Criteria for a good abstraction operator Abs:
easy computation [Effectiveness]Abs(Z) is a zone if Z is a zone
finiteness of the abstraction [Termination]{Abs(Z) | Z zone} is finite
completeness of the abstraction [Completeness]Z ⊆ Abs(Z)
soundness of the abstraction [Soundness]the computation of (Abs ◦ Post)∗ is correct w.r.t. reachability
For the previous automaton,no abstraction operator can satisfy all these criteria!
[Bouyer03]Chennai – january 2003 Timed Automata – From Theory to Implementation – p.39
![Page 87: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/87.jpg)
General abstractions
Criteria for a good abstraction operator Abs:
easy computation [Effectiveness]Abs(Z) is a zone if Z is a zone
finiteness of the abstraction [Termination]{Abs(Z) | Z zone} is finite
completeness of the abstraction [Completeness]Z ⊆ Abs(Z)
soundness of the abstraction [Soundness]the computation of (Abs ◦ Post)∗ is correct w.r.t. reachability
For the previous automaton,no abstraction operator can satisfy all these criteria!
[Bouyer03]Chennai – january 2003 Timed Automata – From Theory to Implementation – p.39
![Page 88: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/88.jpg)
Why that?
Assume there is a “nice” operator Abs.
The set {M DBM representing a zone Abs(Z)} is finite.
➜ k the max. constant defining one of the previous DBMs
We get that, for every zone Z,
Z ⊆ Extrak(Z) ⊆ Abs(Z)
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.40
![Page 89: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/89.jpg)
Problem!
Open questions: - which conditions can be made weaker?- find a clever termination criterium?- use an other data structure than zones/DBMs?
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.41
![Page 90: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/90.jpg)
What can we cling to?
Diagonal-free: only guards x ∼ c(no guard x− y ∼ c)
Theorem: the classical algorithm is correct for diagonal-free timedautomata.
General: both guards x ∼ c and x− y ∼ cProposition: the classical algorithm is correct for timed automata that useless than 3 clocks.
(the constant used is bigger than the maximal constant...)
[Bouyer03]
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.42
![Page 91: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/91.jpg)
What can we cling to?
Diagonal-free: only guards x ∼ c(no guard x− y ∼ c)
Theorem: the classical algorithm is correct for diagonal-free timedautomata.
General: both guards x ∼ c and x− y ∼ cProposition: the classical algorithm is correct for timed automata that useless than 3 clocks.
(the constant used is bigger than the maximal constant...)
[Bouyer03]
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.42
![Page 92: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/92.jpg)
Conclusion & Further Work
Decidability is quite well understood.
A rather big problem with the forward analysis of timed automataneeds to be solved.− a very unsatisfactory solution for dealing with diagonal
constraints.− maybe the zones are not the “optimal” objects that we can deal
with.
To be continued...
Some other current challenges:
− adding C macros to timed automata
− reducing the memory consumption via new data structures
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.43
![Page 93: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/93.jpg)
Bibliography
[ACD+92] Alur, Courcoubetis, Dill, Halbwachs, Wong-Toi. Minimization of Timed TransitionSystems. CONCUR’92 (LNCS 630).
[AD90] Alur, Dill. Automata for Modeling Real-Time Systems. ICALP’90 (LNCS 443).
[AD94] Alur, Dill. A Theory of Timed Automata. TCS 126(2), 1994.
[AL02] Aceto, Laroussinie. Is your Model-Checker on Time? On the Complexity ofModel-Checking for Timed Modal Logics. To appear in JLAP 2002.
[BD00] Bérard, Dufourd. Timed Automata and Additive Clock Constraints. IPL 75(1–2), 2000.
[BDFP00a] Bouyer, Dufourd, Fleury, Petit. Are Timed Automata Updatable? CAV’00 (LNCS 1855).
[BDFP00b] Bouyer, Dufourd, Fleury, Petit. Expressiveness of Updatable Timed Automata. MFCS’00(LNCS 1893).
[BDGP98] Bérard, Diekert, Gastin, Petit. Characterization of the Expressive Power of SilentTransitions in Timed Automata. Fundamenta Informaticae 36(2–3), 1998.
[BF99] Bérard, Fribourg. Automatic Verification of a Parametric Real-Time Program: the ABRConformance Protocol. CAV’99 (LNCS 1633).
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.44
![Page 94: Timed Automata Œ From Theory to Implementationbouyer/files/bouyer_chennai.pdf · Timed automata, decidability issues presentation of the model decidability of the model the region](https://reader034.vdocuments.net/reader034/viewer/2022042213/5eb72c759284c60c6c5d6af8/html5/thumbnails/94.jpg)
Bibliography (cont.)
[Bouyer03] Bouyer. Untameable Timed Automata! To appear in STACS’03.
[Dill89] Dill. Timing Assumptions and Verification of Finite-State Concurrent Systems. Aut.Verif. Methods for Fin. State Sys. (LNCS 1989).
[DT98] Daws, Tripakis. Model-Checking of Real-Time Reachability Properties usingAbstractions. TACAS’98 (LNCS 1384).
[DY96] Daws, Yovine. Reducing the Number of Clock Variables of Timed Automata. RTSS’96.
[LPY97] Larsen, Pettersson, Yi. UPPAAL in a Nutshell. Software Tools for Technology Transfer1(1–2), 1997.
[Minsky67] Minsky. Computation: Finite and Infinite Machines. 1967.
[TY01] Tripakis, Yovine. Analysis of Timed Systems using Time-Abstracting Bisimulations.FMSD 18(1), 2001.
Hytech: http://www-cad.eecs.berkeley.edu:80/˜tah/HyTech/
Kronos: http://www-verimag.imag.fr/TEMPORISE/kronos/
Uppaal: http://www.uppaal.com/
Chennai – january 2003 Timed Automata – From Theory to Implementation – p.45