Timed Automata with Integer Resets: Language Inclusion and Expressiveness

P. Vijay Suman, Paritosh K. Pandya, Shankara Narayanan Krishna, Lakshmi Manasa

Technical Report TIFR-SPKM-GM-2008/1∗


July 2008

∗ This work was partially supported by General Motors India Science Lab sponsored project “Advanced Research on Formal Analysis of Hybrid Systems”.


Abstract

In this paper, we consider a syntactic subset of timed automata called integer reset timed automata (IRTA) where resets are restricted to occur at integral time points. We argue with examples that the notion of a global sparse time base used in time triggered architecture and in distributed web services can be naturally modelled and specified using IRTA. As our main result, we show that the language inclusion problem L(A) ⊆ L(B) for a timed automaton A and an IRTA B is decidable with EXPSPACE complexity. The expressive power and the closure properties of IRTA are also summarized. In particular, IRTA are (highly succinct but) expressively equivalent to 1-clock deterministic IRTA, and they are closed under boolean operations.


Contents

1 Introduction
2 Integer Reset Timed Automata
3 Untiming Integer Reset Timed Automata
4 Language Inclusion problem for IRTA
5 Expressiveness and Closure Properties
6 Discussion
A Proofs Of Theorems

1 Introduction

Timed automata [AD94] are an extension of finite state automata with real-valued clocks. They have emerged as a standard theoretical model for real-time systems, and their formal properties have been well studied [AD94, AM04]. Unfortunately, many of the nice properties of finite state automata are lost when going to timed automata. Specifically, timed automata are not closed under complementation or determinization, and the crucial language inclusion question L(A) ⊆ L(B) is undecidable for timed automata. This prevents the effective use of timed automata themselves as a property specification language in model checking.

Timed automata incorporate a global notion of time where time is dense and all clocks are perfectly synchronized. In distributed real-time systems this assumption is unrealistic, and alternative models of timed computation such as the time triggered architecture [KB01] are used in practice. The main features of this model are:

1. Time is dense and global. However, all nodes in a cluster work with a global but sparse time base, where dense time is broken into granular intervals of fixed precision.

2. It is impossible to order the time stamps of events at different nodes which occur within a single granule. Events occurring in different granules can be ordered based on their time stamps.

Inspired by this notion of a sparse time base, in this paper we propose a subclass of timed automata called Integer Reset Timed Automata (IRTA) where clock resets are restricted to occur at integer valued time points. This is achieved by requiring that every reset transition has a condition of the form x = c as a conjunct in its guard, where c is an integer. Note that in IRTA the transitions which do not reset any clock can occur at any time point, so IRTA are more general than integer timed automata. IRTA incorporate the notion of a sparse time base which is taken to be the set of natural numbers, with time granules being unit time intervals.
The only valid quantitative time constraints on events are with respect to the integral values of time at which clock resets occur. Exploiting this, we show in the paper that IRTA cannot distinguish between the time stamps of events occurring within a unit open interval (i, i + 1).

Example 2 presents a case study [MRD+ 08] of modelling the end-to-end latency of a vehicle control system with multiple interacting ECUs working in a time triggered fashion. The resulting model is naturally an IRTA.

Sparse time bases are also used in the quantitative timing constraints which feature in the specification of distributed business processes and web services (e.g. see [KPP06]). Such constraints are typically given with respect to a sparse time base which provides a globally available set of reference time points to all agents. Each such constraint can be naturally modelled as an IRTA. For example, consider the property: Once a check is deposited, the balance will be cleared by the end of the third day. This can be modelled as the IRTA (with silent actions) shown in Figure 3. Here, clock x is reset every 24 hours. Once the check is deposited (at any arbitrary dense time point) a state change occurs and there are no more resets of clock x. The constraint on the ‘balance cleared’ event is x ≤ 72. Note that this constraint is with respect to the start of the day on which the check was deposited, and not the time of depositing the check. Similarly, in the specification of business processes (see [KPP06]), we have properties such as: Meeting must take place within 7 days of receiving the notification but not before 3 days. In calendar automata [DS04] too, the time constraints are with reference to calendar dates, which can be considered as the sparse time base. Thus, we believe that IRTA constitute a useful and interesting sub-class of timed automata.


In this paper, we mainly focus on the decision problems and closure properties of IRTA. We show that the timed language of an IRTA over an alphabet Σ can be precisely represented symbolically by a regular language over an extended alphabet Σ ∪ {δ, ✓}. Such languages are called regular delta-tick languages. We also give a technique for conservatively overapproximating the timed language of a timed automaton by a regular delta-tick language. Utilizing this, we give a decision procedure with EXPSPACE complexity to check whether L(A) ⊆ L(B) for a timed automaton A and an IRTA B. This is achieved by reducing the question to language containment between two regular delta-tick languages. We also remark that the method extends immediately to ε-IRTA, which are IRTA with silent transitions [BPGD98], with the same complexity. The ε-IRTA are quite useful in modelling the periodic clock constraints that occur in time triggered systems.

We also investigate the expressive power of IRTA. We can show that IRTA are expressively equivalent to deterministic 1-clock IRTA. However, the known reduction from IRTA to 1-clock deterministic IRTA seems to result in a three-exponent blowup in the automaton size [SPKM07]. We also show that IRTA are closed under boolean operations.

Related work

We propose a subclass IRTA of timed automata which is suitable for modelling distributed real-time systems working with a global and sparse time base. Such a notion of time occurs in the time-triggered architecture [KB01] and in the timing specification of business processes and web services [KPP06]. In a more comprehensive treatment of the time triggered architecture, Krčál et al [KMTY04] have proposed a model of networks of timed automata working in a time triggered fashion which directly incorporates the buffering of signals between nodes. Moreover, they deal with the sparse time base using a notion of digitization.
Our treatment of time is quite different: we give a weak subclass of timed automata and investigate its properties. Example 2 illustrates the modelling of time triggered systems using IRTA. A work closer to our approach uses calendar automata to model and verify a time triggered protocol [DS04]. However, calendar automata are like discrete event simulation systems with event queues, and infinite state verification techniques have to be used in their analysis. By comparison, IRTA fit well within the theoretical framework of timed automata.

It is also useful to have silent transitions in IRTA, giving ε-IRTA. Silent transitions in timed automata were investigated by [BPGD98]. Decision problems for timed automata with silent transitions have also been studied [BHR07]. We have shown that the language inclusion question L(A) ⊆ L(B) is decidable with EXPSPACE complexity for a timed automaton A and an ε-IRTA B. This question is undecidable for timed automata in general, and it has been shown to be decidable, but with non-primitive-recursive complexity, when B is a 1-clock timed automaton [OW04, OW05]. For the class of deterministic timed automata [AD94] the language inclusion question is decidable and in PSPACE. However, the question whether a given timed automaton is determinizable is undecidable [Tri06, Fin06]. In general, finding determinizable sub-classes of timed automata is an interesting but difficult quest. In their pioneering work, Alur et al [AFH99] have shown that a subclass of timed automata called Event Recording Automata (ERA) can indeed be determinized with one exponential blowup in the automaton size. This has been extended to the semantic model of input-determined automata [DT04]. We show with examples that in terms of expressive power ERA and IRTA are incomparable. While IRTA can also be determinized to 1-clock deterministic IRTA, the available method [SPKM07] seems to result in a blowup of the automaton size by three exponents.
The rest of the paper is organized as follows. Section 2 introduces IRTA as a subclass of timed automata. The delta-tick word representation of timed words is given in Section 3. The construction of the delta-tick automaton RMA for a given timed automaton A is presented in Section 4. The decidability of language inclusion L(A) ⊆ L(B) for an IRTA B is also shown in Section 4. The expressiveness and closure properties of IRTA are explored in Section 5. The paper ends with a discussion.

2 Integer Reset Timed Automata

Definition 1 (Timed Word). A finite timed word over Σ is defined as ρ = (σ, τ), where σ = σ1 . . . σn is a finite sequence of symbols in Σ and τ = τ1 . . . τn is a finite monotone sequence of real numbers. τi represents the time stamp of the occurrence of the event corresponding to the symbol σi. A timed language L is a set of timed words. Let untime(L) = {σ | (σ, τ) ∈ L}. The set of all timed words over a set of symbols S is denoted by TW_S. For convenience of presentation we assume a default initial time stamp τ0 = 0, prefixed to any sequence of time stamps τ = τ1 . . . τn.

Definition 2 (Timed Automata). A timed automaton A is a tuple (L, L0, Σ, C, E, F) where (i) L is a finite set of locations, (ii) L0 ⊆ L is the set of initial locations, (iii) Σ is a finite set of symbols (called the alphabet), (iv) C is a finite set of real valued clocks, (v) E ⊆ L × L × Σ × Φ(C) × 2^C is the set of transitions. An edge e = (l, l′, a, ϕ, λ) represents a transition from the source location l to the target location l′ on input symbol a; the set λ ⊆ C gives the set of clocks that are reset with the transition, and ϕ is a guard over C. (vi) F ⊆ L is the set of final locations. Let x represent a clock in C and c represent a natural number. Φ(C) is the set of constraints ϕ defined by

ϕ := x ≤ c | x ≥ c | x < c | x > c | ϕ ∧ ϕ

Note that the constraint x = c is equivalent to x ≤ c ∧ x ≥ c.

Definition 3 (Clock Interpretation). Let C be the set of clocks. A clock interpretation ν : C → R≥0 maps each clock x ∈ C to a non-negative real number. A state of A is a pair (l, ν) such that l ∈ L and ν is a clock interpretation over C. The state space of A is L × (R≥0)^|C|. The state of a timed automaton can change in two ways:

1. Due to elapse of time: for a state (l, ν) and a real number t ≥ 0, $(l, \nu) \xrightarrow{t} (l, \nu + t)$. This kind of transition is called a timed transition.

2. Due to a location switch: for a state (l, ν) and an edge (l, l′, a, ϕ, λ) such that ν |= ϕ, $(l, \nu) \xrightarrow{a} (l', \nu[\lambda := 0])$. We call such a transition a Σ-transition.

Here (ν + t)(x) = ν(x) + t, and ν[λ := 0](x) = 0 for all x ∈ λ and remains unchanged for all x ∈ C \ λ.

Definition 4 (Run, Word, Language). A run r of a timed automaton is a sequence of alternating timed and Σ-transitions

$$(l_0, \nu_0) \xrightarrow{\tau_1} (l_0, \nu_1) \xrightarrow{e_1} (l_1, \nu_1') \xrightarrow{\tau_2 - \tau_1} (l_1, \nu_2) \xrightarrow{e_2} \cdots (l_{n-1}, \nu_{n-1}') \xrightarrow{\tau_n - \tau_{n-1}} (l_{n-1}, \nu_n) \xrightarrow{e_n} (l_n, \nu_n')$$

with l0 ∈ L0 and ν0 such that ν0(x) = 0 for all x ∈ C. The run r is accepting iff ln ∈ F. Corresponding to each run, there is a timed word (σ1, τ1), (σ2, τ2), · · · , (σn, τn) where σi is the event or symbol corresponding to ei, and τi is the time stamp of σi. A finite timed word ρ = (σ, τ) is accepted by A iff there exists an accepting run of A whose corresponding word is ρ. The timed language L(A) accepted by A is defined as the set of all finite timed words accepted by A.


Figure 1: An IRTA A. (The drawing did not survive extraction; its locations are s, t and u, and its edge labels are a, x = 1? x := 0; a, x ≥ 1?; c, x = 1? x := 0; and b.)

Corresponding to a state (l, ν), we have the configuration (l, ν)^t, where t is the time at which (l, ν) arises in the given run. We use the terms state and configuration interchangeably. The above run can be written as

$$(l_0, \nu_0)^{0} \xrightarrow{\tau_1} (l_0, \nu_1)^{\tau_1} \xrightarrow{e_1} (l_1, \nu_1')^{\tau_1} \xrightarrow{\tau_2 - \tau_1} (l_1, \nu_2)^{\tau_2} \cdots (l_{n-1}, \nu_{n-1}')^{\tau_{n-1}} \xrightarrow{\tau_n - \tau_{n-1}} (l_{n-1}, \nu_n)^{\tau_n} \xrightarrow{e_n} (l_n, \nu_n')^{\tau_n}$$

Theorem 1. [AD94] Given a timed automaton A one can build a finite state automaton RA, called the region automaton, such that L(RA) = untime(L(A)).

Definition 5 (Integer Reset Timed Automata). An integer reset timed automaton (IRTA) is a timed automaton in which every edge e = (l, l′, a, ϕ, λ) is such that λ is nonempty only if ϕ contains at least one atomic constraint of the form x = c, for some clock x.

Example 1. The automaton A in Figure 1 is an IRTA.

Example 2. Figure 2 shows a timed automata based model (taken from [MRD+ 08]) of a system which is a chain of n tasks working under the time triggered architecture. The model is an abstraction derived for the worst-case end-to-end latency estimation of a vehicle control system with multiple ECUs. Tasks cannot directly communicate control signals to each other; they only interact through buffered messages (temporal firewalling). Each task works according to a predetermined time schedule based on the sparse time base. In our example, each task i executes periodically with an integer period Ti. On being triggered, it polls its input buffer and, if input is available, it carries out internal computation which can require up to Ei time. It then generates an output signal for the following task i + 1, which is buffered. Note that the output signal can occur at any dense time point. The model reaches an error location if there is a buffer overflow or if the end-to-end latency exceeds the deadline D.
The figure gives the UPPAAL [BLL+ 95] model of the system which was used to carry out experiments on model checking the worst case end-to-end latency [MRD+ 08]. It can be observed that the model naturally falls under the subclass IRTA of timed automata, as the reset of clock xi occurs with the constraint xi = Ti. Thus, IRTA are useful in specifying and modelling time triggered systems.

Timed automata with silent transitions were studied by [BPGD98]. We adapt them to IRTA.

Definition 6 (ε-IRTA). An ε-IRTA is an IRTA which can also have edges of the form e = (l, l′, ε, ϕ, λ) such that ε ∉ Σ. Such an edge represents a silent or non-observable transition. We use ε-IRTA to denote the class of such automata.

Example 3. Figure 3 shows an ε-IRTA which models the following property: Once a check is deposited, the balance will be cleared by the end of the third day. Such properties arise in the timing specification of business processes and distributed web services [KPP06].

Lemma 1. ε-IRTA are strictly more expressive than IRTA.

Figure 2: UPPAAL model of the chain of n time triggered tasks, from [MRD+ 08]. (The drawing did not survive extraction; the recoverable labels are the location init1, the guards x1==T1?, x1==T1 && DCNT==0? and xi==Ti && buffi-1==0?, and the updates x1=0, xi=0, CNT++ and DCNT=CNT+1.)
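As an added example (our own code, not from the report or from [MRD+ 08]), the following Python gives an executable reading of Definitions 2 to 5: a timed automaton as data, the IRTA syntactic check on reset edges, and acceptance of a finite timed word by exhaustive search over runs. The automaton `irta_figure1` reuses the edge labels visible in Figure 1 (a, x = 1? x := 0; a, x ≥ 1?; c, x = 1? x := 0; b) over the locations s, t, u, but the wiring of those edges, the initial location s and the final location u are assumptions, since the drawing did not survive extraction. The timed words fed to it are constructed inputs.

```python
"""Added example: executable reading of Definitions 2 to 5 (timed automata,
clock interpretations, runs and the IRTA restriction).  Not code from the
report; `irta_figure1` only reuses the edge labels of Figure 1, its wiring
is our assumption, and the timed words below are constructed inputs."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, FrozenSet, List, Set, Tuple, Union

Atom = Tuple[str, str, int]            # (clock, op, c): one atomic constraint
Guard = Tuple[Atom, ...]               # conjunction of atoms (empty = true)
Timestamp = Union[int, float, str, Fraction]


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    sym: str
    guard: Guard
    resets: FrozenSet[str]             # lambda: clocks set to 0 on this edge


@dataclass
class TimedAutomaton:
    initial: Set[str]                  # L0
    clocks: Set[str]                   # C
    edges: List[Edge]                  # E
    final: Set[str]                    # F


def holds(atom: Atom, nu: Dict[str, Fraction]) -> bool:
    """nu |= atom for one atomic constraint of Phi(C)."""
    x, op, c = atom
    v = nu[x]
    return {"<=": v <= c, ">=": v >= c, "<": v < c, ">": v > c, "=": v == c}[op]


def is_irta(a: TimedAutomaton) -> bool:
    """Definition 5: an edge that resets clocks must carry an x = c conjunct.
    x <= c together with x >= c on the same clock counts, because the report
    treats x = c as an abbreviation of that conjunction."""
    for e in a.edges:
        if not e.resets:
            continue
        eq = {x for x, op, _ in e.guard if op == "="}
        le = {(x, c) for x, op, c in e.guard if op == "<="}
        ge = {(x, c) for x, op, c in e.guard if op == ">="}
        if not eq and not (le & ge):
            return False
    return True


def accepts(a: TimedAutomaton, word: List[Tuple[str, Timestamp]]) -> bool:
    """Definition 4: does some run over `word` end in a final location?
    The delay before each event is fixed by the time stamps (tau_0 = 0), so the
    only nondeterminism is the choice of edge; we track the set of reachable
    states (l, nu) and stop early when it becomes empty.  Fractions keep the
    comparisons against integer constants exact."""
    zero = tuple(sorted((x, Fraction(0)) for x in a.clocks))
    states: Set[Tuple[str, tuple]] = {(l, zero) for l in a.initial}
    prev = Fraction(0)
    for sym, t in word:
        t = Fraction(t)
        if t < prev:
            raise ValueError("time stamps must be monotone")
        delta, prev = t - prev, t
        nxt: Set[Tuple[str, tuple]] = set()
        for l, nu_items in states:
            nu = {x: v + delta for x, v in nu_items}                 # timed transition
            for e in a.edges:
                if e.src == l and e.sym == sym and all(holds(g, nu) for g in e.guard):
                    nu2 = {x: (Fraction(0) if x in e.resets else v) for x, v in nu.items()}
                    nxt.add((e.dst, tuple(sorted(nu2.items()))))    # Sigma-transition
        states = nxt
        if not states:
            return False
    return any(l in a.final for l, _ in states)


# Figure 1 labels with an assumed wiring: a self-loop resetting x at every
# integer point, a non-resetting a-edge to t, a resetting c-edge to u, b at u.
irta_figure1 = TimedAutomaton(
    initial={"s"}, clocks={"x"}, final={"u"},
    edges=[
        Edge("s", "s", "a", (("x", "=", 1),), frozenset({"x"})),
        Edge("s", "t", "a", (("x", ">=", 1),), frozenset()),
        Edge("t", "u", "c", (("x", "=", 1),), frozenset({"x"})),
        Edge("u", "u", "b", (), frozenset()),
    ],
)

# Same shape, but the reset hangs on x >= 1, which may fire at 1.5: not an IRTA.
not_an_irta = TimedAutomaton(
    initial={"s"}, clocks={"x"}, final={"t"},
    edges=[Edge("s", "t", "a", (("x", ">=", 1),), frozenset({"x"}))],
)

if __name__ == "__main__":
    print(is_irta(irta_figure1), is_irta(not_an_irta))                        # True False
    print(accepts(irta_figure1, [("a", 1), ("a", 2), ("c", 2), ("b", 2.5)]))  # True
    print(accepts(irta_figure1, [("a", 1), ("a", 2), ("c", 2.5)]))            # False
```

The accepted word above only ever resets x at the integer points 1 and 2, while the b event at 2.5 is admitted because its edge resets nothing; the rejected word fails because c arrives at 2.5, when no reset edge can fire. Because the delay before each event is fixed by the word, acceptance reduces to a subset construction over the finitely many edge choices; an ε-IRTA would need a different search, since a silent edge can fire at any time its guard admits.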
