Doctoral Thesis of the Université de Mons-Hainaut, Académie Universitaire Wallonie-Bruxelles
Specialty: Mathematics
VERIFICATION AND CONTROL OF O-MINIMAL HYBRID SYSTEMS AND WEIGHTED TIMED AUTOMATA, presented by
Thomas Brihaye for the degree of Docteur en Sciences, carried out under the supervision of Mme Véronique Bruyère and M. Christian Michaux, defended on 2 June 2006 before a jury composed of: Mme Patricia Bouyer, LSV, CNRS and ENS de Cachan; Mme Véronique Bruyère, Université de Mons-Hainaut; M. Christian Michaux, Université de Mons-Hainaut; Mme Françoise Point, Université de Mons-Hainaut; M. Jean-François Raskin, Université Libre de Bruxelles; Mme Marie-Françoise Roy, IRMAR, Rennes 1; M. Charles Steinhorn, Vassar College; M. Wolfgang Thomas, RWTH Aachen; M. Christophe Troestler, Université de Mons-Hainaut; M. Jef Wijsen, Université de Mons-Hainaut. Academic year 2005–2006
Acknowledgements

I begin by thanking my two thesis co-supervisors, Professors Véronique Bruyère and Christian Michaux, who taught me the many facets of the researcher's craft: from exploiting ideas to presenting results, by way of writing them up. I am indebted first to Véronique for having agreed to supervise my licence dissertation, which led me into the fascinating research subject that is verification, and then to Christian for having accepted me as an assistant in his department and for having allowed me to keep working on the subject begun in my dissertation. I am also grateful to them for having allowed me to take part in many scientific conferences and thereby to meet several specialists from various research areas. I would also like to express my gratitude to the members of the jury, who agreed to read and judge this thesis. I would also like to thank Jean-François Raskin for having integrated me into his research team and for his many wise pieces of advice. I am very grateful to Patricia Bouyer, who hosted me for ten days at the LSV in Cachan and with whom I exchanged many constructive ideas. Thanks to all my co-authors: Patricia Bouyer, Véronique Bruyère, Fabrice Chevalier, Nicolas Markey, Christian Michaux, Jean-François Raskin, Cédric Rivière and Christophe Troestler, who allowed me to work on diverse and interesting subjects. Nicolas Guzy and Cédric Rivière were my travelling companions during these four years of thesis work. They are largely responsible for the excellent atmosphere that prevailed in the logic department, and I thank them for it. Thanks also to the members of the mathematical logic seminars and of the Centre Fédéré en Vérification for their patient and attentive listening, as well as for their questions and comments during my talks. Besides the people mentioned above, I would like to thank all those who showed interest in my work and thus contributed in one way or another to the writing of this thesis. I am thinking in particular of Alexis Bès, Franck Cassez, Martin Dewulf, Laurent Doyen, Gilles Geeraerts, Valentine Goranko, Axel Legay, François Laroussinie, Jérôme Leroux, Damian Niwinski, Martin Otto, Jean-Pierre Ressayre, ...¹ I would also like to thank my family for its constant support and for having put up with me, in every sense of the word. Finally, I thank Audrey for her patience, her presence and her Love.

¹ I undertake to buy a drink for anyone I have inadvertently forgotten.
Contents

Introduction  11

1 Transition systems and bisimulations  15
  1.1 Definitions  16
  1.2 Basic results on bisimulations  21
  1.3 Bisimulations and equivalence relations  24
    1.3.1 Reflexivity  24
    1.3.2 Symmetry  24
    1.3.3 Transitivity  25
  1.4 Bisimulation equivalence  26
  1.5 Predecessor operators  29
  1.6 Bisimulation Algorithm  33
  1.7 Bisimulations and other equivalences  36
    1.7.1 Language equivalence  37
    1.7.2 Trace equivalence  39
    1.7.3 k-bisimulation equivalence  40
  1.8 Motivations for the study of bisimulations  42
    1.8.1 Reachability problems  43
    1.8.2 Control problems  47

I Verification of Weighted Timed Automata  53

2 Introduction  55

3 Weighted Timed Automata  61
  3.1 Timed Automata  61
  3.2 Region graph  68
    3.2.1 Dense Time  68
    3.2.2 Discrete Time  71
    3.2.3 Time abstract bisimulation  72
  3.3 Weighted Timed Automata  73

4 Optimal Reachability  79
  4.1 Cost-optimal reachability problem  80
    4.1.1 Cost-optimal path reachability problem  84
    4.1.2 A linear programming problem  84
    4.1.3 3-Block matrices  90
    4.1.4 ε-Semantics  93
  4.2 A solution to the cost-optimal reachability problem  95
    4.2.1 ε-Region graph  95
    4.2.2 Links between TAε and RAε  100
    4.2.3 Weighted discrete graph  107
    4.2.4 Complexity  115
  4.3 Assumptions  118
    4.3.1 Supremum cost  118
    4.3.2 Any region r  119
    4.3.3 Any timed automaton  123
    4.3.4 Discrete time  125

5 Model-Checking  127
  5.1 Weighted CTL  128
  5.2 Model-Checking WCTL  131
  5.3 Model-Checking WCTLr  135
    5.3.1 Weighted CTL restricted  135
    5.3.2 Bisimulation and Model-Checking  136
    5.3.3 Discrete Time  137
    5.3.4 Dense Time  138
  5.4 Improved undecidability result  148
    5.4.1 Shape of the Reduction  148
    5.4.2 Modules  155
  5.5 Bisimulations of Automata with Stopwatch Observers  160

6 Control  167
  6.1 Timed games and related cost problems  168
  6.2 Symbolic analysis  173
  6.3 Dense time  177
    6.3.1 Undecidability results  177
    6.3.2 Improved undecidability result  187
    6.3.3 One clock  188
  6.4 Discrete time  193
  6.5 Using cost-optimal reachability  194

7 Conclusion and Future Work  197

II Words, bisimulations and o-minimality  201

8 Introduction  203

9 Bisimulations of dynamical systems  207
  9.1 Dynamical systems  207
  9.2 Transition systems associated  209
  9.3 Examples  210
  9.4 Bisimulations  216

10 Words and dynamics  219
  10.1 Encoding trajectories through words  220
  10.2 Dynamical types  223
    10.2.1 Suffix dynamical type  223
    10.2.2 n-Subword dynamical type  228
    10.2.3 Subword dynamical type  230
    10.2.4 Dotted word dynamical type  231
    10.2.5 Multidotted word dynamical type  233
    10.2.6 Relations between dynamical types  235

11 Computing bisimulations  237
  11.1 Iterating the partitions induced by dynamical types  238
  11.2 Procedure Bisiω  241
  11.3 Procedure Bisiω and bisimulations  244
  11.4 Procedure Bisiω and coarsest bisimulations  246
  11.5 Examples  251

12 The o-minimal case  253
  12.1 O-minimal dynamical systems  254
  12.2 Definability results  256
  12.3 Bisimulation finiteness results  265
    12.3.1 Suffix determinism  265
    12.3.2 Loop case  271
  12.4 Decidability results  274
    12.4.1 On the model of computation  275
    12.4.2 Bisimulation construction  276
    12.4.3 Complexity issues  278
  12.5 Undecidability results  279
    12.5.1 Turing undecidability  280
    12.5.2 BSS undecidability  282
  12.6 O-minimal hybrid systems  284
    12.6.1 The [LPS00] case and its extensions  284
    12.6.2 Canonical runs  288
    12.6.3 Relaxed reset conditions  291

13 Control of o-minimal hybrid systems  297
  13.1 Control of hybrid systems  300
    13.1.1 Hybrid games  300
    13.1.2 Hybrid games and time-abstract bisimulation  304
    13.1.3 Solving the control problem  305
    13.1.4 Control problem and the suffix partition  309
  13.2 O-minimal hybrid games  311
    13.2.1 Generalities on o-minimal games  311
    13.2.2 Computing winning states  313
    13.2.3 Synthesis of winning strategies  317

14 Conclusion and Future Work  321

Bibliography  323
Introduction

Nowadays more and more real-life systems are (automatically) controlled by computer programs. It is of capital importance to know whether the programs governing these systems are correct. When considering air traffic management (see for example [TPS98]), one would like to avoid crashes of airplanes, but also to ensure that a given airplane will arrive safely at its destination within a given amount of time. These questions gave rise to the theory of verification. In order to handle real-life systems, various mathematical models have been introduced (finite automata [MP43], Kripke structures [Kri65], Petri nets [Kos82], timed automata [AD94], hybrid systems [Hen96], ...). Together with these models, various (temporal) logics have been considered (first-order logic, CTL, µ-calculus, ...). These logics capture the properties of the systems which we are interested in. Let C be a class of mathematical models and Φ be a class of properties (expressed in a given logic); one can naturally ask the following question. Given M ∈ C and ϕ ∈ Φ, do we have M |= ϕ? This question is known as the model-checking question. Clearly, if ϕ expresses a safety specification of a system M (as in air traffic management), it is highly desirable to be able to decide the corresponding model-checking question in a very effective way. This question has deep roots in the Entscheidungsproblem, one of the four famous problems posed by Hilbert in 1928 (see [Wan88, p.54]), which prompted the completeness and incompleteness theorems, all of them proved by Gödel around 1930. Turing's work published in 1937 completed Gödel's famous incompleteness theorem and its extensions, given by Gödel in his lectures in Princeton (1934), by showing that the general Entscheidungsproblem is undecidable, and so the model-checking question is in general undecidable. The actual issue of model-checking is to identify classes C and sets Φ expressive enough to model interesting systems and express relevant properties, for which the model-checking question is decidable. For example, it is well known that the model-checking of branching logics is decidable for finite systems. Conversely, one can also be interested in identifying classes C and sets Φ for which model-checking is undecidable. One classical tool to prove the decidability of a class C for a set Φ of branching properties is bisimulation equivalence. Indeed, given M ∈ C and ∼ a bisimulation equivalence on M, we have that M |= ϕ ⇔ M/∼ |= ϕ, where ϕ is a formula of Φ. In particular, if for any given M ∈ C there exists an effective bisimulation ∼ such that the quotient system M/∼ is finite, we obtain the decidability of model-checking for C on Φ. This technique has been successfully applied several times in the literature. It has been used in [AD94] to prove the decidability of the reachability problem on timed automata and also to prove the decidability of the model-checking of TCTL, again on timed automata [ACD93]. Let us notice that these last results are in some sense very sharp. Indeed, on the one hand, when we slightly enrich the model of timed automata we directly get the undecidability of the reachability problem (see [ACH+95, KPSY99, Mil00]); on the other hand, considering extensions of the logic TCTL also leads to undecidability results (see [BBR04, BBR06]). The model-checking question concerns only models for closed systems, where every transition is controlled.
If we want to distinguish between actions of a controller and actions of an environment we have to consider games or control on those formalisms. When modelling air traffic management it is more natural to consider that the plane (whose speed and altitude can be controlled) evolves in an (uncontrollable) environment. Indeed it is for instance impossible to control the weather conditions.
Let C be a class of mathematical models (with controllable and uncontrollable actions) and Φ be a class of properties (expressed in a given logic). In this context the control problem addresses the following question. Given M ∈ C and ϕ ∈ Φ, can we build another system S (which can only enforce controllable actions), called the strategy (or controller), such that M ∥ S |= ϕ, where M ∥ S represents "the system M guided by the strategy S"? Again the actual issue of control is to identify classes C and sets Φ expressive enough to model interesting systems and express relevant properties, for which the control problem is decidable. For example, it is well known that the control problem for reachability properties is decidable for finite systems. In this document we focus on two classes of mathematical models, namely weighted timed automata and o-minimal hybrid systems. For both classes we study some model-checking and control problems. Our main results are the following.

Weighted timed automata. In collaboration with Patricia Bouyer, Véronique Bruyère and Jean-François Raskin, we settle the exact complexity of the cost-optimal reachability problem (see [BBBR06] and Chapter 4). Together with Véronique Bruyère and Jean-François Raskin, we give a complete description of the decidability framework of the model-checking problem for the logic WCTL (see [BBR04, BBR06] and Chapter 5). Finally we prove, jointly with Véronique Bruyère and Jean-François Raskin, the general undecidability of the optimal control problem on weighted timed automata (see [BBR05] and Chapter 6). Let us notice that improved undecidability results concerning the latter two problems were obtained in collaboration with Patricia Bouyer and Nicolas Markey (see [BBM06] and the related chapters). The context and related works concerning the three problems described above are detailed in Chapter 2.
O-minimal hybrid systems. In collaboration with Christian Michaux, Cédric Rivière and Christophe Troestler, we introduce a word encoding technique in order to prove the existence of finite bisimulations for a subclass of o-minimal hybrid systems (see [BMRT04]). Then, with Christian Michaux, we extend the previous results and discuss the decidability and the complexity of our construction (see [BM05, Bri06a]). Afterwards we make a systematic study of the word encoding technique and show how it can be used to build a symbolic "procedure" that "computes" bisimulations of dynamical systems (see [Bri06b]). Finally, together with Patricia Bouyer and Fabrice Chevalier, we study the control problem on o-minimal hybrid systems and give decidability results (see [BBC06]). Further information concerning related works and the presentation of the above results can be found in Chapter 2.

The rest of the document is organized as follows. First, in Chapter 1 we recall folk results concerning bisimulations between transition systems and we try to motivate the study of bisimulation in the verification framework. The careful reader will notice that the notion of bisimulation is in fact present throughout the document. The rest of the thesis is divided into two parts. Part I is dedicated to weighted timed automata and Part II studies o-minimal hybrid systems. The two parts have been written so that they can be read independently. In order to satisfy this requirement, some redundancy cannot be avoided. Moreover, as the thesis is at the hinge of two different topics, we decided to try to make it readable for specialists of both sides; this implies that some written details may seem superfluous to experts.
Chapter 1
Transition systems and bisimulations

The notion of bisimulation (in one form or another) appeared in various fields in the scientific literature. It is nearly impossible to list all of them. Some of them are model theory [Fra50, Ehr61], modal logic [Ben76], set theory [FH83, Acz88], concurrency theory [Par81, Mil90], formal verification [CGP99], ... Depending on the field in which it is considered, bisimulation is known as zig-zag relation, back-and-forth relation, ... In this chapter we only want to study the notion of bisimulation between transition systems. Our motivation for this is the following. Nowadays transition systems are universally recognized as a mathematical model of real-life systems. Unfortunately the transition systems modelling real-life systems are not always that easy to handle, the main problem being their infinite (or very large) size. One way to solve this problem is to reduce these systems to smaller systems in such a way that enough information is preserved. It is known that bisimulations are a "reduction" of particular interest since they preserve a lot of interesting properties (reachability problem, model-checking of branching logics, control problem, ...). The three main goals of the chapter are the following: (i) to illustrate the notion of bisimulation through elementary examples, (ii) to put together "folk" results on bisimulations with their proofs, coming from the different fields where the notion of bisimulation (or one of its synonyms) is used, (iii) to give motivations for the study of bisimulations in the context of formal verification. We do not aim to be exhaustive; this chapter is just a modest collection of the facts we learned and found relevant during the past four years.

The rest of the chapter is organized as follows. The definitions of transition system and (bi)simulation are given in Section 1.1 together with illustrations of the different notions. In Section 1.2, we recall that bisimulations are closed under union and composition. This allows us to define the notion of coarsest bisimulation on a transition system. In Section 1.3 we emphasize the fact that in general bisimulations on a transition system are not equivalence relations. Then in Section 1.4 we study properties of bisimulations that are equivalence relations. Sections 1.5 and 1.6 are devoted to the so-called bisimulation algorithm. This pseudo-algorithm "calculates" the coarsest bisimulation on a given transition system. In Section 1.7 we compare bisimulation equivalence with other well-known equivalences, namely language equivalence, trace equivalence and the notion of k-bisimulation. We end this chapter with Section 1.8, which is devoted to explaining why it is relevant to study bisimulation in the context of verification. In particular we make precise and prove the "folk result" stating that "bisimulation preserves the reachability problem".

In the sequel of this document we assume that the reader is familiar with classical notions of computability. Notions such as (un)decidability and PSpace-completeness will not be defined in the sequel. We refer to the literature for their definitions, see for example [HU79, Pap94].
1.1 Definitions
In this section we start with the classical definitions of transition system and run. Then we give and illustrate the notions of (bi)simulation between two transition systems.
Definition 1.1.1. A (labelled) transition system T = (Q, Σ, →) consists of a set of states Q (which may be uncountable), a finite alphabet of events Σ, and a transition relation → ⊆ Q × Σ × Q.

A transition (q1, a, q2) ∈ → is denoted by q1 −a→ q2. A transition system is finite if Q is finite. If the alphabet of events is reduced to a singleton, Σ = {a}, we will denote the transition system by (Q, →) and omit the event a.

Definition 1.1.2. Given a transition system T = (Q, Σ, →), an infinite run (or an infinite path or an infinite execution) of T is an infinite sequence of states (qi)i∈N such that for all i ∈ N0 there exists ai ∈ Σ such that qi−1 −ai→ qi. We denote it as follows:

ρ = q0 −a1→ q1 −a2→ q2 ··· −ai→ qi ···

We define in the same way the notion of finite run (or finite path or finite execution) of length n of T and denote it by (qi)0≤i≤n.

Definition 1.1.3. Given two transition systems on the same alphabet of events, T1 = (Q1, Σ, →1) and T2 = (Q2, Σ, →2), a partial simulation of T1 by T2 is a binary relation R ⊆ Q1 × Q2 which satisfies the following condition:

∀q1, q1′ ∈ Q1, ∀q2 ∈ Q2, ∀a ∈ Σ,
(q1, q2) ∈ R and q1 −a→1 q1′ ⇒ ∃q2′ ∈ Q2, q2 −a→2 q2′ and (q1′, q2′) ∈ R.   (1.1)

This condition is read "T2 partially simulates T1" (see Figure 1.1).

Definition 1.1.4. Given R a partial simulation of T1 by T2, we say that R is a simulation of T1 by T2 if, for each q1 ∈ Q1, there exists q2 ∈ Q2 such that (q1, q2) ∈ R. In this case, we say that T2 simulates T1.

Remark 1.1.5. The definition of simulation of T1 by T2 implies that any transition q1 −a→ q1′ in T1 is simulated by a corresponding transition q2 −a→ q2′ in T2 (i.e. (q1, q2) ∈ R and (q1′, q2′) ∈ R).
[Figure 1.1: Partial simulation of T1 by T2. In T1, q1 −a→ q1′; in T2, q2 −a→ q2′; R relates q1 to q2 and q1′ to q2′.]

Definition 1.1.6. Given two transition systems on the same alphabet of events, T1 = (Q1, Σ, →1) and T2 = (Q2, Σ, →2), a bisimulation between T1 and T2 is a binary relation R ⊆ Q1 × Q2 such that R is a simulation of T1 by T2 and the converse relation R⁻¹ (for R ⊆ Q1 × Q2, R⁻¹ = {(q2, q1) ∈ Q2 × Q1 | (q1, q2) ∈ R}) is a simulation of T2 by T1. We say that T1 and T2 are bisimilar, or that T1 bisimulates T2 (or T2 bisimulates T1, by symmetry).

Definition 1.1.7. Given R a bisimulation between T1 and T2, if R is the graph of a function from Q1 to Q2, we call R a functional bisimulation from T1 to T2.

Notations 1.1.8. In this chapter (and only in this chapter: the next chapters introduce other notations suited to their context), we introduce some specific notations for the binary relations which are partial simulations, simulations and (functional) bisimulations:
• if R is a partial simulation, it will be denoted Simp,
• if R is a simulation, it will be denoted Sim,
• if R is a bisimulation, it will be denoted β,
• if R is a functional bisimulation, it will be denoted βf.

Examples 1.1.9. Here are some examples of partial simulations, simulations and bisimulations between the transition systems T0, T1, T2, T3 and T4 of Figure 1.2 to Figure 1.6:
• A partial simulation Simp0 of T1 by T0 is given by Simp0 = {(p1, q1), (p2, q2)}; this is not a simulation since p3 is in relation with none of the qi's.
• A simulation Sim1 of T2 by T0 is given by Sim1 = {(r1, q1), (r2, q2), (r3, q3)}. There is no simulation of T0 by T2. Let us suppose there exists a simulation Sim of T0 by T2. By Remark 1.1.5, the transition q2 −b→ q1 of T0 should be simulated by a corresponding transition in T2. The only possible transition is r1 −b→ r3. This implies (q1, r3) ∈ Sim, which is impossible.
• A simulation Sim2 of T0 by T3 is given by Sim2 = {(q1, s1), (q2, s2), (q3, s3)}, and a simulation Sim3 of T3 by T0 is given by Sim3 = Sim2⁻¹ ∪ {(s4, q3)}. There is only one simulation of T3 by T0, namely Sim3, as can easily be checked. Since Sim3⁻¹ is not a simulation, T0 and T3 are not bisimilar.
• A bisimulation β4 between T0 and T4 is given by β4 = {(q1, u1), (q2, u2), (q3, u3), (q3, u4)}; moreover, β4⁻¹ : Q4 → Q0 is a functional bisimulation from T4 to T0, but β4 is not functional.
[Figure 1.2: Transition system T0 (states q1, q2, q3; events a, b)]

[Figure 1.3: Transition system T1 (states p1, p2, p3; events a, b)]

[Figure 1.4: Transition system T2 (states r1, r2, r3; events a, b)]

[Figure 1.5: Transition system T3 (states s1, s2, s3, s4; events a, b)]
Definition 1.1.10. Given a transition system T = (Q, Σ, →), we can look at bisimulations on Q × Q; they are called bisimulations on T.

Definition 1.1.11. Given T a transition system, P a partition of Q and β ⊆ Q × Q a bisimulation on T, we say that the bisimulation β respects the partition P if and only if
∀p, q ∈ Q, (p, q) ∈ β ⇒ there exists a block B of P such that p, q ∈ B.
We will speak of a bisimulation w.r.t. P.

Remark 1.1.12. Given T a transition system, the finest partition of Q is given by Pf = {{q} | q ∈ Q}. The identity bisimulation (or equality bisimulation), given by β1 = {(q, q) | q ∈ Q}, always respects Pf. This implies that the identity bisimulation β1 respects any partition of Q.

Remark 1.1.13. If T is reflexive for every event of the finite alphabet (i.e. ∀q ∈ Q, ∀a ∈ Σ we have q −a→ q), then T is bisimilar to the one-state system T0 = (Q0, →0) with Q0 = {q0} and →0 = {(q0, a, q0) | a ∈ Σ}. The bisimulation between T and T0 is given by β0 = {(q, q0) | q ∈ Q}.

[Figure 1.6: Transition system T4 (states u1, u2, u3, u4; events a, b)]

Remark 1.1.14. One could consider a different notion of bisimulation, let us call it back-bisimulation or backward bisimulation (see [HKPV98]). This would come from the notion of partial backward-simulation, defined as a partial simulation (Definition 1.1.3) where condition (1.1) is replaced by:

∀q1, q1′ ∈ Q1, ∀q2′ ∈ Q2, ∀a ∈ Σ,
(q1′, q2′) ∈ R and q1 −a→1 q1′ ⇒ ∃q2 ∈ Q2, q2 −a→2 q2′ and (q1, q2) ∈ R.   (1.2)

We say that a bisimulation is a forward stable relation and that a back-bisimulation is a backward stable relation. The difference between these two notions is illustrated on Figures 1.7 and 1.8.
1.2 Basic results on bisimulations
For the sake of completeness we give some elementary results on bisimulations (see [Acz88]). We also define the notion of coarsest bisimulation w.r.t. a partition.

Lemma 1.2.1. Given T1, T2 two transition systems on the same alphabet of events and {Simi | i ∈ I} a family of partial simulations of T1 by T2, their union ∪i∈I Simi is a partial simulation of T1 by T2.
[Figure 1.7: Forward stable. In T1, q1 −a→ q1′; in T2, q2 −a→ q2′; given q1 R q2, the step from q1 is matched from q2 with q1′ R q2′.]

[Figure 1.8: Backward stable. In T1, q1 −a→ q1′; in T2, q2 −a→ q2′; given q1′ R q2′, the step into q1′ is matched into q2′ with q1 R q2.]
Proof. It follows easily from the definitions.

The previous lemma implies the following immediate corollary.

Corollary 1.2.2. Given T1, T2 two transition systems on the same alphabet of events and {βi | i ∈ I} a family of bisimulations between T1 and T2, their union ∪i∈I βi is a bisimulation between T1 and T2.

Corollary 1.2.2 gives sense to the following definition.

Definition 1.2.3. Given T1, T2 two transition systems, the coarsest bisimulation between T1 and T2, denoted by βc, is defined by
βc = ∪ βi, where the βi's are the bisimulations between T1 and T2.
Lemma 1.2.4. Given T1, T2, T3 three transition systems on the same alphabet of events, Sim1 ⊆ Q1 × Q2 a simulation of T1 by T2 and Sim2 ⊆ Q2 × Q3 a simulation of T2 by T3, their composition Sim1 ◦ Sim2 (if R1 ⊆ Q1 × Q2 and R2 ⊆ Q2 × Q3, then R1 ◦ R2 = {(q1, q3) ∈ Q1 × Q3 | there exists q2 ∈ Q2 s.t. (q1, q2) ∈ R1 and (q2, q3) ∈ R2}) is a simulation of T1 by T3.

Proof. Given T1, T2, T3 three transition systems, Sim1 ⊆ Q1 × Q2 a simulation of T1 by T2, and Sim2 ⊆ Q2 × Q3 a simulation of T2 by T3, we have to prove that their composition is a simulation of T1 by T3. Given q1, q1′ ∈ Q1 and q3 ∈ Q3 such that q1 −a→ q1′ and (q1, q3) ∈ Sim1 ◦ Sim2, we need to find q3′ ∈ Q3 such that q3 −a→ q3′ and (q1′, q3′) ∈ Sim1 ◦ Sim2. Since (q1, q3) ∈ Sim1 ◦ Sim2, we can find q2 ∈ Q2 such that (q1, q2) ∈ Sim1 and (q2, q3) ∈ Sim2, by definition of the composition. Since Sim1 is a simulation of T1 by T2, we can find q2′ ∈ Q2 such that q2 −a→ q2′ and (q1′, q2′) ∈ Sim1. Now we use the fact that Sim2 is a simulation of T2 by T3 to find q3′ such that q3 −a→ q3′ and (q2′, q3′) ∈ Sim2. So we have that (q1′, q3′) ∈ Sim1 ◦ Sim2, which proves that Sim1 ◦ Sim2 is a partial simulation of T1 by T3; it is a simulation since every q1 ∈ Q1 is related by Sim1 to some q2, which is in turn related by Sim2 to some q3.

The previous lemma implies the following immediate corollary.

Corollary 1.2.5. Given T1, T2, T3 three transition systems on the same alphabet of events, β1 ⊆ Q1 × Q2 a bisimulation between T1 and T2 and β2 ⊆ Q2 × Q3 a bisimulation between T2 and T3, their composition β1 ◦ β2 is a bisimulation between T1 and T3.

An interesting particular case of Corollary 1.2.5 is the following.

Corollary 1.2.6. Given T1, T2 two transition systems on the same alphabet of events and β ⊆ Q1 × Q2 a bisimulation between T1 and T2, the kernel of this bisimulation, Ker(β) = β ◦ β⁻¹, is a bisimulation on T1.

Remark 1.2.7. Corollary 1.2.5 implies the transitivity of the relation "T1 is (bi)similar to T2".

Lemma 1.2.8. Given T a transition system, P a partition of Q, β1 and β2 two bisimulations on T w.r.t. P, we have that:
1. the union of β1 and β2, β1 ∪ β2, is a bisimulation on T w.r.t. P,
2. the composition of β1 and β2, β1 ◦ β2, is a bisimulation on T w.r.t. P.

Proof. It follows easily from the definitions and Corollaries 1.2.2 and 1.2.5.

Lemma 1.2.8 gives sense to the following definition.

Definition 1.2.9. Given T a transition system and P a partition of Q, the coarsest bisimulation on T w.r.t. P, also denoted by βc, is defined by
βc = ∪ βi, where the βi's are the bisimulations on T w.r.t. P.
[Figure 1.9: Transition system T5 (states q1, q2; event a)]

[Figure 1.10: Transition system T6 (states q1, q2, q3; event a)]

1.3 Bisimulations and equivalence relations
In the literature, bisimulations on T are often equivalence relations, but in general this is far from being the case. This section illustrates this fact. However, we also explain why, in some sense, it is sufficient to study bisimulations on T which are equivalence relations.
1.3.1 Reflexivity
Bisimulations are not necessarily reflexive binary relations. For example consider the relation β = {(q1, q2), (q2, q1)}; β is clearly a bisimulation on T5 (see Figure 1.9) which is not reflexive. However, we can make any bisimulation reflexive; this is formalized in the following lemma.

Lemma 1.3.1. Given T a transition system, P a partition of Q and β a bisimulation on T w.r.t. P, the reflexive closure⁵ of β is still a bisimulation w.r.t. P.

Proof. By definition, the reflexive closure of β is β ∪ β1, where β1 is the identity relation, itself a bisimulation respecting P (see Remark 1.1.12); the union is a bisimulation w.r.t. P by Lemma 1.2.8.
1.3.2 Symmetry
Bisimulations are not in general symmetric binary relations, although the definition looks rather symmetric. For example consider the relation β = {(q1, q1), (q2, q2), (q1, q2)}; β is clearly a bisimulation on T5 (see Figure 1.9) which is not symmetric.

⁵ If R ⊆ Q × Q is a binary relation, its reflexive closure is given by R ∪ {(q, q) | q ∈ Q}.
However we can turn any bisimulation into a symmetric relation which is still a bisimulation, as shown by the following lemma.

Lemma 1.3.2. Given T a transition system, P a partition of Q and β a bisimulation on T w.r.t. P, we can construct from β a symmetric bisimulation w.r.t. P.

Proof. We consider the binary relation β ∪ β⁻¹. Since β is a bisimulation w.r.t. P, so is β⁻¹ by definition of a bisimulation. So β ∪ β⁻¹ is a bisimulation by Corollary 1.2.2 and it respects P by Lemma 1.2.8.
1.3.3 Transitivity
Bisimulations are not in general transitive binary relations. For example consider the relation β = {(q1, q2), (q2, q3), (q3, q1)}; β is clearly a bisimulation on T6 (see Figure 1.10) which is not transitive⁶. However we can make any bisimulation transitive, as shown in the following lemma.

Lemma 1.3.3. Given T a transition system, P a partition of Q and β a bisimulation on T w.r.t. P, the transitive closure⁷ β⁺ of β is still a bisimulation w.r.t. P.

Proof. β⁺ is still a bisimulation by Corollaries 1.2.2 and 1.2.5. Moreover β⁺ respects P by Lemma 1.2.8.

Corollary 1.3.4. Given T a transition system, P a partition of Q and β a bisimulation on T w.r.t. P, we can construct from β a bisimulation β̃ w.r.t. P which is an equivalence relation.

Proof. We apply Lemmas 1.3.1, 1.3.2 and 1.3.3 to the bisimulation β. Explicitly, β̃ = (β ∪ β⁻¹ ∪ β1)⁺ = (β ∪ β⁻¹)*.

⁶ Note that β is neither reflexive nor symmetric.
⁷ If R ⊆ Q × Q is a binary relation, its transitive closure, denoted R⁺, is given by ⋃n≥1 Rⁿ and its reflexive transitive closure, denoted R*, is given by ⋃n≥0 Rⁿ, where R⁰ is β1.
Notations 1.3.5. A bisimulation which is an equivalence relation will be denoted β̃.

Corollary 1.3.6. Given T a transition system and P a partition of Q, let βc be the coarsest bisimulation w.r.t. P; it is an equivalence relation.

Proof. We need to prove that βc is a reflexive, symmetric and transitive binary relation.
Reflexivity: β1 is a bisimulation on T respecting P (see Remark 1.1.12). So by definition of βc we have β1 ⊆ βc, which means that βc is reflexive.
Symmetry: Since βc is a bisimulation on T w.r.t. P, so is βc ∪ βc⁻¹ (using Lemma 1.3.2). Clearly βc ⊆ βc ∪ βc⁻¹, and by definition of βc we have βc ∪ βc⁻¹ ⊆ βc. Hence βc ∪ βc⁻¹ = βc, which implies that βc is symmetric.
Transitivity: Since βc is a bisimulation on T w.r.t. P, so is its transitive closure βc⁺ (using Lemma 1.3.3). By definition of the transitive closure βc ⊆ βc⁺, and by definition of βc we have βc⁺ ⊆ βc. Hence βc⁺ = βc, which implies that βc is transitive.
Remark 1.3.7. Corollaries 1.3.4 and 1.3.6 explain, in some sense, why the study of bisimulations on a transition system can be reduced to the study of bisimulations which are equivalence relations; such bisimulations are called bisimulation equivalences.
1.4 Bisimulation equivalence
We now study some properties of bisimulation equivalences. Most of the results and their proofs can be found in [Cau95]. We first define the quotient of a transition system by an equivalence relation.

Definition 1.4.1. Given a transition system T = (Q, Σ, →) and ∼ an equivalence relation on Q, the quotient of T by ∼, denoted T/∼ = (Q/∼, Σ, →∼), is defined as follows:
• Q/∼ = {[q]∼ | q ∈ Q} where [q]∼ = {q′ | (q, q′) ∈ ∼},
• [q1]∼ −a→∼ [q2]∼ if and only if there exist q1′ ∈ [q1]∼ and q2′ ∈ [q2]∼ such that q1′ −a→ q2′.

Let us notice that T/∼ is a transition system on the same alphabet of events as T. In this context, we say that an equivalence relation ∼ is finite if and only if Q/∼ is finite. The previous definition directly implies the following lemma, which requires no condition on the equivalence relation ∼.

Lemma 1.4.2. Given a transition system T = (Q, Σ, →) and ∼ an equivalence relation on Q, T/∼ simulates T. The simulation is given by the graph of the natural map sending q to its equivalence class [q]∼.

The converse of Lemma 1.4.2 is false in general. Let us consider the transition system T7 of Figure 1.11 and the equivalence relation ∼ induced by the partition {{q1}, {q2, q3}, {q4}}. The quotient of T7 by ∼ is depicted on Figure 1.12. Clearly there is no simulation of T7/∼ by T7. Indeed q2 ∈ [q3]∼ but there is no move possible from q2. Notice also that in the quotient T7/∼ there is a path from [q1]∼ to [q4]∼ although there is no path from q1 to q4 in T7. However the converse of Lemma 1.4.2 holds when ∼ is a bisimulation on T (see Lemma 1.4.4).

[Figure 1.11: Transition system T7 (states q1, q2, q3, q4; a-labelled transitions)]

[Figure 1.12: Transition system T7/∼ (classes [q1]∼, [q3]∼, [q4]∼; a-labelled transitions)]

Remark 1.4.3. Given P a partition and β̃ a bisimulation equivalence w.r.t. P, any P ∈ P is a union of equivalence classes for β̃. This is just a reformulation of Definition 1.1.11.
The notion of a partition respected by a bisimulation equivalence naturally extends to any equivalence relation. In the same way we say that a subset P of Q is respected by an equivalence relation ∼ (or equivalently by a partition) if P is a union of equivalence classes for ∼. Given T a transition system and β̃ a bisimulation equivalence on T, T and its quotient by β̃ are bisimilar, as already announced. This result seems rather natural; we nevertheless formalize it in the following lemma.

Lemma 1.4.4. Given T a transition system and β̃ a bisimulation equivalence on T, there exists a functional bisimulation from T to its quotient transition system T/β̃; it is given by βf : q ↦ [q]β̃ (see [Cau95, Lemma A.1]).

Proof. βf is a simulation of T by T/β̃ by Lemma 1.4.2. Clearly, βf is the graph of a function from Q to Q/β̃. The proof that βf⁻¹ is a simulation of T/β̃ by T is sketched in the two diagrams of Figures 1.13 and 1.14. We have to prove that, given [q1]β̃ −a→ [q2]β̃ and q1″ ∈ Q with q1″ ∈ [q1]β̃, we can find q2″ ∈ Q such that q1″ −a→ q2″ and q2″ ∈ [q2]β̃. We proceed in two steps. First we use the definition of T/β̃ to find q1′ ∈ [q1]β̃ and q2′ ∈ [q2]β̃ with q1′ −a→ q2′ (see the first diagram, Figure 1.13). Since q1′ and q1″ both belong to [q1]β̃, we have (q1′, q1″) ∈ β̃. The second step uses the fact that β̃ is a bisimulation to find q2″ with q1″ −a→ q2″ and (q2′, q2″) ∈ β̃ (see the second diagram, Figure 1.14). Hence q2″ ∈ [q2]β̃, which concludes the proof.

[Figure 1.13: Diagram 1 (the transition [q1]β̃ −a→ [q2]β̃ is realized by representatives q1′ −a→ q2′, with q1″ ∈ [q1]β̃ related to q1′ by β̃)]

[Figure 1.14: Diagram 2 (the bisimulation β̃ yields q1″ −a→ q2″ with (q2′, q2″) ∈ β̃, so q2″ ∈ [q2]β̃)]
The following lemma exactly characterizes the bisimulations which are equivalence relations.

Lemma 1.4.5. Given T a transition system, the class of bisimulations on T which are equivalence relations is the class of the kernels of the functional bisimulations from T (see [Cau95, Lemma A.2]).

Proof. Given β̃ a bisimulation on T which is an equivalence relation, by Lemma 1.4.4, βf : q ↦ [q]β̃ is a functional bisimulation. Moreover, we have that
$$\mathrm{Ker}(\beta_f) = \{\,(q_1, q_2) \mid [q_1]_{\tilde\beta} = [q_2]_{\tilde\beta}\,\} = \tilde\beta.$$
So β̃ is the kernel of the functional bisimulation βf. Conversely, if βf is a functional bisimulation from T1 to T2, Ker(βf) is a bisimulation on T1 (using Corollary 1.2.6). By definition of the kernel, Ker(βf) is a reflexive and symmetric relation. Since βf is functional, Ker(βf) is a transitive relation. This proves that the kernel of any functional bisimulation is an equivalence relation.

Remark 1.4.6. The result of Lemma 1.4.5 is no longer true if the bisimulation is not functional. Let us consider Figures 1.15 and 1.16 and β the bisimulation between T8 and T9 given by
β = {(q1, p1), (q2, p1), (q2, p3), (q3, p3), (q4, p4)}.
The kernel Ker(β) = β ∘ β⁻¹ of this bisimulation is given by
Ker(β) = {(q1, q1), (q2, q2), (q3, q3), (q4, q4), (q1, q2), (q2, q1), (q2, q3), (q3, q2)}.
We remark that Ker(β) is not an equivalence relation, since it is not transitive. Indeed, we have that (q1, q2) ∈ Ker(β) and (q2, q3) ∈ Ker(β) but (q1, q3) ∉ Ker(β).
[Figure 1.15: Transition system T8 (states q1, q2, q3, q4; a-labelled transitions)]

[Figure 1.16: Transition system T9 (states p1, p3, p4; a-labelled transitions)]

1.5 Predecessor operators

Given a transition system T and a partition P, we are interested in knowing whether there exists a finite bisimulation on T w.r.t. P (see Section 1.8 for motivations). If such a finite bisimulation exists, the next step would be to compute it. In order to consider an algorithmic approach to this question (see Section 1.6), we need an alternative definition of bisimulation equivalences. This definition can be found in [AHLP00, Dav99] for example. In order to give this equivalent definition of bisimulation, we first need to define two predecessor operators. We also give some properties of these operators (see [Cou00]).

Definition 1.5.1. Given T = (Q, Σ, →) a transition system, X ⊆ Q and a ∈ Σ, the a-existential predecessor of X is given by
$$\mathrm{Pre}^{\exists}_a(X) = \{\, q \in Q \mid \exists q'\ (q \xrightarrow{a} q') \wedge (q' \in X) \,\}.$$

Definition 1.5.2. Given T = (Q, Σ, →) a transition system, X ⊆ Q and a ∈ Σ, the a-universal predecessor of X is given by
$$\mathrm{Pre}^{\forall}_a(X) = \{\, q \in Q \mid \forall q'\ (q \xrightarrow{a} q') \Rightarrow (q' \in X) \,\}.$$
When the set X reduces to a single element q, we write Pre∃a(q) instead of Pre∃a({q}). We adopt the same convention for the universal predecessor.

Remark 1.5.3. Let us notice that, due to its definition, the universal predecessor sometimes has an "unexpected" behaviour: a state with no a-successor belongs to Pre∀a(X) for every X ⊆ Q, since the implication in Definition 1.5.2 is then vacuously true. Indeed, consider Figure 1.17. We have that q1 ∈ Pre∀a(q2). This makes the universal predecessor a little less intuitive than the existential predecessor.

[Figure 1.17: q1 ∈ Pre∀a(q2) (states q1, q2 and one a-labelled transition)]

Let us give some immediate properties of the predecessor operators.

Lemma 1.5.4. Given T = (Q, Σ, →) a transition system, X1, X2 ⊆ Q and a ∈ Σ, we have that
1. Pre∃a(X1 ∪ X2) = Pre∃a(X1) ∪ Pre∃a(X2),
2. Pre∀a(X1 ∩ X2) = Pre∀a(X1) ∩ Pre∀a(X2).

Let us notice that the "dual" of Lemma 1.5.4 is false in general. Let us consider Figure 1.18 with X1 = {q1} and X2 = {q2}. We have that
1. q ∉ Pre∃a(X1 ∩ X2) but q ∈ Pre∃a(X1) ∩ Pre∃a(X2),
2. q ∈ Pre∀a(X1 ∪ X2) but q ∉ Pre∀a(X1) ∪ Pre∀a(X2).

[Figure 1.18: X1 = {q1} and X2 = {q2} (state q with a-labelled transitions to q1 and to q2)]

The existential and universal predecessor operators are related by the following lemma.

Lemma 1.5.5. Given T = (Q, Σ, →) a transition system, X ⊆ Q and a ∈ Σ, we have that
$$\mathrm{Pre}^{\forall}_a(X) = Q \setminus \mathrm{Pre}^{\exists}_a(Q \setminus X).$$
Proof.
$$\begin{aligned}
\mathrm{Pre}^{\forall}_a(X) &= \{\, q \in Q \mid \forall q'\ (q \xrightarrow{a} q') \Rightarrow (q' \in X) \,\} \\
&= Q \setminus \{\, q \in Q \mid \exists q'\ (q \xrightarrow{a} q') \wedge (q' \notin X) \,\} \\
&= Q \setminus \mathrm{Pre}^{\exists}_a(Q \setminus X).
\end{aligned}$$
We now define what it means for an equivalence relation to be stable under the action of a predecessor.

Definition 1.5.6. Given T = (Q, Σ, →) a transition system, P a finite partition of Q and ∼ an equivalence relation on Q, we say that ∼ is stable under the action of Pre∃ w.r.t. P if the two following conditions are satisfied:
1. for all P ∈ P, P is a union of equivalence classes for ∼,
2. for each a ∈ Σ and each equivalence class A of ∼, the existential predecessor Pre∃a(A) is a union of equivalence classes of ∼.

In a similar way we define the stability of an equivalence relation under the action of Pre∀.

Remark 1.5.7. Given T = (Q, Σ, →) a transition system, P a finite partition of Q and ∼ an equivalence relation on Q. By Lemma 1.5.5 and Lemma 1.5.4, if ∼ is stable under the action of Pre∃ w.r.t. P then ∼ is stable under the action of Pre∀ w.r.t. P. The converse is false: consider Figure 1.17 with the equivalence relation ∼ induced by the partition P = {{q1, q2}}. We have that ∼ is stable under the action of Pre∀ but not under the action of Pre∃.

We are now able to give an alternative definition of bisimulation equivalence in terms of existential predecessors. It is stated in the following lemma.

Lemma 1.5.8. Given T = (Q, Σ, →) a transition system, P a finite partition of Q and β̃ an equivalence relation on Q, we have that β̃ is a bisimulation on T w.r.t. P if and only if β̃ is stable under the action of Pre∃ w.r.t. P.

Proof. We first prove the "only if" implication. We have to prove that β̃ satisfies points 1 and 2 of Definition 1.5.6. The first point holds by Remark 1.4.3. Let us now prove the second point. Consider A an equivalence class for β̃; we have to prove that Pre∃a(A) is a union of equivalence classes for β̃. Take q1 ∈ Pre∃a(A); hence there exists q1′ ∈ A such that q1 −a→ q1′. Given any q2 ∈ Q with (q1, q2) ∈ β̃, we can find q2′ ∈ A such that q2 −a→ q2′, by definition of a bisimulation. In other words, given any q2 ∈ Q with (q1, q2) ∈ β̃, we have q2 ∈ Pre∃a(A). Hence Pre∃a(A) is a union of equivalence classes for β̃.

We now prove the "if" implication. Take q1, q1′, q2 ∈ Q and a ∈ Σ such that (q1, q2) ∈ β̃ and q1 −a→ q1′; we have to prove that there exists q2′ such that (q1′, q2′) ∈ β̃ and q2 −a→ q2′. Let A be the equivalence class of β̃ containing q1′, so q1 ∈ Pre∃a(A). Since (q1, q2) ∈ β̃, we have q2 ∈ Pre∃a(A), using the hypothesis that Pre∃a(A) is a union of equivalence classes for β̃. We can thus find q2′ ∈ A such that q2 −a→ q2′, by definition of Pre∃a(A). Since q1′, q2′ ∈ A, we have (q1′, q2′) ∈ β̃. This proves that β̃ is a bisimulation. It clearly respects P by point 1 of Definition 1.5.6.

Remark 1.5.9. On Figure 1.17, q1 and q2 are distinguished by the existential predecessor (see Remark 1.5.7). Using Lemma 1.5.8 one equivalently sees that (q1, q2) ∉ βc, where βc is the coarsest bisimulation on the transition system of Figure 1.17 w.r.t. P = {{q1, q2}}.
1.6 Bisimulation Algorithm
Given a transition system T and a partition P, under the assumption that a finite bisimulation on T w.r.t. P exists, we would like to compute it (see Section 1.8 for motivations). In this section we present a "pseudo-algorithm" which computes the coarsest bisimulation on T w.r.t. P if it is finite. This pseudo-algorithm is known as the bisimulation algorithm (a.k.a. Paige–Tarjan algorithm) and can be found in [PT87, BFH90, KS90, Hen95, HMR05]. Let us notice that finding efficient algorithms to determine a bisimulation on a system is still an active field of research (see [DPP04]). The bisimulation algorithm is based on Lemma 1.5.8. Let us recall this algorithm.

Initialization: Q̃ := P
While ∃a ∈ Σ, ∃P, P′ ∈ Q̃ such that ∅ ≠ P ∩ Pre∃a(P′) ≠ P
    Set P1 = P ∩ Pre∃a(P′) and P2 = P \ Pre∃a(P′)
    Refine Q̃ := (Q̃ \ {P}) ∪ {P1, P2}
End while

Table 1.1: Bisimulation Algorithm

The algorithm starts with the initial partition P and refines it into a finer partition at each step. It stops if the obtained partition is stable under the action of Pre∃. By Lemma 1.5.8 this means that the obtained partition is a bisimulation. In fact, if the algorithm stops, the bisimulation obtained is the coarsest bisimulation w.r.t. P. In order to formalize this result, we need to introduce the notion of "separating two points by the algorithm" (see Figure 1.19).

Definition 1.6.1. Given q1, q2 ∈ Q, we say that the algorithm separates q1 and q2 at step (i + 1) if and only if
• at step (i), ∃P ∈ Q̃ such that q1 ∈ P and q2 ∈ P,
• at step (i + 1), ∃P1, P2 ∈ Q̃ with P1 ≠ P2 such that q1 ∈ P1 and q2 ∈ P2.

We can now prove an interesting property of the bisimulation algorithm.

Lemma 1.6.2. Given T a transition system, P a finite partition of Q and q1, q2 two states of T, if (q1, q2) belongs to the coarsest bisimulation w.r.t. P then no step of the algorithm separates q1 and q2.

Proof. Let βc be the coarsest bisimulation w.r.t. P. Suppose that q1 and q2 are the first two points such that (q1, q2) ∈ βc and which are separated by the algorithm. If they are separated at step i + 1, then at step i every set of Q̃ is a union of equivalence classes for βc. Since the algorithm separates q1 and q2, there exist a ∈ Σ and P, P′ ∈ Q̃ such that ∅ ≠ P ∩ Pre∃a(P′) ≠ P with q1 ∈ P ∩ Pre∃a(P′) and q2 ∈ P \ Pre∃a(P′) (see Figure 1.19). So q1 ∈ Pre∃a(P′) and q2 ∉ Pre∃a(P′). Since q1 ∈ Pre∃a(P′) we can find q1′ ∈ P′ such that q1 −a→ q1′; since q2 ∉ Pre∃a(P′) it is impossible to find q2′ ∈ P′ such that q2 −a→ q2′. Since (q1, q2) ∈ βc and P′ is a union of equivalence classes for βc, this contradicts the fact that βc is a bisimulation.

[Figure 1.19: Separation of q1 and q2 by a step of the algorithm (P, P′ ∈ Q̃ with q1 ∈ P ∩ Pre∃a(P′) and q2 ∈ P \ Pre∃a(P′))]

Remark 1.6.3. In other words, Lemma 1.6.2 shows that at every step of the bisimulation algorithm the partition Q̃ built so far is respected by the coarsest bisimulation βc. This means that an invariant of the algorithm is: "every piece of the partition Q̃ is a union of equivalence classes for βc".

Corollary 1.6.4. Given T a transition system and P a finite partition of Q, the coarsest bisimulation on T w.r.t. P is finite if and only if the algorithm terminates.

Proof. The "if" direction is proved by Lemma 1.5.8: the final partition is stable, hence a bisimulation w.r.t. P, and by Lemma 1.6.2 each of its pieces is a union of classes of βc, so it equals βc, which is therefore finite. The "only if" direction is proved by Lemma 1.6.2: every partition built by the algorithm is respected by βc, so it has at most as many pieces as βc, and since each step strictly increases the number of pieces the refinement cannot go on forever.
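As an added worked example, not taken from the thesis, the following Python code implements the predecessor operators of Definitions 1.5.1 and 1.5.2, the duality of Lemma 1.5.5, the stability test of Definition 1.5.6, the refinement loop of Table 1.1 and the quotient of Definition 1.4.1 on a finite transition system. The system is a constructed reconstruction of Figure 1.20 from its description in Section 1.7 (states q0, …, q8 in the pieces A, B, C, D, events a, b, c); the exact transitions are an assumption. Running it shows that the initial partition P is not stable, that the loop terminates with seven pieces, and that q0 and q4 end up in distinct pieces while q2, q7 and q3, q8 stay together.

```python
"""Partition refinement (Table 1.1) on a small labelled transition system.

Added example; the transition system below is a constructed reconstruction of
Figure 1.20 from its description in the text (state and event names are assumptions).
"""

# Constructed transition system T = (Q, Sigma, ->) and initial partition P.
EDGES = {
    ("q0", "a", "q1"), ("q1", "b", "q2"), ("q1", "c", "q3"),
    ("q4", "a", "q5"), ("q4", "a", "q6"), ("q5", "b", "q7"), ("q6", "c", "q8"),
}
Q = {f"q{i}" for i in range(9)}
SIGMA = ("a", "b", "c")
# P = {A, B, C, D} with A = {q0, q4}, B = {q1, q5, q6}, C = {q2, q7}, D = {q3, q8}
P0 = [{"q0", "q4"}, {"q1", "q5", "q6"}, {"q2", "q7"}, {"q3", "q8"}]


def pre_exists(a, X):
    """a-existential predecessor (Definition 1.5.1): states with some a-successor in X."""
    return {s for (s, e, t) in EDGES if e == a and t in X}


def pre_forall(a, X):
    """a-universal predecessor (Definition 1.5.2): states all of whose a-successors
    lie in X; a state without any a-successor belongs to it vacuously (Remark 1.5.3)."""
    return {q for q in Q if all(t in X for (s, e, t) in EDGES if s == q and e == a)}


def duality_holds(a, X):
    """Lemma 1.5.5: Pre_a^forall(X) = Q \\ Pre_a^exists(Q \\ X)."""
    return pre_forall(a, X) == Q - pre_exists(a, Q - X)


def is_union_of_pieces(X, partition):
    """X is a union of pieces of the partition iff no piece straddles X."""
    return all(B <= X or not (B & X) for B in partition)


def is_stable(partition):
    """Point 2 of Definition 1.5.6: every Pre_a^exists(piece) is a union of pieces.
    Point 1 holds automatically for every refinement of the initial partition P."""
    return all(is_union_of_pieces(pre_exists(a, B), partition)
               for a in SIGMA for B in partition)


def find_splitter(partition):
    """The while-condition of Table 1.1: pieces P, P' with {} != P & Pre_a(P') != P."""
    for a in SIGMA:
        for piece in partition:
            for other in partition:
                pre = pre_exists(a, other)
                p1, p2 = piece & pre, piece - pre
                if p1 and p2:
                    return piece, p1, p2
    return None


def coarsest_bisimulation(initial):
    """Bisimulation algorithm of Table 1.1; returns the final (stable) partition.
    By Lemma 1.6.2 every intermediate partition is respected by beta_c, so on a
    finite system the loop ends with the coarsest bisimulation w.r.t. P."""
    partition = [set(B) for B in initial]
    while (split := find_splitter(partition)) is not None:
        piece, p1, p2 = split
        partition.remove(piece)
        partition.extend([p1, p2])
    return {frozenset(B) for B in partition}


def piece_of(q, partition):
    return next(frozenset(B) for B in partition if q in B)


def bisimilar(q1, q2, partition):
    return piece_of(q1, partition) == piece_of(q2, partition)


def quotient(partition):
    """Transitions of T/~ (Definition 1.4.1) as triples ([s], a, [t])."""
    return {(piece_of(s, partition), e, piece_of(t, partition)) for (s, e, t) in EDGES}


if __name__ == "__main__":
    bc = coarsest_bisimulation(P0)
    print("initial partition stable:", is_stable(P0))
    print("pieces of the coarsest bisimulation:", sorted(sorted(B) for B in bc))
    print("q0 bisimilar to q4:", bisimilar("q0", "q4", bc))
    print("transitions of the quotient:", len(quotient(bc)))
```

By Lemma 1.6.2 the order in which splitters are chosen does not affect the result, so `find_splitter` simply takes the first pair it finds; an efficient implementation in the style of [PT87] would instead process splitters in a worklist.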
1.7 Bisimulations and other equivalences
The notion of bisimulation seems to be related to the notion of language equivalence, well known to automata theorists (see for example [Eil74, Eil76, HU79]), and to the notion of trace equivalence as defined in [Gla90, HMR05]. We first briefly recall some notions in order to define the two equivalence relations. We compare these two notions with bisimulation in the case of finite transition systems. The reader interested in infinite transition systems should refer to the interesting paper [HMR05]⁸. We also compare bisimulation to the notion of k-bisimulation.

Notations 1.7.1. In this section we use some classic notations from automata theory. Given Σ a finite alphabet, we denote by Σ* the set of finite words on Σ. Given ω1, ω2 ∈ Σ* we denote by ω1 · ω2 the concatenation of ω1 with ω2. We denote by ε the empty word. Given ω ∈ Σ* we denote by |ω| the length of the word ω. Given L ⊆ Σ* and a ∈ Σ we denote by a⁻¹L the left quotient of L by a, i.e. the subset of Σ* given by {ω ∈ Σ* | a · ω ∈ L}.

Let T = (Q, Σ, →) be a finite transition system, P be a finite partition of Q and ρ be a finite run of T given by
$$\rho = q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} q_2 \cdots q_{n-1} \xrightarrow{a_n} q_n.$$
We naturally associate two finite words with ρ as follows.
• ωΣ(ρ) = a1 a2 ··· an ∈ Σ*,
• ωP(ρ) = A0 A1 ··· An ∈ P*, where Ai is the piece of P containing qi.

Example 1.7.2. Let us consider the transition system T = (Q, Σ, →) together with the partition P = {A, B, C, D} (see Figure 1.20). The two words associated with the path ρ = q0 −a→ q1 −c→ q3 are ωΣ(ρ) = ac and ωP(ρ) = ABD.

⁸ In [HMR05] the authors give a classification of infinite transition systems admitting a finite bisimilarity quotient or a finite trace-equivalence quotient, and they also study other relevant equivalence relations.
[Figure 1.20: L(q0) = L(q4) and T(q0) = T(q4) (states q0, …, q8 labelled by the pieces A, B, C, D of P; events a, b, c)]
1.7.1 Language equivalence
In order to define the language equivalence, we need to consider a transition system T = (Q, Σ, →) together with two subsets of Q, denoted Q0 and QF, which represent respectively the initial and final states of the transition system. The 5-tuple (Q, Σ, →, Q0, QF) is nothing more than a finite automaton (see [Eil74, Eil76, HU79]); we denote such a 5-tuple by A. We can now define the language associated with a state.

Definition 1.7.3. Given a finite transition system (Q, Σ, →), a set of final states QF ⊆ Q and a state q ∈ Q, the language associated with q, denoted L(q), is given by
L(q) = {ωΣ(ρ) | ρ starting in q and ending in QF}⁹.

We can also define the language associated with a finite automaton.

Definition 1.7.4. Given a finite automaton A = (Q, Σ, →, Q0, QF), the language associated with A, denoted L(A), is given by
$$L(A) = \bigcup_{q \in Q_0} L(q).$$

We are now ready to define the language equivalence.

Definition 1.7.5. Given a finite transition system T = (Q, Σ, →) and a set of final states QF ⊆ Q, the language equivalence, denoted ∼L, is defined as follows. Given q, q′ ∈ Q we have that
$$q \sim_L q' \iff L(q) = L(q').$$

⁹ i.e. ρ = q0 −a1→ q1 −a2→ q2 ··· −an→ qn with q0 = q and qn ∈ QF.
We now want to compare the language equivalence with bisimulation.

Lemma 1.7.6. Given a finite transition system T = (Q, Σ, →), a set of final states QF ⊆ Q and a bisimulation β̃ which respects the partition P = {QF, Q \ QF}. Given q, q′ ∈ Q, we have that
$$(q, q') \in \tilde\beta \;\Rightarrow\; L(q) = L(q').$$

Proof. Given q, q′ ∈ Q such that (q, q′) ∈ β̃, we have to prove that L(q) = L(q′). We first prove that L(q) ⊆ L(q′). Let us take ω ∈ L(q) with ω = a1 ··· an. Hence there exists a finite path
$$\rho = q \xrightarrow{a_1} q_1 \xrightarrow{a_2} q_2 \cdots \xrightarrow{a_n} q_n$$
with qn ∈ QF. Since (q, q′) ∈ β̃, we can find a finite path
$$\rho' = q' \xrightarrow{a_1} q_1' \xrightarrow{a_2} q_2' \cdots \xrightarrow{a_n} q_n'$$
with (qi, qi′) ∈ β̃ for i = 1, ..., n. In particular we have (qn, qn′) ∈ β̃; since β̃ respects {QF, Q \ QF}, this implies that qn′ ∈ QF. Hence ω ∈ L(q′), proving that L(q) ⊆ L(q′). We prove that L(q) ⊇ L(q′) in the same way.

Remark 1.7.7. By looking more closely at the proof of Lemma 1.7.6, we see that we have in fact proved a more precise result: given Sim ⊆ Q² a simulation on T respecting {QF, Q \ QF} and q, q′ ∈ Q, we have that (q, q′) ∈ Sim ⇒ L(q) ⊆ L(q′).

The converse of Lemma 1.7.6 is false in general. Indeed, let us consider Figure 1.20 and assume that QF = {q2, q3, q7, q8}. We clearly have L(q0) = L(q4) = {ab, ac}. However one can easily prove that there is no bisimulation β̃ respecting QF such that (q0, q4) ∈ β̃.

In order to obtain a partial converse of Lemma 1.7.6 we need to introduce the notion of Σ-determinism, which is the classical notion of determinism in automata theory.
Definition 1.7.8. Given a finite transition system T = (Q, Σ, →), we say that T is Σ-deterministic if and only if the transition relation → ⊆ Q × Σ × Q is the graph of a function from Q × Σ to Q. If T is not Σ-deterministic it is said to be Σ-non-deterministic. Let us notice that the transition system of Figure 1.20 is Σ-non-deterministic.

We can now state the partial converse of Lemma 1.7.6.

Lemma 1.7.9. Given T = (Q, Σ, →) a Σ-deterministic transition system, the language equivalence ∼L is a bisimulation on T.

Proof. Given q1, q1′ and q2 ∈ Q with q1 −a→ q1′ and L(q1) = L(q2), we have to find q2′ ∈ Q such that q2 −a→ q2′ and L(q1′) = L(q2′). Since q1 −a→ q1′ and L(q1) = L(q2), we can clearly find a state q2′ ∈ Q such that q2 −a→ q2′. Then, using the Σ-determinism assumption, we have that L(q1′) = a⁻¹L(q1) = a⁻¹L(q2) = L(q2′). This proves that ∼L is a bisimulation.

Remark 1.7.10. We could also have considered infinite runs and Büchi acceptance conditions. We would have obtained the same kind of results.
1.7.2 Trace equivalence
The trace equivalence is, in some sense, the dual of the language equivalence, as states are the duals of transitions. Moreover we consider that all the states are final, i.e. with the notations of the previous subsection, Q = QF. That is why we obtain results very similar to the ones obtained in the case of language equivalence. We omit the proofs since they are easy adaptations of the ones given in the previous subsection.

Definition 1.7.11. Given a finite transition system (Q, Σ, →), a finite partition P of Q and a state q ∈ Q, the trace associated with q, denoted T(q), is given by
T(q) = {ωP(ρ) | ρ starting in q}.

We are now ready to define the trace equivalence.
Definition 1.7.12. Given a finite transition system T = (Q, Σ, →) and a finite partition P of Q, the trace equivalence, denoted ∼T, is defined as follows. Given q, q′ ∈ Q we have that
$$q \sim_T q' \iff T(q) = T(q').$$

Lemma 1.7.13. Given a finite transition system T = (Q, Σ, →), a finite partition P and a bisimulation β̃ which respects the partition P. Given q, q′ ∈ Q, we have that
$$(q, q') \in \tilde\beta \;\Rightarrow\; T(q) = T(q').$$

Again the converse of Lemma 1.7.13 is false in general. Indeed, let us consider Figure 1.20 with the partition P = {A, B, C, D}. We clearly have T(q0) = T(q4). However one can easily prove that there is no bisimulation β̃ respecting P such that (q0, q4) ∈ β̃.

In order to obtain a partial converse of Lemma 1.7.13 we need to introduce the notion of P-determinism.

Definition 1.7.14. Given a finite transition system T = (Q, Σ, →), we say that T is P-deterministic if, given any q ∈ Q such that q → q′, q → q′′ and q′, q′′ ∈ P for some P ∈ P, then q′ = q′′. If T is not P-deterministic it is said to be P-non-deterministic. Let us notice that the transition system of Figure 1.20 is P-non-deterministic.

We can now state the partial converse of Lemma 1.7.13.

Lemma 1.7.15. Given T = (Q, Σ, →) a P-deterministic transition system, the trace equivalence ∼T is a bisimulation on T.
1.7.3 k-bisimulation equivalence
In this subsection we consider the notion of k-bisimulation. This subsection is inspired by a talk of M. Otto [Ott06] given during the workshop Finite and Algorithmic Model Theory held in Durham (9–13 January 2006).

Definition 1.7.16. Let T = (Q, Σ, →) be a transition system and P be a partition of Q. A family {≡i | i ∈ ℕ} of equivalence relations on Q is called a steps bisimulations family w.r.t. P if the following holds:
• ≡0 refines P,
• for all q1, q2 ∈ Q we have that
$$q_1 \equiv_{i+1} q_2 \;\Rightarrow\; (q_1 \equiv_i q_2) \wedge \forall q_1' \in Q\ \forall a \in \Sigma\ \big((q_1 \xrightarrow{a} q_1') \Rightarrow \exists q_2'\,(q_2 \xrightarrow{a} q_2') \wedge (q_1' \equiv_i q_2')\big).$$
An equivalence ≡k in such a family is called a k-steps bisimulation or k-bisimulation w.r.t. P.

Definition 1.7.17. Let T = (Q, Σ, →) be a transition system and P be a partition of Q. The family {∼i | i ∈ ℕ} of equivalence relations on Q is called the coarsest steps bisimulations family w.r.t. P if the following holds:
• ∼0 is the equivalence relation induced by P,
• for all q1, q2 ∈ Q we have that
$$q_1 \sim_{i+1} q_2 \;\iff\; (q_1 \sim_i q_2) \wedge \forall q_1' \in Q\ \forall a \in \Sigma\ \big((q_1 \xrightarrow{a} q_1') \Rightarrow \exists q_2'\,(q_2 \xrightarrow{a} q_2') \wedge (q_1' \sim_i q_2')\big).$$
The equivalence ∼k in this family is called the coarsest k-steps bisimulation or k-bisimulation w.r.t. P.

Let us illustrate these new notions on an example.

Example 1.7.18. Let us consider the transition system T = (Q, Σ, →) together with the partition P = {A, B, C, D, E, F} as described on Figure 1.21. The coarsest steps bisimulations family w.r.t. P is illustrated on Figures 1.22, 1.23 and 1.24 (the equivalence classes for ∼i are given by the rectangular boxes). Let us notice that in this family ∼2 = ∼n for n ≥ 2, and ∼2 is a bisimulation. Another steps bisimulations family w.r.t. P is illustrated on Figures 1.25, 1.26 and 1.27. Let us denote this family by {≡i | i ∈ ℕ}. We have that ≡i refines ∼i for each i ∈ ℕ. Again we observe that ≡2 = ≡n for n ≥ 2 and ≡2 is a bisimulation. This phenomenon is stated and proved in Lemma 1.7.19.
[Figure 1.21: transition system of Example 1.7.18 with the partition P = {A, B, C, D, E, F}]

[Figures 1.22, 1.23 and 1.24: the equivalence classes of ∼0, ∼1 and ∼2]
The k-bisimulations are related to classical bisimulation by the following interesting (folk) result.

Lemma 1.7.19. Given T = (Q, Σ, →) a transition system, P a partition of Q and {≡i | i ∈ ℕ} a steps bisimulations family w.r.t. P, if there exists i ∈ ℕ such that ≡i = ≡i+1 then ≡i is a bisimulation.

Proof. Given q1, q2 and q1′ ∈ Q such that q1 −a→ q1′ and q1 ≡i q2, we have to prove that there exists q2′ ∈ Q such that q2 −a→ q2′ and q1′ ≡i q2′. By hypothesis, since q1 ≡i q2 we also have q1 ≡i+1 q2. By definition of ≡i+1 one can find q2′ ∈ Q such that q2 −a→ q2′ and q1′ ≡i q2′.
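The following Python code, an added example that is not part of the thesis, computes on the constructed reconstruction of Figure 1.20 (the exact transitions are an assumption, as in the earlier example) the languages L(q) of Definition 1.7.3 with QF = {q2, q3, q7, q8}, the traces T(q) of Definition 1.7.11 and the coarsest steps bisimulations family ∼0, ∼1, … of Definition 1.7.17 until it reaches a fixpoint. It shows that L(q0) = L(q4) and T(q0) = T(q4) while ∼2 already separates q0 from q4, and that the family stabilizes at ∼2, which is then a bisimulation as Lemma 1.7.19 predicts.

```python
"""Language, trace and k-step bisimulation approximants on a finite transition system.

Added example; the transition system is a constructed reconstruction of Figure 1.20
from its description in the text (state and event names are assumptions).
"""

EDGES = {
    ("q0", "a", "q1"), ("q1", "b", "q2"), ("q1", "c", "q3"),
    ("q4", "a", "q5"), ("q4", "a", "q6"), ("q5", "b", "q7"), ("q6", "c", "q8"),
}
# Piece of the partition P = {A, B, C, D} containing each state.
LABEL = {"q0": "A", "q4": "A", "q1": "B", "q5": "B", "q6": "B",
         "q2": "C", "q7": "C", "q3": "D", "q8": "D"}
Q = set(LABEL)
QF = {"q2", "q3", "q7", "q8"}  # final states used for the language equivalence


def successors(q):
    return [(e, t) for (s, e, t) in EDGES if s == q]


def language(q):
    """L(q) of Definition 1.7.3: event words of the finite runs from q ending in QF.
    The system is acyclic, so the recursion terminates and L(q) is finite."""
    words = {""} if q in QF else set()
    for e, t in successors(q):
        words |= {e + w for w in language(t)}
    return words


def trace(q):
    """T(q) of Definition 1.7.11: piece words A0 A1 ... An of the finite runs from q."""
    words = {LABEL[q]}
    for _, t in successors(q):
        words |= {LABEL[q] + w for w in trace(t)}
    return words


def transfers(q1, q2, rel):
    """Every move of q1 is matched by a move of q2 with rel-related targets."""
    return all(any(e2 == e1 and (t1, t2) in rel for (e2, t2) in successors(q2))
               for (e1, t1) in successors(q1))


def step(rel):
    """~_{i+1} from ~_i (Definition 1.7.17). The transfer condition is imposed in
    both directions so that the result stays an equivalence relation."""
    return {(q1, q2) for (q1, q2) in rel if transfers(q1, q2, rel) and transfers(q2, q1, rel)}


def coarsest_steps_family():
    """~_0, ~_1, ... up to the first index i with ~_i = ~_{i+1}."""
    rel = {(p, q) for p in Q for q in Q if LABEL[p] == LABEL[q]}  # ~_0 induced by P
    family = [rel]
    while (nxt := step(family[-1])) != family[-1]:
        family.append(nxt)
    return family


def is_bisimulation(rel):
    """An equivalence refining P is a bisimulation iff it satisfies its own transfer
    condition, i.e. iff step(rel) == rel (Lemma 1.7.19 for the coarsest family)."""
    return step(rel) == rel


def classes(rel):
    return {frozenset(q for q in Q if (p, q) in rel) for p in Q}


if __name__ == "__main__":
    print("L(q0) =", language("q0"), " L(q4) =", language("q4"))
    print("T(q0) == T(q4):", trace("q0") == trace("q4"))
    for i, rel in enumerate(coarsest_steps_family()):
        print(f"~_{i}: {len(classes(rel))} classes, q0 ~ q4: {('q0', 'q4') in rel}")
```

On this system ∼1 still identifies q0 and q4 (both have an a-successor in B), and only ∼2 sees that the B-successor of q0 has both a b- and a c-move while each B-successor of q4 has only one of them.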
1.8 Motivations for the study of bisimulations
[Figures 1.25, 1.26 and 1.27: the equivalence classes of ≡0, ≡1 and ≡2]

In the previous sections we have defined the notion of bisimulation between two transition systems, we have studied several properties of this notion and compared the notion of bisimulation equivalence with different other equivalences. In this section we want to motivate why the notion of bisimulation is relevant in the context of verification when studying model-checking or control problems.
1.8.1 Reachability problems
As already mentioned, a motivation for the study of bisimulation is the reachability problem. In order to make this problem more precise let us introduce some vocabulary.

Definition 1.8.1. Given a transition system T = (Q, Σ, →) and two subsets of states Init, Fin ⊆ Q, we say that Fin is reachable from Init within k steps if there exists a finite path
$$\rho = q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} q_2 \cdots \xrightarrow{a_n} q_n,$$
with q0 ∈ Init, qn ∈ Fin and n ≤ k. We say that Fin is reachable from Init if Fin is reachable from Init within k steps for some k ∈ ℕ.

We can now state the reachability problem.

Problem 1.8.2. Reachability Problem. Given T = (Q, Σ, →) a transition system and Init ⊆ Q, Fin ⊆ Q two subsets of states, decide if Fin is reachable from Init.

Let us mention the following important and well-known fact: "In the case of finite systems, the reachability problem is decidable." In the framework of finite automata this fact is known as the decidability of the emptiness problem (see [HU79, Theorem 3.7] for example).
We are now interested in solving the reachability problem on infinite transition systems. Given an instance of the reachability problem on an infinite transition system T = (Q, Σ, →) (i.e. Init ⊆ Q and Fin ⊆ Q), a natural question is: "Can we reduce the reachability problem on T to a reachability problem on some finite system?" In more precise terms, given an instance of the reachability problem on an infinite transition system T = (Q, Σ, →), we want to "build" a finite system Tf = (Qf, Σ, →f) and two subsets Initf and Finf of Qf such that
Fin is reachable from Init in T ⇔ Finf is reachable from Initf in Tf.
Under the assumption that the construction of the system Tf is "effective", one could then solve the reachability problem on T. It appears that bisimulation "preserves the reachability problem". We formalize this in the sequel of this subsection. First let us explain why the notion of bisimulation w.r.t. a partition (Definition 1.1.11) is necessary in order to study the reachability problem. If T = (Q, Σ, →) is a transition system which is reflexive for every event of the finite alphabet, then there is a bisimulation ∼0 between T and T0, a one-state system (see Remark 1.1.13). Regarding the reachability problem, the bisimulation ∼0 is completely irrelevant: one can have a bisimulation between a completely disconnected reflexive transition system and the single-state system T0. This is an a posteriori motivation for the definition of bisimulation w.r.t. a partition (see Definition 1.1.11). Indeed we can now make precise the folk result stating that "bisimulation preserves the Reachability Problem".

Lemma 1.8.3. Let T, Init, Fin be as in the Reachability Problem 1.8.2, P be a partition of Q respecting Init and Fin and β̃ be a bisimulation equivalence on T w.r.t. P. Given q, q′ ∈ Q such that (q, q′) ∈ β̃ we have that
Fin is reachable from {q} ⇔ Fin is reachable from {q′}.
1.8 — Motivations for the study of bisimulations
We do not prove Lemma 1.8.3 since it is a direct consequence of Lemma 1.8.12, which we will prove later in this section. Lemma 1.8.3 implies the following corollary.

Corollary 1.8.4. Let T, Init, Fin be as in the Reachability Problem 1.8.2, P be a partition of Q respecting Init and Fin and $\tilde\beta$ be a bisimulation equivalence on T w.r.t. P. We have that

Fin is reachable from Init in T ⇔ [Fin]$_{\tilde\beta}$ is reachable from [Init]$_{\tilde\beta}$ in T/$\tilde\beta$.

Remark 1.8.5. Let us notice that given a transition system T and any equivalence relation ∼, the definition of the quotient of T by ∼ directly implies that

Fin is reachable from Init in T ⇒ [Fin]∼ is reachable from [Init]∼ in T/∼.

Only the converse implication requires ∼ to be a bisimulation w.r.t. a partition respecting Init and Fin.

Remark 1.8.6. Corollary 1.8.4 also holds for language equivalence, trace equivalence and back-bisimulation.

Remark 1.8.7. Corollary 1.8.4 can be used to prove that the reachability problem is decidable for subclasses of transition systems admitting a finite bisimulation quotient (with effectiveness properties10). Moreover, in the case of finite systems, Corollary 1.8.4 can be used for complexity purposes: if we want to solve the reachability problem on "big" systems, we can first reduce their size via bisimulation.

The negation of the reachability problem is known as the safety problem. Roughly speaking, the reachability problem asks whether some "final states" (Fin) are reachable from some "initial states" (Init), whereas the safety problem asks whether some "bad states" (Bad) can be "avoided" from some "initial states" (Init). Thus the safety problem can be defined as follows.

Problem 1.8.8. Safety Problem. Given a transition system T = (Q, Σ, →) and two subsets of states Init, Bad ⊆ Q, decide whether every run starting from Init remains in Q \ Bad.

10 This kind of consideration will be discussed in detail in the case of o-minimal dynamical systems (see Section 12).
Given a transition system T and Init, Bad ⊆ Q, we say that the transition system is safe if Bad is not reachable from Init. Thus clearly Corollary 1.8.4 can also be used to prove that the safety problem is decidable for subclasses of transition systems admitting a finite bisimulation quotient (with effectiveness properties).

Remark 1.8.9. Bisimulations preserve more than reachability and safety properties. They preserve the so-called "branching logics" (such as CTL, the µ-calculus, ...), see [AHLP00, CGP99, HMR05, SBB+ 99, BBF+ 01]. This technique will be used in Chapter 5. In the next example we (informally) express a property that can be distinguished by bisimulation equivalence but neither by language equivalence nor by trace equivalence.

Example 1.8.10. We consider again the transition system T = (Q, Σ, →) together with the partition P of Figure 1.20. Consider also the following informal property to be satisfied by a state q ∈ Q: "For every execution starting from q, whenever we meet some state q′ labelled with B, there exists an execution starting from q′ that will eventually reach a state labelled with C." This property is shortly expressed in CTL11 by the formula
$$\varphi \equiv \forall\Box\,(B \Rightarrow \exists\Diamond C).$$
Let us notice that q0 satisfies the property ϕ whereas q4 does not. This shows that bisimulation allows us to distinguish ϕ-like properties, since there is no bisimulation $\tilde\beta$ w.r.t. P such that (q0, q4) ∈ $\tilde\beta$. However we have that q0 ∼L q4 (resp. q0 ∼T q4), showing that language equivalence (resp. trace equivalence) is not fine enough to distinguish ϕ-like properties. One can be interested in other variants of the reachability problem, namely the k-Steps Reachability Problem. Let us define this problem.

11 We do not give here the syntax and semantics of CTL, but the reader can find them in Section 5.1 since WCTL is an extension of CTL.
Problem 1.8.11. k-Steps Reachability Problem. Given a transition system T = (Q, Σ, →), two subsets of states Init, Fin ⊆ Q and k ∈ N, is Fin reachable from Init within k steps?

The natural tool to study the k-Steps Reachability Problem is the notion of k-bisimulation, as formalized below.

Lemma 1.8.12. Let T = (Q, Σ, →), Init, Fin be as in the Reachability Problem 1.8.2, P be a partition of Q respecting Init and Fin and {≡i | i ∈ N} be a steps-bisimulations family on T w.r.t. P. Given q, q′ ∈ Q such that q ≡k q′, we have that Fin is reachable from {q} within k steps if and only if Fin is reachable from {q′} within k steps.

Proof. Assume that Fin is reachable from {q} within k steps, i.e. there exists a finite run
$$\rho = q \xrightarrow{a_1} q_1 \xrightarrow{a_2} q_2 \cdots \xrightarrow{a_n} q_n,$$
such that qn ∈ Fin and n ≤ k. Since q ≡k q′ we can build (step by step) a finite run
$$\rho' = q' \xrightarrow{a_1} q'_1 \xrightarrow{a_2} q'_2 \cdots \xrightarrow{a_n} q'_n,$$
such that qi ≡k−i q′i for i = 1, ..., n. Since n ≤ k we have in particular that qn ≡k−n q′n, with k − n ≥ 0. Thus q′n ∈ Fin since qn ∈ Fin, P respects Fin and ≡k−n respects P. The other implication is proved in exactly the same way. □

Thus by using Lemmas 1.7.19 and 1.8.12 one can prove Lemma 1.8.3.
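The refinement behind Lemma 1.8.12 and Corollary 1.8.4 can be run on a small system. The following Python script is an added example and is not part of the thesis; the six-state transition system it uses is constructed for the illustration and is not Figure 1.20, and all function names are choices made here. Starting from a partition P that respects Init and Fin, `refine` splits a block by the blocks its successors fall into; the i-th iterate is the steps-bisimulation ≡i of the lemma, and the fixpoint is the coarsest bisimulation equivalence w.r.t. P. `check_corollary` then compares reachability in T with reachability in the quotient T/∼.

```python
# Constructed six-state transition system T = (Q, Sigma, ->); it is not Figure 1.20.
# EDGES maps (state, action) to the set of successor states.
STATES = ["q0", "q1", "q2", "q3", "q4", "q5"]
EDGES = {
    ("q0", "a"): {"q1", "q2"},
    ("q1", "b"): {"q3"},
    ("q2", "b"): {"q4"},
    ("q3", "a"): {"q5"},
    ("q4", "a"): {"q5"},
    ("q5", "a"): {"q5"},
}
ACTIONS = sorted({a for _, a in EDGES})


def successors(q, a=None):
    """Successors of q by action a (by any action when a is None)."""
    return {q2 for (p, b), s in EDGES.items() if p == q and (a is None or b == a) for q2 in s}


def refine(blocks):
    """One refinement step: two states of a block stay together iff they have the same
    signature {(a, block of some a-successor)}. Iterated from P this yields the
    steps-bisimulations =_0, =_1, ... of Lemma 1.8.12 (each =_(i+1) refines =_i)."""
    index = {q: i for i, blk in enumerate(blocks) for q in blk}
    refined = []
    for blk in blocks:
        groups = {}
        for q in sorted(blk):
            sig = frozenset((a, index[q2]) for a in ACTIONS for q2 in successors(q, a))
            groups.setdefault(sig, set()).add(q)
        refined.extend(groups.values())
    return refined


def step_bisimulations(partition, k):
    """[=_0, ..., =_k], each given as a list of blocks, starting from the partition P."""
    family = [[set(b) for b in partition]]
    for _ in range(k):
        family.append(refine(family[-1]))
    return family


def coarsest_bisimulation(partition):
    """Fixpoint of refine: the coarsest bisimulation equivalence w.r.t. P."""
    blocks = [set(b) for b in partition]
    while True:
        refined = refine(blocks)
        if len(refined) == len(blocks):  # refine only splits, so same size means stable
            return blocks
        blocks = refined


def same_block(blocks, q, q2):
    return any(q in b and q2 in b for b in blocks)


def reachable_within(succ, init, fin, k=None):
    """Fin reachable from Init within k steps (any number of steps when k is None)."""
    frontier, seen, steps = set(init), set(init), 0
    while frontier:
        if frontier & set(fin):
            return True
        if k is not None and steps >= k:
            return False
        frontier = {q2 for q in frontier for q2 in succ(q)} - seen
        seen |= frontier
        steps += 1
    return False


def quotient(blocks):
    """T/~ with block indices as states: [q] -> [q'] iff q -> q' for some representatives."""
    index = {q: i for i, blk in enumerate(blocks) for q in blk}

    def succ(i):
        return {index[q2] for q in blocks[i] for q2 in successors(q)}

    return index, succ


def check_corollary(init, fin):
    """Corollary 1.8.4 on this system: (reachable in T, reachable in T/~, number of blocks).
    Init and Fin are assumed disjoint so that P = {Init, Fin, rest} respects both."""
    rest = set(STATES) - set(init) - set(fin)
    partition = [b for b in (set(init), set(fin), rest) if b]
    blocks = coarsest_bisimulation(partition)
    index, succ = quotient(blocks)
    in_t = reachable_within(successors, init, fin)
    in_q = reachable_within(succ, {index[q] for q in init}, {index[q] for q in fin})
    return in_t, in_q, len(blocks)


if __name__ == "__main__":
    print(check_corollary({"q0"}, {"q5"}))  # reachability agrees, 4 blocks instead of 6
    print(check_corollary({"q0"}, {"q3"}))  # q1 and q2 are now separated: 5 blocks
```

With Fin = {q5}, q1 and q2 (and q3 and q4) fall into one block and, as Lemma 1.8.12 requires, Fin is reachable from q1 within 2 steps exactly when it is from q2; with Fin = {q3} the same two states are split, because only q1 reaches the new Fin.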
1.8.2 Control problems
Another motivation for the study of bisimulation is the problem of control. We present here the definitions of the problem of control on a finite transition system (also called a finite game12) and the notion of strategy (see [GTW02] for an overview on games). These definitions slightly differ from the ones given in [GTW02]; indeed our problem of control is an asymmetric game. Moreover we only focus on reachability winning conditions; many other interesting winning conditions exist (see [GTW02, Tho95]).

Definition 1.8.13. A finite game is a finite transition system together with a subset of Q called Goal; we denote it by G = (Q, Σ, →, Goal), where Σ is partitioned into the controllable actions, denoted by Σc, and the uncontrollable actions, denoted by Σu. Without loss of generality we can assume that the set of uncontrollable actions contains a single action denoted u, i.e. Σu = {u}.

Let us give an example of a finite game.

Example 1.8.14. Let us consider the finite game G = (Q, Σ, →, Goal) of Figure 1.28, where Σ = {a, b, u}, Σc = {a, b}, Σu = {u} and Goal = {q4, q6, q11}. On Figure 1.28 the transitions labelled with the uncontrollable action are dashed.

[Figure 1.28: A finite game. The drawing is not reproduced here; it shows the states q1, ..., q12 with transitions labelled a, b (controllable) and u (uncontrollable, dashed).]

Definition 1.8.15. Given a finite game G = (Q, Σ, →, Goal), an infinite run $\rho = q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} \cdots$ is said winning if qi ∈ Goal for some i ∈ N. We denote by Runs(G, q) the set of runs which start in q, and $Runs(G) = \bigcup_{q \in Q} Runs(G, q)$. Similarly we define the set of finite runs Runsf(G).

12 We only focus on reachability games.
We will consider control games. Informally there are two players in such a game: the controller and the environment. The actions of Σc belong to the controller and the action u belongs to the environment. At each step, the controller proposes a controllable action, which corresponds to the action it wants to perform (we assume such an action always exists); then either this action or an uncontrollable action is done and the game goes into one of the next states13. Let us notice that the environment is "more powerful" than the controller; that is why we say that our games are asymmetric.

Definition 1.8.16. Given a finite game G = (Q, Σ, →, Goal), a strategy is a partial function λ from Runsf(G) to Σc.

Definition 1.8.17. Given a finite game G = (Q, Σ, →, Goal), a memoryless strategy is a partial function λ from Q to Σc.

Definition 1.8.18. Let $\rho = q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} \cdots$ be a run, and set for every i, ρi the prefix of length i of ρ. The run ρ is said consistent with a strategy λ when for all i, ai+1 = λ(ρi) or ai+1 = u.

Definition 1.8.19. A strategy λ is winning from a state q if all runs starting in q consistent with λ are winning. If such a strategy exists we say that q is a winning state.

Let us illustrate the notion of (winning) strategy on Example 1.8.14.

Example 1.8.20. Let us consider the finite game G = (Q, Σ, →, Goal) of Figure 1.28. Let us define a memoryless strategy λ winning from q8: λ(q8) = a ; λ(q9) = a. Let us notice that there is no winning strategy from q1.

Definition 1.8.21. A game is said c-deterministic if, given q, q1, q2 ∈ Q, $q \xrightarrow{a} q_1$ and $q \xrightarrow{a} q_2$ with a a controllable action imply q1 = q2. The game of Example 1.8.14 is c-deterministic.

13 There may be several next states as the game is not supposed to be deterministic. We indeed assume that the environment chooses the next state in case there are several.
Symbolic analysis. A natural question in the context of control problems is to compute the set of winning states, i.e. the set of states q such that there exists a winning strategy from q. In order to do so we introduce a controllable predecessor operator14, that we denote π [GTW02, Tho95] (see also [MPS95]).

Definition 1.8.22. Let G = (Q, Σ, →, Goal) be a finite game and X ⊆ Q. The controllable predecessor of X is given by
$$\pi(X) = X \cup \bigcup_{c \in \Sigma_c} \Big( \big(\mathrm{Pre}^\exists_c(X) \cap \mathrm{Pre}^\forall_c(X)\big) \setminus \mathrm{Pre}^\exists_u(\overline{X}) \Big).$$
In words, a state q is added to X when some controllable action c is enabled in q, all c-successors of q lie in X, and no u-successor of q leaves X.

The interest of the controllable predecessor is the following theorem.

Theorem 1.8.23. Let G = (Q, Σ, →, Goal) be a finite game and q be a state of Q. The set $\pi^*(Goal) = \bigcup_{k \ge 0} \pi^k(Goal)$ is the set of winning states of G.

Proof. We first prove that if q ∈ π*(Goal) then there exists a memoryless winning strategy from q. We define this strategy λ on πk(Goal) by induction on k. The case k = 0 is immediate by definition of Goal. Suppose now that λ is already defined on πk(Goal) and is winning on these states. We now define λ on π(πk(Goal)). Given q ∈ π(πk(Goal)), either (i) q ∈ πk(Goal) or (ii) q ∈ π(πk(Goal)) \ πk(Goal). In case (i) λ is already defined on q and is known to be winning by the induction hypothesis. We assume now that we are in case (ii), hence
$$q \in \bigcup_{c \in \Sigma_c} \Big( \big(\mathrm{Pre}^\exists_c(\pi^k(Goal)) \cap \mathrm{Pre}^\forall_c(\pi^k(Goal))\big) \setminus \mathrm{Pre}^\exists_u\big(\overline{\pi^k(Goal)}\big) \Big).$$
This means that there exists c0 ∈ Σc such that q has a c0-successor, for all q′ ∈ Q such that $q \xrightarrow{c_0} q'$ we have q′ ∈ πk(Goal), and for all q′′ ∈ Q such that $q \xrightarrow{u} q''$ we have q′′ ∈ πk(Goal). Thus clearly by taking λ(q) equal to c0 we make λ a winning strategy on q, hence q is a winning state.

We now show that if there exists a strategy λ winning from q then q ∈ π*(Goal). Let us first notice that since we are working with finite

14 Given X ⊆ Q we denote its complement (Q \ X) by $\overline{X}$.
games, there must exist n ∈ N such that πn(Goal) = πn+1(Goal) = π*(Goal). In particular π*(Goal) is a fixpoint for the operator π, i.e. π(π*(Goal)) = π*(Goal). For a contradiction let us assume that there exist q ∈ Q and a strategy λ winning from q with q ∉ π*(Goal). We will construct a non-winning execution compatible with λ. Since q ∉ π*(Goal) there exists q1 ∈ Q such that $q \xrightarrow{\lambda(q)} q_1$ or $q \xrightarrow{u} q_1$ with q1 ∉ π*(Goal). If such a q1 did not exist we would have that q ∈ π(π*(Goal)) = π*(Goal). We iterate this construction to build an infinite run
$$\rho = q = q_0 \xrightarrow{a_1} q_1 \xrightarrow{a_2} q_2 \cdots$$
such that ai = λ(qi−1) or ai = u for i ∈ N0, and qj ∉ π*(Goal) for j ∈ N. In particular the run ρ, starting from q, is compatible with λ and is clearly not winning (since Goal ⊆ π*(Goal)). This contradicts the fact that λ is a winning strategy from q. □

Remark 1.8.24. If we assume that there is a loop15 labelled with each controllable action on each state, then the controllable predecessor has a simpler form, indeed
$$\pi(X) = X \cup \bigcup_{c \in \Sigma_c} \big( \mathrm{Pre}^\forall_c(X) \setminus \mathrm{Pre}^\exists_u(\overline{X}) \big).$$

Remark 1.8.25. Another way to obtain a simpler form of the controllable predecessor is to assume that the game is c-deterministic. In this case the controllable predecessor becomes
$$\pi(X) = X \cup \bigcup_{c \in \Sigma_c} \big( \mathrm{Pre}^\exists_c(X) \setminus \mathrm{Pre}^\exists_u(\overline{X}) \big).$$
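As an added example (not from the thesis), here is the fixpoint of Theorem 1.8.23 together with the memoryless strategy built in its proof, in Python, on a five-state game constructed for the purpose (it is not Figure 1.28; the state names, the edge table and the function names are all assumptions of this example). `controllable_pre` implements Definition 1.8.22 literally, including the `Pre∃u` term taken on the complement of X, and `strategy_forces_goal` checks Definition 1.8.19 by exhausting the runs consistent with a strategy. In the constructed game s1 has a controllable edge straight into Goal but loses, because the environment may play u into a trap: this is the asymmetry described above, and it is why s1 is never added by π.

```python
# Constructed finite game G = (Q, Sigma, ->, Goal); it is not Figure 1.28 of the thesis.
# Sigma_c = {"a", "b"} are the controller's actions, "u" is the environment's action.
GOAL = {"s3"}
CONTROLLABLE = ["a", "b"]
EDGES = {
    ("s0", "a"): {"s1"}, ("s0", "b"): {"s2"}, ("s0", "u"): {"s2"},
    ("s1", "a"): {"s3"}, ("s1", "u"): {"s4"},     # a reaches Goal, but u may trap
    ("s2", "a"): {"s3"},
    ("s3", "a"): {"s3"},                           # Goal
    ("s4", "a"): {"s4"},                           # trap
}
STATES = sorted({p for p, _ in EDGES} | {q for s in EDGES.values() for q in s})


def succ(q, act):
    return EDGES.get((q, act), set())


def pre_exists(X, act):
    """Pre^exists_act(X): states with at least one act-successor in X."""
    return {q for q in STATES if succ(q, act) & X}


def pre_forall(X, act):
    """Pre^forall_act(X): states all of whose act-successors are in X."""
    return {q for q in STATES if succ(q, act) <= X}


def controllable_pre(X):
    """pi(X) of Definition 1.8.22, plus the action c0 witnessing each membership:
    q is added when some c is enabled at q, every c-successor is in X and no
    u-successor lies in the complement of X."""
    complement = set(STATES) - X
    bad = pre_exists(complement, "u")
    choice = {}
    for c in CONTROLLABLE:
        for q in (pre_exists(X, c) & pre_forall(X, c)) - bad:
            choice.setdefault(q, c)
    return X | set(choice), choice


def winning_states():
    """pi*(Goal) (Theorem 1.8.23) and the memoryless strategy of its proof."""
    X, strategy = set(GOAL), {}
    while True:
        Y, choice = controllable_pre(X)
        for q, c in choice.items():
            if q not in X:           # fix the action at the round where q enters
                strategy[q] = c
        if Y == X:                   # fixpoint reached; the game is finite
            return X, strategy
        X = Y


def strategy_forces_goal(q0, strategy):
    """Definition 1.8.19 checked exhaustively: every run from q0 consistent with
    `strategy` (controller plays strategy[q], or the environment plays u) must visit
    Goal. A cycle, a dead end or an undefined strategy outside Goal is a losing run."""
    stack = [(q0, frozenset())]
    while stack:
        q, on_path = stack.pop()
        if q in GOAL:
            continue
        if q in on_path or q not in strategy:
            return False
        nxt = succ(q, strategy[q]) | succ(q, "u")
        if not nxt:
            return False
        stack.extend((q2, on_path | {q}) for q2 in nxt)
    return True


if __name__ == "__main__":
    W, strat = winning_states()
    print(sorted(W), strat)          # s1 is missing although it has an a-edge into Goal
    print(strategy_forces_goal("s0", strat), strategy_forces_goal("s1", {"s1": "a", "s4": "a"}))
```

The iteration adds s2 in the first round and s0 in the second (at s0 the controller must propose b, since a leads to the losing s1, and the environment's u also lands in s2). Replacing the `Pre∃u` term by a check on X instead of its complement would silently admit s1 and synthesize a strategy that `strategy_forces_goal` rejects.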
In this framework the notion of bisimulation is a commonly used technique to study abstract games: bisimilar states can be identified in the control problem, as stated by the next theorem.

15 This is not a restriction when considering reachability games.
Theorem 1.8.26. Let G = (Q, Σ, →, Goal) be a finite game, q, q′ ∈ Q and $\tilde\beta$ a bisimulation equivalence compatible with Goal. If (q, q′) ∈ $\tilde\beta$ then there is a winning strategy from q iff there is a winning strategy from q′.

Proof. Using the duality between Pre∃ and Pre∀, namely $\mathrm{Pre}^\forall_c(X) = \overline{\mathrm{Pre}^\exists_c(\overline{X})}$, we can write the controllable predecessor as follows:
$$\pi(X) = X \cup \bigcup_{c \in \Sigma_c} \Big( \big(\mathrm{Pre}^\exists_c(X) \setminus \mathrm{Pre}^\exists_c(\overline{X})\big) \setminus \mathrm{Pre}^\exists_u(\overline{X}) \Big).$$
By hypothesis $\tilde\beta$ is compatible with Goal, i.e. Goal is a union of equivalence classes for $\tilde\beta$. Moreover, by Lemma 1.5.8, since $\tilde\beta$ is a bisimulation, the unions of $\tilde\beta$-classes are stable under the action of Pre∃ (and trivially under complement, union and difference). Hence we clearly have that π*(Goal) is a union of equivalence classes for $\tilde\beta$. By using Theorem 1.8.23 we obtain the desired result. □

This theorem remains true for infinite-state discrete games [HHM99, AHM01] and can be used to solve these games: if an infinite-state game has a bisimulation of finite index, the control problem can be reduced to a control problem over a finite graph.

Remark 1.8.27. In Remark 1.8.6 we noticed that the reachability problem is equally preserved by bisimulation, language and trace equivalence. This is not the case for the problem of control. Indeed let us consider the finite game of Figure 1.28. We have that q1 and q8 are both language equivalent (q1 ∼L q8) and trace equivalent (q1 ∼T q8). However q8 is winning whereas q1 is not. This shows in some sense that bisimulation equivalence is the adequate tool to study the problem of control. We could also imagine a notion of strategy "winning within k steps" for which the notion of k-bisimulation would be relevant.

Later in this thesis we will consider timed control problems. These timed control problems cannot be seen as classical infinite-state games because of the special nature of the time-elapsing action, which does not belong to either player. It seems nevertheless natural to try to adapt the bisimulation approach to solve real-time control problems. This problem will be treated in Chapter 6 in the case of weighted timed automata and in Chapter 13 in the case of o-minimal hybrid systems.
Part I
Verification of Weighted Timed Automata
Chapter 2
Introduction

Historical context. Nowadays timed automata [AD90, AD94] (see also [AM04] for a survey) are a well-established formalism for the modeling and analysis of timed systems. Roughly speaking, timed automata are finite state automata enriched with clocks and clock constraints. A large number of important and interesting theoretical results have been obtained on timed automata. Let us mention two of them. In [AD94], the reachability problem on timed automata has been proved PSpace-Complete. In [ACD93], in order to verify more complex properties, the authors introduce the "quantitative" temporal logic TCTL. For instance this logic allows one to express "response properties", i.e. demands of the form: "If every request reaches the server within two time units, then every request must be accepted or rejected within four time units". The model-checking of TCTL is proved PSpace-Complete in [ACD93]. In parallel with these theoretical results, efficient verification tools have been implemented and successfully applied to industrially relevant case studies [HHWT95, LPY97].

Weighted timed automata and related cost problems. Recently a very useful extension of timed automata has been proposed: weighted (or priced) timed automata [ALP01, BFH+ 01]. Weighted timed automata are natural models for embedded systems where, often, resource consumption has to be modeled. Weighted timed automata extend classical timed automata with a cost function C that maps every location and every edge to a nonnegative integer. For a location l, C(l) represents the cost per time unit for staying in location l. For an edge e, C(e) represents the cost of crossing the edge. As a consequence, an accumulated cost can be associated with each run of a weighted timed automaton and optimization problems can be defined. The cost-optimal reachability problem asks, given a weighted timed automaton A and a location l of A, what is the minimal accumulated cost of the runs reaching l in A. Two different algorithmic solutions have been proposed independently to solve the cost-optimal reachability problem. First, in [ALP01], the authors propose a non-trivial extension of the region automaton to solve the cost-optimal reachability problem. This construction is the basis for an ExpTime solution to the problem. The optimality of the proposed solution is not studied there. Second, in [BFH+ 01], the authors propose a symbolic algorithm that manipulates priced (weighted) extensions of zones. This second solution does not provide a complexity result: the termination of the algorithm is ensured by a well-quasi-order for which the length of descending chains is not studied. Let us also mention the work of [LR05], where Larsen and Rasmussen consider the problem of determining the minimal cost of reaching a given target location with respect to some primary cost variable, while respecting upper bound constraints on the remaining (secondary) cost variables. The proposed algorithm is an extension of the algorithm presented in [BFH+ 01]. Let us notice that a restricted version of weighted timed automata appeared first in [ACH93] (with no cost on the edges). In this context the reachability problem is the following.
Given such a (restricted) weighted timed automaton A, an initial location l0, a final location lf of A, and two numbers m, M ∈ N (with m ≤ M), decide whether there exists a run starting from l0 and ending in lf whose accumulated cost is between m and M. The authors of [ACH93] prove the PSpace-Completeness of the latter problem. The paper ends with the important open problem of model-checking weighted timed automata.

Weighted timed games. Timed automata and weighted timed automata are models for closed systems, where every transition is controlled. If we want to distinguish between actions of a controller and actions of an environment, we have to consider timed games on those formalisms. In one round of the timed game played on a (weighted) timed automaton, Player 1 (the controller) chooses an action a and a time τ ≥ 0; Player 2 (the environment) updates the state of the automaton either by playing the action a at time τ as proposed by Player 1, or by playing an uncontrollable action at time τ′ ≤ τ. We say that Player 1 has a winning strategy to reach a set T of target locations if it can force Player 2 to update the automaton in such a way that the control of the automaton eventually reaches a location of T. When the timed game is played on a weighted timed automaton, we can ask whether Player 1 can force Player 2 to update the control of the automaton so as to reach T with a cost bounded by a given value. We can also ask to compute the optimal cost for Player 1 winning such a game. While games on timed automata are already well studied, see for example [MPS95], [AHM01] and [AFH+ 03], and reachability in this framework is known to be decidable, only partial results about games on weighted timed automata are known. First results on reachability with an optimal cost appear in [AM99], where the cost is equal to the time spent to reach a target location in a timed automaton. Optimal reachability is also studied in [LMM02] with arbitrary costs and weighted automata that are acyclic. In [ABM04], the authors study the k-bounded optimal game reachability problem, i.e. given an initial location l of a weighted timed automaton A, a cost bound C and a set T of locations, determine whether Player 1 has a strategy to enforce the game started in location l into a location of T within k rounds, while ensuring that the cost is bounded by C.
Their algorithmic solution has an exponential-time worst-case complexity. In [BCFL04], the authors study winning strategies to reach a set of target locations with an optimal cost in a weighted timed automaton A.  To compute the optimal cost and to synthesize an optimal winning strategy, they provide a semi-algorithm for which they can guarantee termination under a condition called strict non-zenoness of cost. The general case, where this condition is not imposed, is left open in both papers [ABM04] and [BCFL04].

Our contribution. In this thesis we contribute to complete the previously described framework in three steps.

Optimal reachability. Firstly we further study the cost-optimal reachability problem. We show that the cost-optimal reachability problem can be solved for a more general class of weighted timed automata: positive as well as negative costs on edges and locations can be handled simultaneously. As a consequence, we study the computation of the infimum and the supremum of costs for reachability. This extension is of practical interest. In fact, assume that a weighted timed automaton A models the behaviors of an embedded controller and its environment. Assume that the objective of the controller is to force the system to reach a given location with an optimal cost whatever the environment does. To measure the quality of the controller, we have to establish what is the supremum of the costs of runs that the controller can force against any behavior of the environment. We show that this problem can be solved. Moreover we settle the exact complexity of the cost-optimal reachability problem in weighted timed automata with positive and negative costs. We show that this problem is PSpace-Complete1. The key ingredient of our proof is similar to the one used in [BBL04]. These results are based on [BBBR06] and can be found in Chapter 4.

Model-Checking. Secondly we answer the open problem of model-checking timed automata augmented with costs proposed in [ACD93]. The properties of weighted timed automata that we want to check are formalized by formulas of the weighted CTL logic, WCTL for short. This logic is close to the DTL logic of [BES93] and the ICTL logic of [AHH96]. Our first result is the undecidability of the model-checking problem for both discrete and dense time. Then we limit our study to a restriction of the WCTL logic, namely the WCTLr logic. In this context we prove that for discrete time, when working with the WCTLr logic, the model-checking problem for weighted timed automata is PSpace-Complete. However for dense time the panorama completely changes. In this case, we first prove that the WCTLr model-checking problem becomes undecidable in general. This is no longer true with 1 clock and 1 stopwatch2, since in this particular case the WCTLr model-checking problem is decidable. We also identify the precise frontier between finite and infinite bisimulations for automata with stopwatch observers. These results are based on [BBR04, BBR06, BBM06] and can be found in Chapter 5.

Control. Finally, we consider timed games played on a weighted timed automaton as they are introduced in [ABM04], and following the lines of [BCFL04] we study the two problems of the existence of a winning strategy with a bounded cost, and of the existence of a winning strategy with an optimal cost. We prove the unexpected negative result that for weighted timed automata, the existence of a winning strategy with a cost bounded by a given value is undecidable. On the positive side, we show that if we restrict the number of clocks to one and we limit the cost rate to 0 or d, where d is a fixed integer, then the two problems mentioned above are decidable. These results are based on [BBR05, BBM06] and can be found in Chapter 6.

Other relevant related works. Since they have been introduced in [AD90], timed automata and their extensions have been widely studied. In the previous paragraphs we only mentioned works concerning weighted (priced) timed automata [ALP01, BFH+ 01]. There exist several other interesting extensions of timed automata.

1 This result was announced in [AM04], but a complete proof never appeared.
Let us first mention the careful examination of updatable timed automata made in [BDFP00a, BDFP00b, BDFP04]. Another famous extension of timed automata is the class of hybrid systems [Hen96], also known as hybrid automata. Numerous subclasses of hybrid systems have been defined and intensively studied. Let us list some of them: linear hybrid automata [ACH+ 95], (initialized) rectangular automata [HKPV98], o-minimal hybrid systems [LPS00] (see also Section 12.6 of this document), ... Let us notice that (weighted) timed automata also form a subclass of hybrid systems. The reachability problem on hybrid automata has been extensively studied. Among the numerous results about this problem, let us mention the following ones. The important class of initialized rectangular automata has a decidable reachability problem; however several slight generalizations of these automata lead to an undecidable reachability problem, in particular for timed automata augmented with one stopwatch [HKPV98]. The reachability problem is also undecidable for the simple class of constant slope hybrid systems [KPSY99]. There are few results on the model-checking of hybrid automata. Indeed, as discussed above, the wide study of the particular case of the reachability problem has already identified a frontier between decidability and undecidability. Concerning the model-checking problem of hybrid systems, let us mention two references. In [AHH96], a model-checking procedure and its implementation in the HyTech tool are proposed for linear hybrid automata and the ICTL logic. This procedure is not guaranteed to terminate. In [BES93], the model-checking problem is proved to be decidable for some fragments of the DTL logic and a restrictive class of weighted timed automata.

2 A stopwatch is a cost variable whose values are in {0, 1}.
Chapter 3
Weighted Timed Automata

In this chapter, we first recall the classical notion of timed automaton [AD90, AD94], see also [Yov98, AM04]. Timed automata are now considered as a natural, powerful and interesting model of real-time systems. Roughly speaking, a timed automaton is a finite automaton enriched with clocks. Then we recall the more recent concept of weighted timed automaton [ALP01, BFH+ 01], also known as priced timed automaton. Weighted timed automata are timed automata enriched with cost variables (also called observers) and are natural models for embedded systems where, often, resource consumption has to be modelled.
3.1 Timed Automata
In this section we define and illustrate the notion of timed automaton. Let us first introduce some notations in order to define this notion formally.

Notations 3.1.1. We denote by X = {x1, ..., xn} a set of n clocks. A clock valuation is a map ν : X → T, where T is equal to the set R+ of nonnegative reals or the set N of natural numbers, depending on whether time is dense or discrete. Given a clock valuation ν, for i = 1, ..., n, we denote by νi the image of the clock xi by the function ν, i.e. ν(xi) = νi. In the sequel both notations ν(xi) and νi will be used. Given a clock valuation ν, when no confusion is possible we also denote by ν the element of Tn given by (ν1, ..., νn). Given a clock valuation ν and τ ∈ T, ν + τ is the clock valuation defined by (ν1 + τ, ..., νn + τ). A guard is any finite conjunction of expressions of the form xi ∼ c or xi − xj ∼ c where xi and xj are clocks, c ∈ N is an integer constant, and ∼ is one of the symbols {<, ≤, =, ≥, >}. We denote by G the set of guards. Let g be a guard and ν be a clock valuation; the notation ν |= g means that (ν1, ..., νn) satisfies g. A reset Y ∈ 2X indicates which clocks are reset to 0. We use the notation AP for the set of atomic propositions.

Definition 3.1.2. A timed automaton A = (L, X, Σ, E, I, L) has the following components: (i) L is a finite set of locations, (ii) X is a finite set of clocks, (iii) Σ is a finite set of actions, (iv) E ⊆ L × Σ × G × 2X × L is a finite set of edges, (v) I : L → G assigns an invariant to each location, and (vi) L : L → 2AP is the labeling function.

Let us define the notions of diagonal-free and bounded timed automata.

Definition 3.1.3. A timed automaton A is diagonal-free if the guards used in the edges and the invariants contain no expression of the form xi − xj ∼ c, with xi, xj being clocks, c ∈ N and ∼ ∈ {<, ≤, =, ≥, >}.

Definition 3.1.4. A timed automaton A is bounded if for each location l, the invariant I(l) is upper bounded on all clocks.

Let us give examples of timed automata. The first example is a formal illustration of Definition 3.1.2.

Example 3.1.5. We consider the simple timed automaton of Figure 3.1 together with the set of atomic propositions AP given by {p1, p2}. In this example the set of locations L is {l1, l2}, the set of clocks X is {x1, x2}, the set of actions Σ is {a, b}. The set of edges E is given by {e1, e2, e3, e4} where
e1 = (l1, b, x1 = 2, ∅, l1);
e2 = (l1, a, x1 − x2 ≥ 1, ∅, l2);
e3 = (l2, b, x2 ≥ 1, {x2}, l2);
e4 = (l2, a, x2 < 2, ∅, l1).
[Figure 3.1: A simple timed automaton. The drawing is not reproduced here; it shows l1 (label {p2}) and l2 (label {p1, p2}), both with invariant (x1 ≤ 2) ∧ (x2 ≤ 2), and the edges e1 to e4 listed above.]
The invariants are given by I(l1) = I(l2) = (x1 ≤ 2) ∧ (x2 ≤ 2). The labeling function is defined by L(l1) = {p2} and L(l2) = {p1, p2}. This timed automaton is bounded but not diagonal-free.

The following example is inspired from [BCFL04] and will be used several times in the sequel in order to illustrate different notions related to timed automata and their extensions.

Example 3.1.6. Let us consider the timed automaton A of Figure 3.2. In this example the set of locations L is {l0, l1, l2, l3, l4}, the set of clocks X is {x1, x2}, the set of actions Σ is {a, u}. The set of edges E is given by {e1, e2, e3, e4, e5} where
e1 = (l0, a, x1 ≤ 2, {x2}, l1);
e2 = (l1, a, x2 = 0, ∅, l2);
e3 = (l1, u, x2 = 0, ∅, l3);
e4 = (l2, a, x1 ≥ 2, ∅, l4);
e5 = (l3, a, x1 ≥ 2, ∅, l4).
The invariant of l1 is (x2 = 0), i.e. I(l1) = (x2 = 0). When no invariant is drawn under a location we assume it is of the form x1 ≥ 0; this is the case for all the other locations. In this example we have that L(li) = ∅ for i = 0, ..., 4. This timed automaton is diagonal-free but not bounded.

The semantics of a timed automaton A is given by a labelled transition system TA. In order to define this transition system, we need to define the states of A and the transitions between two states of A.

Definition 3.1.7. A state of A is a pair q = (l, ν) such that l ∈ L and ν |= I(l). Let Q denote the set of all states.
[Figure 3.2: A timed automaton inspired from [BCFL04]. The drawing is not reproduced here; it shows the locations l0, ..., l4 (with invariant x2 = 0 under l1) and the edges e1 to e5 listed above.]

Remark 3.1.8. When A is a bounded timed automaton, there exists a constant M such that each state (l, ν) of TA satisfies νi ≤ M for all i ∈ {1, ..., n}.

We distinguish two kinds of transitions: time-transitions and switch-transitions.

Definition 3.1.9. Given two states q = (l, ν) and q′ = (l′, ν′) of A, there is a time-transition in A between q and q′ if there exists τ ∈ T such that l = l′, ν′ = ν + τ and ν + τ′ |= I(l) for any τ′ with 0 ≤ τ′ ≤ τ. We denote this transition by $q \xrightarrow{\tau} q'$.

Definition 3.1.10. Given two states q = (l, ν) and q′ = (l′, ν′) of A, there is a switch-transition in A between q and q′ if there exists e = (l, a, g, Y, l′) ∈ E such that ν |= g and ν′ is given by
$$\nu'_i = \begin{cases} 0 & \text{if } x_i \in Y \\ \nu_i & \text{if } x_i \notin Y. \end{cases}$$
We denote this switch-transition by $q \xrightarrow{e} q'$. To emphasize the action a, we also use the notation $q \xrightarrow{a} q'$ in this case.

We now define the (labelled) transition system TA.

Definition 3.1.11. Given a timed automaton A, the (labelled) transition system associated with A is given by TA = (Q, Σ ∪ T, →), where the
65
3.1 — Timed Automata transition relation is given by → =
[
τ
− →∪
τ ∈T
[
e
− →.
e∈E
Let us now give an example of a timed automaton modelling a real-life system. We model a mouse producing simple or double clicks, inspired from [KT05].

Example 3.1.12. In order to model a mouse producing simple or double clicks, the timed aspect is essential. Indeed the mouse produces a double-click when the button is pressed twice quickly enough; otherwise it just produces two simple-clicks. In this example we assume that the mouse produces a double-click when the button is pressed twice within 1 time unit. This situation can be modelled by the one-clock timed automaton depicted on Figure 3.3 together with the set of atomic propositions AP given by {Idle, Simple, Double}.

Figure 3.3: A timed automaton modelling a simple-, double-click mouse. [Diagram: location l0 labelled {Idle}; edge l0 → l1 on click with reset x := 0; location l1 labelled {Simple} with invariant x ≤ 1; edge l1 → l2 on click with guard x < 1; location l2 labelled {Double} with invariant x ≤ 1; two further edges guarded by x = 1.]

In the Idle location, when the button is pressed (for the first time), the automaton goes into location Simple and resets the clock x (to zero). If the button is pressed a second time within a time τ < 1 then the automaton reaches the location Double and thus a double-click is produced.

Notations 3.1.13. Given q, q′ two states of TA, a (time or switch) transition between q and q′ is uniformly denoted by q → q′. In other words, when we write q → q′ we mean that either there is a time τ such that $q \xrightarrow{\tau} q'$ or there is an edge e such that $q \xrightarrow{e} q'$.
Remark 3.1.14. Let us notice that the notation (l, ν) → (l′, ν′) is ambiguous in some very particular cases, since it can represent both a time-transition and a switch-transition. Indeed, one could have both $(l,\nu) \xrightarrow{\tau} (l,\nu')$ with τ = 0 and $(l,\nu) \xrightarrow{e} (l,\nu')$ for some e ∈ E. However we use it in order to avoid too heavy a notation.

Remark 3.1.15. One can also define a (time-abstract) transition system $T_A^{ta} = (Q, \Sigma \cup \{t\}, \to)$, where t ∉ Σ and $q \xrightarrow{t} q'$ if and only if there exists τ ∈ T such that $q \xrightarrow{\tau} q'$.

We now define the notion of run of a timed automaton.

Definition 3.1.16. Let A be a timed automaton. A finite run of A is a finite path ρ = (qi)i∈{0,...,l} of TA; it is denoted by ρ = q0 → q1 → · · · → ql. It is also shortly denoted ρ = q0 ⇝ ql.

Definition 3.1.17. Let A be a timed automaton. An infinite run of A is an infinite path ρ = (qk)k∈N of TA denoted by ρ = q0 → q1 → · · · → qi → · · · .

Notations 3.1.18. A (finite or infinite) run is uniformly denoted by ρ = (qi)i∈I.

Definition 3.1.19. A run ρ = (qk)k∈K is called initial if q0 is of the form (l, 0) with all the clock values being null.

Definition 3.1.20. We say that a run ρ is canonical if it is of the form
$$q_0 \xrightarrow{\tau_1} q_1 \xrightarrow{e_1} q_2 \xrightarrow{\tau_2} q_3 \xrightarrow{e_2} q_4 \cdots$$
where time-transitions and switch-transitions alternate.

Remark 3.1.21. With any (initial) run ρ = q0 → q1 → · · · can be associated a canonical (initial) run. Indeed any two consecutive time-transitions $q_k \xrightarrow{\tau} q_{k+1} \xrightarrow{\tau'} q_{k+2}$ can be replaced by the time-transition $q_k \xrightarrow{\tau+\tau'} q_{k+2}$, and a time-transition $q_k \xrightarrow{\tau} q_{k+1}$ with τ = 0 is allowed in Definition 3.1.11.
Definition 3.1.22. Given a canonical run
$$\rho = q_0 \xrightarrow{\tau_0} q_1 \xrightarrow{e_0} q_2 \xrightarrow{\tau_1} q_3 \xrightarrow{e_1} q_4 \cdots,$$
a position in ρ is any state qk, or q2k + τ with 0 < τ < τk. The set of positions in ρ is totally ordered in a natural way. Given a run ρ and q, q′ two positions in ρ, we denote by q < q′ the fact that q is “before” q′ in ρ.
The following remark will be useful in Chapter 4.

Remark 3.1.23. Let ρ be the following canonical initial run
$$\rho = q'_0 = (l_0, 0) \xrightarrow{\tau_1} q_1 \xrightarrow{e_1} q'_1 \xrightarrow{\tau_2} q_2 \xrightarrow{e_2} q'_2 \cdots \xrightarrow{\tau_k} q_k \xrightarrow{e_k} q'_k \cdots .$$
Given $q_k = (l_k, \nu^k)$ a state of ρ, the clock values $(\nu^k_1, \dots, \nu^k_n)$ at qk depend on {τ1, ..., τk} as follows: the value $\nu^k_i$ of the clock xi at state qk is equal to
$$\nu^k_i = \tau_{h+1} + \tau_{h+2} + \cdots + \tau_{k-1} + \tau_k$$
with 0 ≤ h ≤ k such that $q_h \xrightarrow{e_h} q'_h$ is the last transition of ρ where the clock xi has been reset.¹
Let us illustrate the notion of finite run on the timed automaton of Example 3.1.6.

Example 3.1.24. If we consider the timed automaton of Figure 3.2, an example of finite run (in dense time) is:
$$\rho = (l_0, 0, 0) \xrightarrow{1.7} (l_0, 1.7, 1.7) \xrightarrow{e_1} (l_1, 1.7, 0) \xrightarrow{0} (l_1, 1.7, 0) \xrightarrow{e_2} (l_2, 1.7, 0) \xrightarrow{1} (l_2, 2.7, 1) \xrightarrow{e_4} (l_4, 2.7, 1).$$
This finite run is initial and canonical. The states (l0 , 0, 0), (l0 , 1, 1) and (l2 , 1.8, 0.1) are examples of positions in ρ. We now give an example of infinite run on the timed automaton of Example 3.1.5. Example 3.1.25. If we consider the timed automaton of Figure 3.1, an example of infinite run (in dense time) is: 0.2
e
e
0.1
3 2 (l2 , 1.7, 0) −−→ (l2 , 1.7, 0.5) −→ ρ′ = (l1 , 1.5, 0.3) −−→ (l1 , 1.7, 0.5) −→
e
0.01
e
0.001
3 3 (l2 , 1.81, 0) −−−→ · · · (l2 , 1.8, 0) −−→ (l2 , 1.81, 0.01) −→ (l2 , 1.8, 0.1) −→
This infinite run is neither initial nor canonical. 1 We
notice that h depends on i.
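The transitions of Definitions 3.1.9 and 3.1.10 and the run of Example 3.1.24 can be checked mechanically. The Python below is an added worked example and not code from the thesis: it transcribes the automaton of Example 3.1.6 (Figure 3.2) as data, implements time- and switch-transitions with guard, reset and invariant checks, replays the run ρ of Example 3.1.24 and tests whether a sequence of steps is canonical in the sense of Definition 3.1.20. The clock, edge and location names follow the example; the helper names (`time_transition`, `switch_transition`, `replay`, `is_canonical`, `make_state`) are this example's own.

```python
"""Dense-time semantics of a timed automaton (Definitions 3.1.9 to 3.1.11).

Added worked example, not code from the thesis.  The automaton below is the
one of Example 3.1.6 / Figure 3.2 transcribed as data; guards and invariants
are conjunctions of atomic constraints `x_i ~ c`, and the run checked at the
bottom is the one of Example 3.1.24.  Clock values are Fractions so that the
arithmetic on delays such as 1.7 is exact (pass delays as strings).
"""
from fractions import Fraction
import operator

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}

def satisfies(valuation, constraint):
    """nu |= g for a conjunction g given as a list of (clock, op, const)."""
    return all(OPS[op](valuation[clock], Fraction(c)) for clock, op, c in constraint)

# Example 3.1.6: invariants (empty list = trivial invariant x1 >= 0) and
# edges e = (source, action, guard, reset set, target).
INVARIANTS = {"l0": [], "l1": [("x2", "=", 0)], "l2": [], "l3": [], "l4": []}
EDGES = {
    "e1": ("l0", "a", [("x1", "<=", 2)], {"x2"}, "l1"),
    "e2": ("l1", "a", [("x2", "=", 0)], set(), "l2"),
    "e3": ("l1", "u", [("x2", "=", 0)], set(), "l3"),
    "e4": ("l2", "a", [("x1", ">=", 2)], set(), "l4"),
    "e5": ("l3", "a", [("x1", ">=", 2)], set(), "l4"),
}

def time_transition(state, tau):
    """q --tau--> q' (Definition 3.1.9), or None if the invariant breaks.

    The invariants are conjunctions of x_i ~ c, hence convex, so checking the
    valuation at both ends of the delay covers every intermediate tau'."""
    loc, nu = state
    tau = Fraction(tau)
    if tau < 0:
        return None
    nu2 = {x: v + tau for x, v in nu.items()}
    if satisfies(nu, INVARIANTS[loc]) and satisfies(nu2, INVARIANTS[loc]):
        return (loc, nu2)
    return None

def switch_transition(state, edge_name):
    """q --e--> q' (Definition 3.1.10), or None if e is not enabled."""
    loc, nu = state
    src, _action, guard, resets, dst = EDGES[edge_name]
    if loc != src or not satisfies(nu, guard):
        return None
    nu2 = {x: (Fraction(0) if x in resets else v) for x, v in nu.items()}
    if not satisfies(nu2, INVARIANTS[dst]):   # q' must be a state of A (Definition 3.1.7)
        return None
    return (dst, nu2)

def replay(initial, steps):
    """Follow a run given as a list of delays (strings) and edge names.

    Returns the list of visited states, or None at the first illegal step."""
    states = [initial]
    for step in steps:
        if step in EDGES:
            nxt = switch_transition(states[-1], step)
        else:
            nxt = time_transition(states[-1], step)
        if nxt is None:
            return None
        states.append(nxt)
    return states

def is_canonical(steps):
    """Delays and edges alternate, starting with a delay (Definition 3.1.20)."""
    return all((step in EDGES) == (k % 2 == 1) for k, step in enumerate(steps))

def make_state(loc, x1, x2):
    return (loc, {"x1": Fraction(x1), "x2": Fraction(x2)})

# The run rho of Example 3.1.24: 1.7, e1, 0, e2, 1, e4.
RHO = ["1.7", "e1", "0", "e2", "1", "e4"]

if __name__ == "__main__":
    for loc, nu in replay(make_state("l0", 0, 0), RHO):
        print(loc, {x: str(v) for x, v in nu.items()})
```

Because every invariant here is a conjunction of constraints xi ∼ c, the set of valuations satisfying it is convex, so the condition "ν + τ′ |= I(l) for all 0 ≤ τ′ ≤ τ" of Definition 3.1.9 reduces to checking both endpoints of the delay; with a non-convex invariant the intermediate points would have to be checked as well.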
3.2 Region graph

In this section, we define the region graph [AD90, AD94] of a timed automaton A. The region graph is a finite abstraction of timed automata of particular interest, see Theorem 3.2.15.

3.2.1 Dense Time

In this subsection we assume that T = R+. In order to define the region graph of a timed automaton A, we first recall the usual equivalence on clock valuations and its extension to states of TA (see [AD90, AD94]). We denote by ≈t this particular equivalence. For a clock xi, let ci be the largest constant that xi is compared with in any guard of E and any invariant of I, and let c be the maximum of the ci. For τ ∈ R+, ⌊τ⌋ denotes its integral part and τ̄ denotes its fractional part.

Definition 3.2.1. Two clock valuations ν and ν′ are equivalent, ν ≈t ν′, if and only if the following conditions hold:
• ⌊νi⌋ = ⌊νi′⌋ or νi, νi′ > ci, for all i ∈ {1, . . . , n};
• ν̄i = 0 iff ν̄i′ = 0, for all i ∈ {1, . . . , n} with νi ≤ ci;
• νi − νj ∼ d iff νi′ − νj′ ∼ d, for all i ≠ j ∈ {1, . . . , n}, where ∼ ∈ {<, =, >} and d ∈ {0, . . . , c}.
The equivalence relation ≈t is extended to the states of TA as follows:
q = (l, ν) ≈t q′ = (l′, ν′) iff l = l′ and ν ≈t ν′.
Let us notice that given a timed automaton A, the number of equivalence classes induced by ≈t is finite.

Remark 3.2.2. When considering diagonal-free timed automata, the third condition of Definition 3.2.1 is replaced by the following one.
• ν̄i ≤ ν̄j iff ν̄i′ ≤ ν̄j′, for all i ≠ j ∈ {1, . . . , n} with νi ≤ ci, νj ≤ cj.
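As an added worked example (not the thesis' own code), the Python below implements the clock equivalence ≈t of Definition 3.2.1 and its diagonal-free variant of Remark 3.2.2 as a canonical region key, with the bounds c1 = c2 = 2 of the automaton of Figure 3.1 (Example 3.2.4). Sampling [0, 1]² on a grid of step 1/4 recovers the 11 regions of Example 3.2.4, and the difference between the two variants shows up where Figures 3.4 and 3.6 differ: two valuations with x1 > c1 and the same integral part of x2 fall in one region for the diagonal-free automaton A′ of Remark 3.2.5 but are separated by the diagonal x1 − x2 ∼ 1 in A. The names `region_key`, `equivalent`, `count_regions`, `BOUNDS` and `UNIT_SQUARE_GRID` are this example's own.

```python
"""Clock equivalence ~_t of Definition 3.2.1 and its diagonal-free variant
(Remark 3.2.2), as an added worked example (not code from the thesis).

Two valuations are equivalent iff they have the same `region_key`, so the key
is a canonical name for the region of a valuation.  A clock strictly above its
bound c_i gets the marker "gt" instead of (integral part, fractional part == 0),
which keeps the relation symmetric when one value is exactly c_i and the other
is above it.  Values are Fractions so that floors and fractional parts are
exact; valuations may be given as strings such as "0.2".
The bounds c_1 = c_2 = 2 below are those of Example 3.2.4 (Figure 3.1).
"""
from fractions import Fraction
from itertools import combinations, product
import math

def _sign(v):
    return (v > 0) - (v < 0)

def region_key(nu, bounds, diagonal_free=False):
    """Canonical name of the region of valuation nu.

    bounds[i] is c_i, the largest constant clock x_i is compared with."""
    nu = tuple(Fraction(v) for v in nu)
    c = max(bounds)
    per_clock = []
    for v, ci in zip(nu, bounds):
        # first two conditions of Definition 3.2.1
        per_clock.append("gt" if v > ci else (math.floor(v), v - math.floor(v) == 0))
    pairs = []
    for i, j in combinations(range(len(nu)), 2):
        if diagonal_free:
            # Remark 3.2.2: ordering of the fractional parts of clocks within their bounds
            if nu[i] <= bounds[i] and nu[j] <= bounds[j]:
                fi, fj = nu[i] - math.floor(nu[i]), nu[j] - math.floor(nu[j])
                pairs.append(_sign(fi - fj))
        else:
            # third condition of Definition 3.2.1: nu_i - nu_j compared with every d in {-c, ..., c}
            pairs.append(tuple(_sign(nu[i] - nu[j] - d) for d in range(-c, c + 1)))
    return (tuple(per_clock), tuple(pairs))

def equivalent(nu, nu2, bounds, diagonal_free=False):
    """nu ~_t nu2."""
    return region_key(nu, bounds, diagonal_free) == region_key(nu2, bounds, diagonal_free)

def count_regions(points, bounds, diagonal_free=False):
    """Number of distinct regions hit by a set of sample valuations."""
    return len({region_key(p, bounds, diagonal_free) for p in points})

BOUNDS = (2, 2)   # c_1 = c_2 = 2 for the automaton of Figure 3.1 (Example 3.2.4)

# A grid of step 1/4 on [0, 1]^2 meets every one of the 11 regions of Figure 3.5
# (4 points, 5 segments, 2 open triangles).
UNIT_SQUARE_GRID = [(Fraction(i, 4), Fraction(j, 4)) for i, j in product(range(5), repeat=2)]

if __name__ == "__main__":
    print(count_regions(UNIT_SQUARE_GRID, BOUNDS))                       # 11
    print(equivalent(("0.2", "0.3"), ("0.5", "0.7"), BOUNDS))            # True: both in r0 of Example 3.2.9
    print(equivalent(("2.5", "1.2"), ("2.5", "1.6"), BOUNDS))            # False: split by x1 - x2 ~ 1
    print(equivalent(("2.5", "1.2"), ("2.5", "1.6"), BOUNDS, True))      # True in the diagonal-free A'
```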
We use [ν] (resp. [q]) to denote the equivalence class to which ν (resp. q) belongs. A region is an equivalence class [q]. The set of all the regions is denoted by R. A region [q] is closed if q + τ ≉t q for any τ > 0, otherwise it is open. A region [q] is unbounded if it satisfies q = (l, ν) with νi > ci for all i ∈ {1, . . . , n}.

Remark 3.2.3. We recall [AD94] that the size |RA| of the region graph, i.e. its number of regions and edges, is in $O((|L| + |E|)\,2^{|\delta(A)|})$ where δ(A) is the binary encoding of the constants (guards and costs) appearing in A. Thus |RA| is in $O(2^{|A|})$ where |A| takes into account the locations, edges and constants of A.

Let us illustrate the equivalence relation on the timed automaton of Example 3.1.5.

Example 3.2.4. In the automaton A of Figure 3.1 we have that c = c1 = c2 = 2. The partition induced by ≈t on (R+)² is illustrated on Figure 3.4. The partition induced by ≈t on [0, 1]² is represented more precisely on Figure 3.5. The square [0, 1]² is partitioned into 11 regions: 4 points, 5 segments and 2 open triangles.

Figure 3.4: Equivalence relation ≈t [diagram: the (x1, x2) plane, axes graduated 0, 1, 2, 3]
Figure 3.5: Zoom on [0, 1]² [diagram: the square [0, 1]² and its 11 regions]
Remark 3.2.5. In the automaton A of Figure 3.1, if we replace the guard x1 − x2 ≥ 1 by the guard x1 ≥ 1, we obtain a new timed automaton A′ which is diagonal-free. In this case the partition induced by ≈t on (R+)² is the one depicted on Figure 3.6.

Figure 3.6: Equivalence relation ≈t on a diagonal-free timed automaton [diagram: the (x1, x2) plane, axes graduated 0, 1, 2, 3]

Remark 3.2.6. A nice representation of the regions has been introduced in [ACH93]. A region is fully specified by a location l, the integral parts of the clock values (ν1, . . . , νn), and the ordering of their fractional parts for the clocks xi such that νi ≤ ci. The representation proposed in [ACH93] consists in visualizing this ordering. For example, the ordering 0 < ν̄1 < ν̄2 < · · · < ν̄n < 1 (where νi ≤ ci) is depicted on Figure 3.7.

Figure 3.7: The ordering of the fractional parts of the clock values in a region [diagram: the points 0, ν̄1, ν̄2, . . . , ν̄n, 1 placed in this order on the unit interval]
We now define the region graph of a timed automaton A, which is the quotient of the time-abstract transition system $T_A^{ta}$ (see Remark 3.1.15) by the clock equivalence ≈t.

Definition 3.2.7. Let A = (L, X, Σ, E, I, L) be a timed automaton. The region graph RA = (R, F) is a finite labelled graph where
• the vertex set is equal to the set of regions R,
• the edge set F is composed of edges of two types:
  – $r \xrightarrow{t} r'$ is a time edge if there exist two states q ∈ r, q′ ∈ r′ and a time-transition $q \xrightarrow{\tau} q'$ in TA, for some τ ∈ R+,
  – $r \xrightarrow{e} r'$ is a switch edge if there exist two states q ∈ r, q′ ∈ r′ and a switch-transition $q \xrightarrow{e} q'$ in TA, for some e ∈ E.
Notations 3.2.8. Given r, r′ two regions of RA, a (time or switch) edge between r and r′ is uniformly denoted by r → r′. Given a run ρ = (qk)k∈K of TA, we denote by [ρ] the corresponding path ([qk])k∈K in RA. We say that a path ρR in RA is canonical (resp. initial) if ρR = [ρ] for some canonical (resp. initial) run ρ of TA.

Let us give an example of run in RA.

Example 3.2.9. If we consider the timed automaton of Figure 3.1 and the following finite run (illustrated on Figure 3.8)
$$\rho = (l_2, 0.2, 0.3) \xrightarrow{1.1} (l_2, 1.3, 1.4) \xrightarrow{e_3} (l_2, 1.3, 0) \xrightarrow{0.6} (l_2, 1.9, 0.6) \xrightarrow{0.1} (l_2, 2, 0.7),$$
we have that
$$[\rho] = r_0 \xrightarrow{t} r_1 \xrightarrow{e_3} r_2 \xrightarrow{t} r_3 \xrightarrow{t} r_4,$$
where r0 = (l2, 0 < x1 < x2 < 1); r1 = (l2, 1 < x1 < x2 < 2); r2 = (l2, 1 < x1 < 2, x2 = 0); r3 = (l2, 1 < x1 < 2, 0 < x2 < 1, x̄2 < x̄1); r4 = (l2, x1 = 2, 0 < x2 < 1), see Figure 3.9.

Figure 3.8: The run ρ [diagram: the run drawn in the (x1, x2) plane]
Figure 3.9: The regions r0, . . . , r4 [diagram: the regions r0, . . . , r4 drawn in the (x1, x2) plane]

3.2.2 Discrete Time

In this subsection we have that T = N. In order to define the region graph of a timed automaton A, we adapt the equivalence on clock valuations of Definition 3.2.1. We also denote by ≈t this equivalence. We only define the equivalence ≈t for diagonal-free timed automata.
Definition 3.2.10. Two clock valuations ν and ν′ are equivalent, ν ≈t ν′, if and only if the following condition holds: νi = νi′ or νi, νi′ > ci, for all i ∈ {1, . . . , n}.

Thus given a clock xi, its possible values in an equivalence class are 0, 1, 2, . . . , ci and $c_i^+ = \{n \in \mathbb{N} \mid n > c_i\}$.

We continue Example 3.2.4 in the discrete case.

Example 3.2.11. If we consider the automaton A′ of Remark 3.2.5, i.e. the automaton A of Figure 3.1 where the guard x1 − x2 ≥ 1 is replaced by x1 ≥ 1, the partition induced by ≈t on (N+)² is illustrated on Figure 3.10.

Figure 3.10: Equivalence relation ≈t when the time is discrete [diagram: the (x1, x2) grid]

The region graph of a timed automaton A is the quotient of the time-abstract transition system $T_A^{ta}$ by ≈t. We omit the details, but the construction is similar to the one given in Definition 3.2.7.
3.2.3 Time abstract bisimulation

We recall in this subsection the notion of time-abstract bisimulation² (see [Hen95] or [ACH+95]) on a timed automaton.

Definition 3.2.12. Let A be a timed automaton and TA its transition system. A (time-abstract) bisimulation on A is an equivalence relation ≈ ⊆ Q × Q such that for all q1, q2 ∈ Q satisfying q1 ≈ q2,
• whenever $q_1 \xrightarrow{\tau} q'_1$ with τ ∈ T and q1′ ∈ Q, there exist τ′ ∈ T and q2′ ∈ Q such that $q_2 \xrightarrow{\tau'} q'_2$ and q1′ ≈ q2′;
• whenever $q_1 \xrightarrow{a} q'_1$ with a ∈ Σ and q1′ ∈ Q, there exists q2′ ∈ Q such that $q_2 \xrightarrow{a} q'_2$ and q1′ ≈ q2′.

A bisimulation ≈ is finite if it has a finite number of equivalence classes. It is said to respect a partition P0 of the set Q if any P ∈ P0 is a union of equivalence classes of ≈. The general bisimulation algorithm (see Section 1.6) applies to timed automata. In this context we distinguish two kinds of (existential) predecessors.

Definition 3.2.13. Given A a timed automaton, S ⊆ Q and a ∈ Σ, the switch (existential) predecessor of S by a is given by
$$\mathrm{Pre}_a(S) = \{\, q \in Q \mid \exists q'\; (q \xrightarrow{a} q') \wedge (q' \in S) \,\}.$$

² Without loss of generality we only consider time-abstract bisimulations which are equivalence relations (see Remark 1.3.7).
Definition 3.2.14. Given A a timed automaton and S ⊆ Q, the timed (existential) predecessor of S is given by
$$\mathrm{Pre}_t(S) = \{\, q \in Q \mid \exists q'\, \exists \tau\; (q \xrightarrow{\tau} q') \wedge (q' \in S) \,\}.$$
One of the main results of [AD94] is the following theorem.

Theorem 3.2.15. [AD94] Given A a timed automaton, the clock equivalence ≈t is a time-abstract bisimulation on A which is finite.

Using Theorem 3.2.15 and the folk result of Lemma 1.8.3, the authors of [AD94] have proved the following important result.

Theorem 3.2.16. [AD94] The reachability problem for timed automata is PSpace-Complete.
3.3 Weighted Timed Automata

In this section, we recall the notion of weighted timed automaton (see [ALP01]), also known as priced timed automaton (see [BFH+01]), which is an extension of timed automata with costs on both locations and edges.
Notations 3.3.1. We denote by Z = {z1, . . . , zm} a set of m cost variables. A cost variable valuation is a map ω : Z → T. Given a cost variable valuation ω, for i = 1, ..., m, we denote by ωi the image of the cost variable zi by the function ω, i.e. ω(zi) = ωi. Given a cost variable valuation ω, when no confusion is possible we also denote by ω the element of Tm given by (ω1, ..., ωm). Given a cost variable valuation ω and τ ∈ T, ω + τ is the cost variable valuation defined by (ω1 + τ, . . . , ωm + τ).

Definition 3.3.2. A weighted timed automaton is a timed automaton A = (L, X, Σ, E, I, L) augmented with a cost function C : L ∪ E → Zm which assigns an m-tuple of costs to both locations and edges. We use the same notation A for a weighted timed automaton and the underlying timed automaton.

The concept of weighted timed automata has been independently introduced in [ALP01] and [BFH+01] (with a single cost that is nonnegative instead of m-tuples of costs). In the previous definition, we say that C(l) (resp. C(e)) is the cost of location l (resp. edge e). We will sometimes use the notation ż1 = d1, . . . , żm = dm at location l instead of C(l) = (d1, . . . , dm)³. Note that the cost variables z1, . . . , zm cannot be reset nor tested in the weighted timed automaton; they are just observers. Weighted timed automata can also be seen as linear hybrid automata ([Hen95]) where all the variables which are not clocks cannot be reset nor tested.

³ This notation comes from automata with integrators, the variables z1, . . . , zm being the integrators, see for instance [KPSY99].

Definition 3.3.3. Let A be a weighted timed automaton. We say that A is an automaton with stopwatch observers if for every location l, C(l) ∈ {0, 1}m (instead of Zm).

When an edge e or a location l has null costs, that is, C(e) = (0, . . . , 0) or C(l) = (0, . . . , 0), we say that it has no cost. When an edge has no cost, no reset and a guard that is always true, it is called an empty edge.

Let us give examples of weighted timed automata.

Example 3.3.4. We enrich Example 3.1.6 with a single cost. This is illustrated on Figure 3.11. If no cost is indicated on a location or edge,
we consider that the cost is null. Formally we have for the locations C(l0) = 5, C(l1) = C(l4) = 0, C(l2) = 10 and C(l3) = 1, and for the edges C(ei) = 0 for i = 1, 2, 3, C(e4) = 1 and C(e5) = 7.

Figure 3.11: A weighted timed automaton inspired from [BCFL04] [diagram: the automaton of Figure 3.2 with the clock x2 written y, location costs 5 (l0), 10 (l2) and 1 (l3), and edge costs 1 (e4) and 7 (e5)]

As for timed automata, the semantics of a weighted timed automaton A is given by a (labelled) transition system $T_A^w$. The new transition system $T_A^w$ is in some sense an extension of TA. In order to define this transition system, we need to define the extended states of A and the transitions between two extended states of A.

Definition 3.3.5. An extended state of A is a triple q = (l, ν, ω) where l ∈ L, ν |= I(l) and ω ∈ Tm. Let Qe denote the set of all extended states.

We now extend the time-transitions and the switch-transitions to extended states.

Definition 3.3.6. Given qe = (l, ν, ω) and qe′ = (l′, ν′, ω′) two extended states of A, we say there is a time-transition in A between qe and qe′ if there exists τ ∈ T such that $(l,\nu) \xrightarrow{\tau} (l',\nu')$ and ω′ = ω + C(l) · τ. We also denote this transition by $q_e \xrightarrow{\tau} q'_e$.

Definition 3.3.7. Given qe = (l, ν, ω) and qe′ = (l′, ν′, ω′) two extended states of A, we say there is a switch-transition in A between qe and qe′ if there exists e ∈ E such that $(l,\nu) \xrightarrow{e} (l',\nu')$ and ω′ = ω + C(e). We denote this transition by $q_e \xrightarrow{e} q'_e$.

We now define the (labelled) transition system $T_A^w$.
Definition 3.3.8. Given a weighted timed automaton A, the (labelled) transition system associated with A is given by $T_A^w = (Q_e, \Sigma \cup T, \to)$ where the transition relation is given by
$$\to \;=\; \bigcup_{\tau \in T} \xrightarrow{\tau} \;\cup\; \bigcup_{e \in E} \xrightarrow{e}.$$
The following example is an adaptation of the well-known gas burner (see for example [ACH+95]). This gas burner example is in fact an automaton with stopwatch observers.

Example 3.3.9. The weighted timed automaton of Figure 3.12 represents a gas burner system with two locations l and l′, one where the system is leaking and the other where it is not leaking. There is one clock variable x to express that a continuous leaking period cannot exceed 1 time unit and that two consecutive leaking periods are separated by at least 30 time units. There are 3 cost variables z1, z2, z3 such that z1 describes the total elapsed time, z2 the accumulated leaking time and z3 the number of leaks.

Figure 3.12: The gas burner system. [Diagram: leaking location l with invariant x ≤ 1 and location cost (1, 1, 0); non-leaking location l′ with location cost (1, 0, 0); edge l → l′ guarded by x ≤ 1, resetting x := 0, with cost (0, 0, 0); edge l′ → l labelled leak, guarded by x ≥ 30, resetting x := 0, with cost (0, 0, 1).]
Notations 3.3.10. Given qe, qe′ two extended states of $T_A^w$, a (time or switch) transition between qe and qe′ is uniformly denoted by qe → qe′. One could also define a time-abstract transition system as done in Remark 3.1.15. The notion of a run of a weighted timed automaton is a natural extension of the run of a timed automaton; such an (extended) run is denoted ρw. Let us give an example of a finite run on the weighted timed automaton of Figure 3.11.
Example 3.3.11. The following run on the weighted timed automaton of Figure 3.11 extends the run of Example 3.1.24.
$$\rho_w = (l_0, 0, 0, 0) \xrightarrow{1.7} (l_0, 1.7, 1.7, 8.5) \xrightarrow{e_1} (l_1, 1.7, 0, 8.5) \xrightarrow{0} (l_1, 1.7, 0, 8.5) \xrightarrow{e_2} (l_2, 1.7, 0, 8.5) \xrightarrow{1} (l_2, 2.7, 1, 18.5) \xrightarrow{e_4} (l_4, 2.7, 1, 19.5).$$
In order to avoid too heavy notations in the sequel, we denote by q both states and extended states when the context allows it. Similarly we denote by ρ both runs of timed automata and (extended) runs of weighted timed automata, and by TA both transition systems.

In the case m = 1, i.e. if the m-tuple of costs reduces to a single cost, the semantics of weighted timed automata can be defined in a different way. Given A a weighted timed automaton and ρ a finite canonical run of the underlying timed automaton, we define the cost of ρ as follows.

Definition 3.3.12. Let A be a weighted timed automaton and
$$\rho = q'_0 \xrightarrow{\tau_1} q_1 \xrightarrow{e_1} q'_1 \xrightarrow{\tau_2} q_2 \xrightarrow{e_2} q'_2 \cdots \xrightarrow{\tau_l} q_l \xrightarrow{e_l} q'_l$$
be a canonical run of TA. Let lk be the location of qk (and of q′k−1) for each k. Then the cost⁴ C(ρ) of ρ is equal to Cd(ρ) + Cs(ρ) with
$$C_d(\rho) = \sum_{k \in \{1,\dots,l\}} C(l_k) \cdot \tau_k, \qquad C_s(\rho) = \sum_{k \in \{1,\dots,l\}} C(e_k).$$
In the previous definition, Cd(ρ) is called the duration cost of ρ, and Cs(ρ) the switch cost of ρ.

Example 3.3.13. Let us consider the weighted timed automaton of Figure 3.11. The following run (from Example 3.1.24) is a finite canonical run of the underlying timed automaton.
$$\rho = (l_0, 0, 0) \xrightarrow{1.7} (l_0, 1.7, 1.7) \xrightarrow{e_1} (l_1, 1.7, 0) \xrightarrow{0} (l_1, 1.7, 0) \xrightarrow{e_2} (l_2, 1.7, 0) \xrightarrow{1} (l_2, 2.7, 1) \xrightarrow{e_4} (l_4, 2.7, 1).$$
We have that C(ρ) = Cd(ρ) + Cs(ρ) where Cd(ρ) = 5 · 1.7 + 0 · 0 + 10 · 1 = 18.5 and Cs(ρ) = 0 + 0 + 1 = 1. Hence C(ρ) = 19.5.

⁴ In the case ρ ends with a time-transition, i.e. there is an additional transition $q'_l \xrightarrow{\tau_{l+1}} q_{l+1}$, then there is an additional term C(ll+1) · τl+1 in both C(ρ) and Cd(ρ).
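The following Python is an added worked example (not code from the thesis) computing the observer valuations ω along an extended run (Definitions 3.3.6 and 3.3.7) and the duration and switch costs of Definition 3.3.12. Costs are handled as m-tuples, so the same routine covers the single-cost automaton of Figure 3.11 (recovering the values 8.5, 18.5 and 19.5 of Examples 3.3.11 and 3.3.13) and the three stopwatch observers of the gas burner of Example 3.3.9, on a constructed scenario of two leaks. Guards and invariants are not checked here; the run is assumed to be a valid canonical run. The helper names and the edge name `stop` for the l → l′ edge of the gas burner are this example's own.

```python
"""Cost of a canonical run of a weighted timed automaton (Definition 3.3.12)
and the observer valuation omega along the extended run (Definitions 3.3.6,
3.3.7 and Remark 3.3.14).

Added worked example, not code from the thesis.  Costs are m-tuples, so the
single-cost automaton of Figure 3.11 (m = 1) and the gas burner of Example
3.3.9 (m = 3, stopwatch observers) are handled by the same routine.  A
canonical run is given as alternating (location, delay) pairs and edge names;
only costs are computed, guards and invariants are assumed already checked.
Delays are passed as strings and turned into Fractions so that 1.7 is exact.
"""
from fractions import Fraction

def _add(u, v):
    return tuple(a + b for a, b in zip(u, v))

def _scale(u, k):
    return tuple(a * k for a in u)

def extended_run(location_costs, edge_costs, steps, m):
    """Observer valuations omega along a canonical run (Definitions 3.3.6, 3.3.7).

    steps: list alternating (location, delay) pairs and edge names, e.g.
           [("l0", "1.7"), "e1", ("l1", "0"), "e2", ...]; a trailing delay is allowed.
    Returns [omega_0, omega_1, ...] with omega_0 = (0, ..., 0)."""
    omega = [tuple(Fraction(0) for _ in range(m))]
    for step in steps:
        if isinstance(step, tuple):          # time-transition: omega' = omega + C(l) * tau
            loc, tau = step
            omega.append(_add(omega[-1], _scale(location_costs[loc], Fraction(tau))))
        else:                                # switch-transition: omega' = omega + C(e)
            omega.append(_add(omega[-1], edge_costs[step]))
    return omega

def run_cost(location_costs, edge_costs, steps):
    """(C_d, C_s, C) for a single-cost weighted timed automaton (Definition 3.3.12).

    A trailing time-transition contributes to C_d as in footnote 4."""
    duration = sum((Fraction(tau) * location_costs[loc][0]
                    for loc, tau in (s for s in steps if isinstance(s, tuple))), Fraction(0))
    switch = sum((edge_costs[e][0] for e in steps if not isinstance(e, tuple)), Fraction(0))
    return duration, switch, duration + switch

# Figure 3.11 (Example 3.3.4): single cost, costs not shown on the figure are null.
FIG_3_11_LOCATIONS = {"l0": (5,), "l1": (0,), "l2": (10,), "l3": (1,), "l4": (0,)}
FIG_3_11_EDGES = {"e1": (0,), "e2": (0,), "e3": (0,), "e4": (1,), "e5": (7,)}
# The canonical run of Examples 3.1.24 / 3.3.13.
RHO = [("l0", "1.7"), "e1", ("l1", "0"), "e2", ("l2", "1"), "e4"]

# Gas burner of Figure 3.12 (Example 3.3.9): z1 total time, z2 leaking time, z3 number of leaks.
BURNER_LOCATIONS = {"leaking": (1, 1, 0), "not_leaking": (1, 0, 0)}
BURNER_EDGES = {"stop": (0, 0, 0), "leak": (0, 0, 1)}   # "stop" names the l -> l' edge (this example's own)
# Constructed scenario: leak for 0.5, wait 30, leak again for 1 time unit.
BURNER_RUN = [("leaking", "0.5"), "stop", ("not_leaking", "30"), "leak", ("leaking", "1"), "stop"]

if __name__ == "__main__":
    print([str(w[0]) for w in extended_run(FIG_3_11_LOCATIONS, FIG_3_11_EDGES, RHO, 1)])
    print([str(v) for v in run_cost(FIG_3_11_LOCATIONS, FIG_3_11_EDGES, RHO)])
    print([str(v) for v in extended_run(BURNER_LOCATIONS, BURNER_EDGES, BURNER_RUN, 3)[-1]])
```

The last observer value of the single-cost extended run equals C(ρ) of Definition 3.3.12, which is the content of Remark 3.3.14 below; for the gas burner the three observers are never reset or tested, they only accumulate.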
Remark 3.3.14. Let A be a weighted timed automaton with a single cost and let ρ be the following finite canonical run of the underlying timed automaton
$$\rho = q'_0 \xrightarrow{\tau_1} q_1 \xrightarrow{e_1} q'_1 \cdots \xrightarrow{\tau_l} q_l \xrightarrow{e_l} q'_l.$$
If we consider the following run of the weighted timed automaton
$$\rho_w = (q'_0, 0) \xrightarrow{\tau_1} (q_1, \omega^1) \xrightarrow{e_1} (q'_1, \omega'^1) \cdots \xrightarrow{\tau_l} (q_l, \omega^l) \xrightarrow{e_l} (q'_l, \omega'^l)$$
we have that ω′l = C(ρ).

The notion of (time-abstract) bisimulation on a timed automaton (see Definition 3.2.12) can naturally be extended to (time-abstract) bisimulation on a weighted timed automaton.

Definition 3.3.15. Let A be a weighted timed automaton and $T_A^w$ its transition system. A (time-abstract) bisimulation on A is an equivalence relation ≈ ⊆ Qe × Qe such that for all q1, q2 ∈ Qe satisfying q1 ≈ q2,
• whenever $q_1 \xrightarrow{\tau} q'_1$ with τ ∈ T and q1′ ∈ Qe, there exist τ′ ∈ T and q2′ ∈ Qe such that $q_2 \xrightarrow{\tau'} q'_2$ and q1′ ≈ q2′;
• whenever $q_1 \xrightarrow{a} q'_1$ with a ∈ Σ and q1′ ∈ Qe, there exists q2′ ∈ Qe such that $q_2 \xrightarrow{a} q'_2$ and q1′ ≈ q2′.

One can naturally extend the definitions of switch and time (existential) predecessors (see Definitions 3.2.13 and 3.2.14) to weighted timed automata. However there is no analogue of the region graph for weighted timed automata. Indeed there exist simple weighted timed automata which do not admit a finite bisimulation quotient (see Example 5.29). Thus in general the bisimulation algorithm does not terminate.

Proposition 3.3.16. [AHLP00] [Hen95] Let A be a weighted timed automaton. The bisimulation algorithm terminates if and only if the coarsest bisimulation of A that respects a partition P0 is finite.
Chapter 4

Optimal Reachability

In this chapter we study the natural problem associated with weighted timed automata, namely the cost-optimal reachability problem. Let A be a weighted timed automaton and l be a location of A; the optimal reachability problem asks what is the minimal accumulated cost of an initial run that reaches l in A. Two different algorithmic solutions have been proposed independently to solve the optimal reachability problem. First, in [ALP01], the authors proposed a non-trivial extension of the region automaton to solve the optimal reachability problem. This construction is the basis for an ExpTime solution to the problem. The optimality of the proposed solution is not studied there. Second, in [BFH+01], the authors have proposed a symbolic algorithm that manipulates priced (cost) extensions of zones. This second solution does not provide a complexity result: the termination of the algorithm is ensured by a well-quasi-order for which the length of descending chains is not studied. The PSpace-Completeness of the optimal reachability problem has been announced in [AM04] in a survey paper on timed automata but a complete proof never appeared. In this survey the authors mention that the key tools in order to prove that the optimal reachability problem is PSpace-Complete can be found in [BBL04].

In this chapter we give a complete and detailed proof of the PSpace-Completeness of the optimal reachability problem. Moreover we show that the optimal reachability problem can be solved for a more general¹ class of weighted timed automata: positive as well as negative costs on edges and locations can be handled simultaneously. As a consequence, we study the computation of the infimum and the supremum of costs for reachability. The results of this chapter are based on [BBBR06].

Before we proceed let us give some conventions and notations that we will use throughout the chapter.

Conventions and notations. In this chapter we only consider timed automata on dense² time A = (L, X, Σ, E, I, L) where the set of actions Σ reduces to a singleton and where the labelling function L maps every location to the empty set. In this context, the set Σ and the function L are useless. To avoid too heavy notations we will thus denote timed automata A by (L, X, E, I). Moreover we will only consider weighted timed automata with a single cost, i.e. C : L ∪ E → Z, and use the semantics given by Definition 3.3.12.
4.1 Cost-optimal reachability problem

In this section we define the cost-optimal reachability problem for weighted timed automata [BFH+01].³

Definition 4.1.1. Let A be a weighted timed automaton. Given two regions r, r′ of RA, the optimal cost OptCost(r, r′) of reaching r′ from r is the infimum (resp. supremum) of the costs of the runs ρ = q ⇝ q′ of TA such that q ∈ r and q′ ∈ r′. Moreover, we say that OptCost(r, r′) is realizable if there exists such a run ρ with C(ρ) = OptCost(r, r′).

Remark 4.1.2. In the previous definition, suppose that the infimum cost is considered. By convention OptCost(r, r′) = +∞ in the case there is no run ρ = q ⇝ q′ such that q ∈ r and q′ ∈ r′. Otherwise, OptCost(r, r′) ∈ R or OptCost(r, r′) = −∞. Symmetric observations hold when the supremum cost is considered.

Problem 4.1.3. Cost-optimal reachability problem. Given A a weighted timed automaton and two regions r, r′ of RA, compute the optimal cost OptCost(r, r′).

Our main result is the following one. The rest of the chapter is devoted to its proof.

¹ In [ALP01] and [BFH+01] only positive costs are considered.
² The case of discrete time is easier and quickly discussed in Subsection 4.3.4.
³ In this chapter, by cost-optimality we mean both infimum cost and supremum cost, while only infimum cost is studied in [BFH+01].
Theorem. The cost-optimal reachability problem is PSpace-Complete.

Remark 4.1.4. In the sequel, we make several assumptions for solving Problem 4.1.3. First, we suppose that the region r given in Problem 4.1.3 is composed of a unique state of the form (l, 0) such that all the clock values are null. Second, we focus only on the computation of the infimum cost. Finally we only consider bounded and diagonal-free timed automata. In Section 4.3, we explain why these hypotheses are not restrictions.

The next example indicates how the cost-optimal reachability problem is related to a linear programming problem (see the book [NW88] for details on linear programming).

Example 4.1.5. Let A be the weighted timed automaton pictured on Figure 4.1. The cost of each location is indicated on the figure and the cost of each edge is null. The invariant (x1 ≤ 4) ∧ (x2 ≤ 2) is assigned to each location, showing that A is bounded. We are interested in runs from l0 to l3.⁴ There are mainly two families of such runs, the runs going through l1 and the runs going through l2.

⁴ In this example, we work with locations, instead of regions as indicated in Definition 4.1.1.
Figure 4.1: A weighted timed automaton [diagram: location l0 (cost 1) with an edge to l1 (cost 3) guarded by x1 ≤ 1 and resetting x1 := 0, and an edge to l2 (cost 2) guarded by x1 < 2 and resetting x2 := 0; edge l1 → l3 guarded by x2 = 2; edge l2 → l3 guarded by x1 > 3 ∧ x2 > 1; location l3 has cost 0]
Figure 4.2: Its equivalence relation ≈t [diagram: the (x1, x2) plane]

The first family can be described by the following parameterized run⁵
$$\rho_1(t_1, t_2) = (l_0, 0, 0) \xrightarrow{t_1} (l_0, t_1, t_1) \to (l_1, 0, t_1) \xrightarrow{t_2} (l_1, t_2, t_1 + t_2) \to (l_3, t_2, t_1 + t_2).$$
The parameters t1, t2 represent the time elapsed at locations l0, l1 respectively. They are constrained by the following linear inequalities:
$$0 \le t_1 \le 1,\quad t_2 \ge 0 \quad\text{and}\quad t_1 + t_2 = 2. \tag{4.1}$$
The cost of the parameterized run ρ1(t1, t2) is given by t1 + 3 · t2. Therefore finding the infimum cost with respect to the first family of runs reduces to computing the infimum value of the function t1 + 3 · t2 under the constraints (4.1). This is a linear programming problem for which it is known that the optimal solution is given by one of the vertices of the polyhedron defined by (4.1), here the point (1, 1) leading to the infimum cost 4. On Figure 4.3, the bold line represents this polyhedron, and the dashed line represents the situation of an optimal cost t1 + 3 · t2 = 4. Note that the optimum cost 4 is a minimum cost since it is realized by the run ρ1(t1, t2) with t1 = t2 = 1.

⁵ We can suppose that this run is canonical by Remark 3.1.21 and that it is initial by Remark 4.1.4. Moreover we can assume that this run ends with a switch-transition since we consider the infimum cost to reach l3. We also notice the form of the clock values as described in Remark 3.1.23.
Figure 4.3: Optimizing the cost of ρ1(t1, t2) [diagram: the (t1, t2) plane with the segment defined by (4.1) in bold and the dashed line t1 + 3 · t2 = 4]
Figure 4.4: Optimizing the cost of ρ2(t1, t2) [diagram: the (t1, t2) plane with the shaded polyhedron defined by (4.2) and the dashed line t1 + 2 · t2 = 4]

Similarly the second family of runs is described by the following parameterized run
$$\rho_2(t_1, t_2) = (l_0, 0, 0) \xrightarrow{t_1} (l_0, t_1, t_1) \to (l_2, t_1, 0) \xrightarrow{t_2} (l_2, t_1 + t_2, t_2) \to (l_3, t_1 + t_2, t_2).$$
In this case, the parameters t1, t2 are constrained by the linear inequalities
$$0 \le t_1 < 2,\quad t_2 > 1 \quad\text{and}\quad t_1 + t_2 > 3. \tag{4.2}$$
The cost with respect to ρ2(t1, t2) is given by t1 + 2 · t2. On Figure 4.4, the shaded zone represents the polyhedron defined by (4.2), and the dashed line represents the situation of the infimum cost t1 + 2 · t2 = 4. This infimum cost is not a minimum cost since no run realizes it. Indeed the value 4 is achieved at the vertex (2, 1) of the polyhedron, a point that does not belong to it.

Therefore in this simple example, the infimum cost of reaching location l3 from location l0 is equal to 4, and it is realizable. This value has been obtained by solving a linear programming problem for the two parameterized runs ρ1(t1, t2) and ρ2(t1, t2).

In order to solve the cost-optimal reachability problem, we first study an easier problem: the cost-optimal path reachability problem. It is related
to a given path in the region graph RA of a weighted timed automaton A. We define this simpler problem in Subsection 4.1.1 below. We show in Subsection 4.1.2 that solving the cost-optimal path reachability problem reduces to solving a linear programming problem. In Subsections 4.1.3 and 4.1.4, we investigate further the approach by linear programming. The obtained results will be a first step toward the solution of Problem 4.1.3 given in Section 4.2.
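Example 4.1.5 solves two small linear programs by hand. As an added worked example (not code from the thesis), the Python below does the same exactly, with rational arithmetic: it enumerates the vertices of the closure of the polyhedron, takes the smallest cost among them and then decides realizability, i.e. whether the infimum is a minimum, by checking that the face of minimizing vertices contains a point satisfying every strict constraint. It is run on the constraints (4.1) and (4.2) of Example 4.1.5 (the invariant bounds of Figure 4.1 are added to (4.2) so that its polyhedron is bounded, as the polyhedra of a bounded automaton are) and on the constraints (4.3) of Example 4.1.10 below. The function names `infimum_cost`, `_solve` and `_holds` and the constraint encoding are this example's own.

```python
"""Infimum cost of a parameterized run as a linear program (Examples 4.1.5 and 4.1.10).

Added worked example, not code from the thesis.  Along a parameterized run the
cost is linear in the delays t_1, ..., t_m and the delays range over a
polyhedron given by linear constraints, some of them strict (open regions).
For a bounded polyhedron the infimum of a linear function is attained at a
vertex of the closure, so the vertices are enumerated exactly with Fractions.
The infimum is realizable (a minimum) iff the face of minimizing vertices
contains a point satisfying every strict constraint; the barycenter of the
minimizing vertices is such a point whenever one exists and is returned as witness.
"""
from fractions import Fraction
from itertools import combinations

def _solve(rows, rhs):
    """Gaussian elimination over Fractions; None if the square system is singular."""
    n = len(rows)
    a = [[Fraction(v) for v in row] + [Fraction(b)] for row, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col] != 0), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        p = a[col][col]
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return tuple(a[r][n] for r in range(n))

def _holds(constraint, point, closure):
    """Does point satisfy (coeffs, op, rhs)?  With closure=True, '<' and '>' are relaxed."""
    coeffs, op, rhs = constraint
    lhs = sum(Fraction(c) * p for c, p in zip(coeffs, point))
    rhs = Fraction(rhs)
    if op == "=":
        return lhs == rhs
    if closure:
        return lhs <= rhs if op in ("<", "<=") else lhs >= rhs
    return {"<": lhs < rhs, "<=": lhs <= rhs, ">": lhs > rhs, ">=": lhs >= rhs}[op]

def infimum_cost(cost, constraints):
    """Return (infimum, realizable, witness) of sum(cost[k] * t_k) over the polyhedron.

    cost: per-parameter cost rates (the location costs along the run);
    constraints: (coeffs, op, rhs) with op in '<', '<=', '=', '>', '>='.
    The polyhedron must be bounded, which holds for bounded automata."""
    d = len(cost)
    vertices = set()
    for subset in combinations(constraints, d):       # every d-subset of tight constraints
        sol = _solve([c for c, _, _ in subset], [r for _, _, r in subset])
        if sol is not None and all(_holds(k, sol, True) for k in constraints):
            vertices.add(sol)
    if not vertices:
        return None, False, None                       # empty polyhedron: OptCost = +infinity
    value = lambda v: sum(Fraction(c) * x for c, x in zip(cost, v))
    best = min(value(v) for v in vertices)
    argmin = [v for v in vertices if value(v) == best]
    strict = [k for k in constraints if k[1] in ("<", ">")]
    # a strict constraint holds somewhere on the minimizing face iff it holds at one of its vertices
    realizable = all(any(_holds(k, v, False) for v in argmin) for k in strict)
    witness = tuple(sum(v[i] for v in argmin) / len(argmin) for i in range(d)) if realizable else None
    return best, realizable, witness

# Example 4.1.5, runs through l1: cost t1 + 3 t2 under (4.1).
FAMILY_L1 = ([1, 3], [([1, 0], ">=", 0), ([1, 0], "<=", 1), ([0, 1], ">=", 0), ([1, 1], "=", 2)])
# Example 4.1.5, runs through l2: cost t1 + 2 t2 under (4.2), plus the invariant bounds
# x1 = t1 + t2 <= 4 and x2 = t2 <= 2 at l2 that make the polyhedron bounded.
FAMILY_L2 = ([1, 2], [([1, 0], ">=", 0), ([1, 0], "<", 2), ([0, 1], ">", 1),
                      ([1, 1], ">", 3), ([1, 1], "<=", 4), ([0, 1], "<=", 2)])
# Example 4.1.10, region path rho_R: cost t1 + 3 t2 under (4.3).
PATH_RHO_R = ([1, 3], [([1, 0], ">", 0), ([1, 0], "<", 1), ([0, 1], ">", 1),
                       ([0, 1], "<", 2), ([1, 1], "=", 2)])

if __name__ == "__main__":
    for name, (cost, cons) in [("rho_1", FAMILY_L1), ("rho_2", FAMILY_L2), ("rho_R", PATH_RHO_R)]:
        print(name, infimum_cost(cost, cons))
```

The realizability test relies on the minimizing set being a face F of the closure, hence the convex hull of some vertices: a strict constraint holds at some point of F iff it holds at some vertex of F, and the barycenter of the vertices of F then satisfies all strict constraints at once. This is why ρ2 and ρR both give infimum 4 with realizable equal to False, while ρ1 gives a minimum at (1, 1).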
4.1.1 Cost-optimal path reachability problem

Definition 4.1.6. Let A be a weighted timed automaton. Given a canonical initial path ρR in RA, the optimal cost OptCost(ρR) associated with ρR is the infimum of the costs C(ρ) among the runs ρ of TA such that [ρ] = ρR. Moreover, we say that OptCost(ρR) is realizable if there exists such a run ρ with C(ρ) = OptCost(ρR).

Remark 4.1.7. In the previous definition, we can suppose that ρR is canonical and initial due to Remarks 3.1.21 and 4.1.4.

Problem 4.1.8. Cost-optimal path reachability problem. Given A a weighted timed automaton and ρR a canonical initial path in RA, compute the optimal cost OptCost(ρR) associated with ρR.

Remark 4.1.9. We notice that given ρR a path of RA, we have Cs(ρ) = Cs(ρ′) whenever [ρ] = [ρ′] = ρR. Hence the cost-optimal path reachability problem reduces to computing the optimal duration cost Cd.
4.1.2 A linear programming problem

In this section we show that solving Problem 4.1.8 reduces to solving a linear programming problem. This idea was already illustrated in Example 4.1.5. Before we formalize this idea, we go further with this example.

Example 4.1.10. We come back to the weighted timed automaton of Figure 4.1 and its equivalence relation ≈t given on Figure 4.2. We consider the following path ρR in RA
$$\rho_R = r'_0 \to r_1 \to r'_1 \to r_2 \to r'_2$$
with the regions r0′ r1 r1′ r2 r2′
= = = = =
(l0 , (l0 , (l1 , (l1 , (l3 ,
0, 0), 0 < x1 = x2 < 1), x1 = 0, 0 < x2 < 1), 1 < x1 < 2, x2 = 2), 1 < x1 < 2, x2 = 2).
Each run ρ of TA such that [ρ] = ρR can be parameterized as

$$\rho(t_1, t_2) = (l_0, 0, 0) \xrightarrow{t_1} (l_0, t_1, t_1) \to (l_1, 0, t_1) \xrightarrow{t_2} (l_1, t_2, t_1 + t_2) \to (l_3, t_2, t_1 + t_2)$$

with the two parameters t1, t2 constrained by the following linear inequalities:

$$0 < t_1 < 1, \qquad 1 < t_2 < 2 \qquad \text{and} \qquad t_1 + t_2 = 2. \tag{4.3}$$
These constraints are obtained as follows. We have r1 = [(l0, t1, t1)], justifying the first inequality, and r2 = [(l1, t2, t1 + t2)], justifying the second and third inequalities. In the same way as in Example 4.1.5, we compute OptCost(ρR) as equal to 4. Indeed, it is equal to the infimum value of the cost C(ρ(t1, t2)) = t1 + 3·t2 under the constraints (4.3). This optimal cost is not realizable. However it can be approximated by ρ(1 − ε, 1 + ε) with ε > 0 arbitrarily small.

We now generalize the arguments of Example 4.1.10 to any canonical initial path ρR of Definition 4.1.6. We suppose that it has the following form, with the last edge being a switch-edge⁶:

$$\rho_R = r_0' \to r_1 \to r_1' \to r_2 \to \cdots \to r_m \to r_m'. \tag{4.4}$$

In this path, each region rk (resp. rk′) is bounded since the timed automata studied in this chapter are supposed to be bounded (see Remark 3.1.4).

⁶ The case where the last edge is a time-edge can be treated similarly. All the results of Section 4.1.2 remain valid.
We recall the basic fact [AD94] that each region r of A can be described by a location and a finite set of linear constraints of the form

$$x_i - x_j \sim c \qquad \text{or} \qquad x_i \sim c \tag{4.5}$$

where xi, xj are clocks, c ∈ Z and ∼ ∈ {<, =, >}. We denote this set of linear constraints by r(x1, ..., xn). All runs ρ of TA such that [ρ] = ρR can be parameterized as

$$\rho(t_1, t_2, \ldots, t_m) = q_0' \xrightarrow{t_1} q_1 \xrightarrow{e_1} q_1' \xrightarrow{t_2} q_2 \xrightarrow{e_2} \cdots \xrightarrow{t_m} q_m \xrightarrow{e_m} q_m' \tag{4.6}$$
where

• the first state is of the form q0′ = (l1, 0) such that r0′ = [(l1, 0)],

• each other state can be written as qk = (lk, x^k) = (lk, x^k_1, x^k_2, ..., x^k_n) (resp. qk′ = (l_{k+1}, x′^k)) such that each clock x^k_i (resp. x′^k_i) depends on the parameters t1, t2, ..., tk.

Let us recall that for state qk, this dependence x^k_i = x^k_i(t1, ..., tk) is given in Remark 3.1.23:

$$x^k_i(t_1, \ldots, t_k) = t_{h+1} + t_{h+2} + \cdots + t_{k-1} + t_k \tag{4.7}$$

with 0 ≤ h ≤ k such that $q_h \xrightarrow{e_h} q_h'$ is the last transition of ρ(t1, ..., tm) where the clock xi has been reset. For state qk′, with ek = (lk, gk, Yk, l_{k+1}), we have

$$x'^{\,k}_i(t_1, \ldots, t_k) = \begin{cases} 0 & \text{if } x_i \in Y_k \\ x^k_i & \text{otherwise.} \end{cases} \tag{4.8}$$

Since [ρ(t1, ..., tm)] = ρR, we have rk = [qk] for all k ∈ {1, ..., m}; this shows that the parameters t1, ..., tm are constrained by the following set of inequalities

$$\mathrm{Constr}(\rho_R) = \bigcup_{k \in \{1, \ldots, m\}} r_k(t_1, \ldots, t_k) \tag{4.9}$$

where $r_k(t_1, \ldots, t_k) = r_k\big(x^k_1(t_1, \ldots, t_k), \ldots, x^k_n(t_1, \ldots, t_k)\big)$.
Therefore for all runs ρ of TA such that [ρ] = ρR, we can write ρ = ρ(τ1, ..., τm) such that (τ1, ..., τm) ∈ (R+)^m satisfy the constraints of Constr(ρR) (see Example 4.1.10). We now define the two following subsets of (R+)^m:

$$\begin{aligned}
A(\rho_R) &= \{(\tau_1, \ldots, \tau_m) \in (\mathbb{R}^+)^m \mid [\rho(\tau_1, \ldots, \tau_m)] = \rho_R\},\\
B(\rho_R) &= \{(\tau_1, \ldots, \tau_m) \in (\mathbb{R}^+)^m \mid (\tau_1, \ldots, \tau_m) \models \mathrm{Constr}(\rho_R)\}.
\end{aligned}$$

This allows us to formulate the next lemma.

Lemma 4.1.11. A(ρR) = B(ρR).

Proof. From above we have A(ρR) ⊆ B(ρR). For the other inclusion, consider (τ1, ..., τm) ⊨ Constr(ρR); we have to prove that ρ = ρ(τ1, ..., τm) is a run of TA satisfying [ρ(τ1, ..., τm)] = ρR. The proof is by induction on k with k ∈ {0, ..., m}.

For k = 0, we have q0′ = (l1, ν′^0) = (l1, 0) and [q0′] = r0′. For correctly starting the induction, we also need an artificial state q0 = (l0, ν^0) = (l0, 0) and an artificial edge e0 = (l0, g0, Y0, l1) with g0 = true and Y0 = X.

Consider the case k > 0. Let e_{k−1} be the edge (l_{k−1}, g_{k−1}, Y_{k−1}, lk). By induction, we can suppose that q′_{k−1} = (lk, ν′^{k−1}) with ν′^{k−1} satisfying (4.8) and (4.7), that is

$$\nu'^{\,k-1}_i = \begin{cases} 0 & \text{if the clock } x_i \text{ belongs to } Y_{k-1} \\ \nu^{k-1}_i & \text{otherwise} \end{cases}$$

where ν^{k−1}_i = τ_{h+1} + τ_{h+2} + ··· + τ_{k−1} with 0 ≤ h ≤ k − 1 such that $q_h \xrightarrow{e_h} q_h'$ is the last transition of ρ where the clock xi has been reset. Moreover, [q′_{k−1}] = r′_{k−1}.

Let us now study the form of the states qk and qk′. By definition of a time-transition, we have qk = (lk, ν^k) with

$$\nu^k_i = \begin{cases} \tau_k & \text{if } \nu'^{\,k-1}_i = 0 \\ \tau_{h+1} + \tau_{h+2} + \cdots + \tau_{k-1} + \tau_k & \text{otherwise.} \end{cases}$$

This shows that ν^k satisfies (4.7). By hypothesis, τ1, ..., τk satisfy the subset of constraints rk(t1, ..., tk) of Constr(ρR). It follows that the transition $q'_{k-1} \xrightarrow{\tau_k} q_k$ is a time-transition of TA such that [qk] = rk. Let ek be the edge (lk, gk, Yk, l_{k+1}). Using the definition of a switch-transition, we have qk′ = (l_{k+1}, ν′^k) with

$$\nu'^{\,k}_i = \begin{cases} 0 & \text{if the clock } x_i \text{ belongs to } Y_k \\ \nu^k_i & \text{otherwise.} \end{cases}$$

Then we have a switch-transition $q_k \xrightarrow{e_k} q_k'$ such that [qk′] = rk′ and ν′^k satisfies (4.8). This ends the case k > 0 of the induction.
In Remark 4.1.9, we noticed that solving the cost-optimal path reachability problem reduces to computing the optimal duration cost Cd. Looking at the parameterized run ρ(t1, ..., tm) (see (4.6)), its duration cost is equal to

$$C_d(\rho(t_1, \ldots, t_m)) = \sum_{k \in \{1, \ldots, m\}} C(l_k) \cdot t_k. \tag{4.10}$$

Thus by Lemma 4.1.11, the optimal cost OptCost(ρR) can be obtained by computing the infimum value of Cd(ρ(t1, ..., tm)) under the set of constraints Constr(ρR). The set Constr(ρR) defines an m-dimensional polyhedron Pol(ρR) equal to

$$\mathrm{Pol}(\rho_R) = \{(\tau_1, \ldots, \tau_m) \in (\mathbb{R}^+)^m \mid (\tau_1, \ldots, \tau_m) \models \mathrm{Constr}(\rho_R)\}. \tag{4.11}$$

Notice that this polyhedron is bounded since the set of constraints given by Constr(ρR) is constructed from bounded regions. We also define the closure of the polyhedron Pol(ρR), denoted by $\overline{\mathrm{Pol}}(\rho_R)$. This polyhedron is obtained by considering the set Constr(ρR) where each constraint (see (4.5)) of the form xi − xj < c or xi < c (resp. xi − xj > c or xi > c) is replaced by xi − xj ≤ c or xi ≤ c (resp. xi − xj ≥ c or xi ≥ c).⁷

⁷ This definition corresponds to the notion of closure from the topological point of view.

Looking at (4.7), we notice that the constraints
of Constr(ρR) have the form ti + t_{i+1} + ··· + t_{j−1} + tj ∼ c with i, j ∈ {1, ..., m}, c ∈ Z and ∼ ∈ {<, =, >}. It follows that $\overline{\mathrm{Pol}}(\rho_R)$ can be defined by constraints of the form

$$M \cdot t \le d, \qquad t \ge 0 \tag{4.12}$$

where M is a (p × m) matrix with integer coefficients (for some p), t is the column vector (t1, ..., tm) such that ti ≥ 0 for all i ∈ {1, ..., m}, and d is a column vector of p integer constants. As the duration cost is a linear function with integer coefficients (see (4.10)), the optimum value of Cd(ρ(t1, ..., tm)) is obtained at one of the vertices of the polyhedron $\overline{\mathrm{Pol}}(\rho_R)$. Due to the form of (4.12), this can be computed by the Simplex Method, a well-known method in linear programming (see [NW88]). In this way, we have shown how to solve Problem 4.1.8.

Corollary 4.1.12. Problem 4.1.8 is decidable.

Notice that this problem is in PTime (in p and m). We recall that m is the length of ρR and p is related to the number of constraints of Constr(ρR) defined in (4.9). With the linear programming approach, we can also decide whether the optimal cost OptCost(ρR) is realizable.

Corollary 4.1.13. It is decidable whether the optimal cost OptCost(ρR) is realizable.

Proof. Suppose that the minimum value of Cd(ρ(τ1, ..., τm)) computed by the Simplex Method is equal to b. Recall the form of Cd(ρ(τ1, ..., τm)) given in (4.10). Then OptCost(ρR) is realizable if and only if the intersection between

$$\Big\{(\tau_1, \ldots, \tau_m) \in (\mathbb{R}^+)^m \;\Big|\; \sum_{k \in \{1, \ldots, m\}} C(l_k) \cdot \tau_k = b\Big\}$$

and Pol(ρR) is non-empty.
Remark 4.1.14. It is important to note that Corollary 4.1.12 remains true in the case of more general duration cost functions. For instance, if Cd(ρ(t1, ..., tm)) is a concave function, then its minimum value is obtained at one of the vertices of the polyhedron $\overline{\mathrm{Pol}}(\rho_R)$ (see [Roc70]). We recall that a function f(t) = f(t1, ..., tm) is concave if

$$f(\lambda t + (1 - \lambda) t') \ge \lambda f(t) + (1 - \lambda) f(t')$$

with λ ∈ [0, 1]. Since every $t \in \overline{\mathrm{Pol}}(\rho_R)$ can be written as $t = \sum_k \lambda_k v_k$ with $\sum_k \lambda_k = 1$ and the vk's being the vertices of $\overline{\mathrm{Pol}}(\rho_R)$, we have

$$f(t) = f\Big(\sum_k \lambda_k v_k\Big) \ge \sum_k \lambda_k f(v_k) \ge \sum_k \lambda_k \min_k\{f(v_k)\} = \min_k\{f(v_k)\}.$$

This shows that the minimum value of Cd(ρ(t1, ..., tm)) is obtained at the vertex vl of $\overline{\mathrm{Pol}}(\rho_R)$ such that f(vl) = min_k{f(vk)}. Symmetrically, if Cd(ρ(t1, ..., tm)) is a convex function, then its maximum value is obtained at one of the vertices of $\overline{\mathrm{Pol}}(\rho_R)$ (see [Roc70]). A function f(t) is convex if −f(t) is concave.
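As an added illustration of Corollaries 4.1.12 and 4.1.13 (this is not code from the thesis): the script below builds the closure of Pol(ρR) from the constraints (4.3) of Example 4.1.10 in the form (4.12), enumerates its vertices exactly (a vertex is a feasible point where m independent rows are tight, so for the small m of the example an exhaustive search stands in for the Simplex Method), takes the minimum of the duration cost (4.10) over them, and decides realizability by testing whether the barycentre of the optimal vertices satisfies the strict constraints. The constraint encoding and the cost coefficients C(l0) = 1, C(l1) = 3 (read off from t1 + 3·t2) are assumptions of the example.

```python
from fractions import Fraction
from itertools import combinations

# Constructed instance: the constraints (4.3) of Example 4.1.10 and its duration cost
# t1 + 3*t2 (so C(l0) = 1 and C(l1) = 3 are assumed).  A constraint is (coeffs, rel, c)
# meaning  sum_i coeffs[i] * t_i  rel  c  with rel one of "<", "=", ">", as in (4.5).
CONSTR_4_1_10 = [
    ((1, 0), ">", 0), ((1, 0), "<", 1),    # region r1:  0 < t1 < 1
    ((0, 1), ">", 1), ((0, 1), "<", 2),    # region r2:  1 < t2 < 2
    ((1, 1), "=", 2),                      # region r2:  t1 + t2 = 2
]
COST_4_1_10 = (1, 3)


def closure_rows(constr, m):
    """Closure of Pol(rho_R) as rows (a, d) meaning a . t <= d, i.e. the form (4.12).
    '<' becomes '<=', '>' becomes '>=' (stored negated), '=' yields both; t >= 0 is appended."""
    rows = []
    for coeffs, rel, c in constr:
        a = tuple(Fraction(x) for x in coeffs)
        if rel in ("<", "="):
            rows.append((a, Fraction(c)))
        if rel in (">", "="):
            rows.append((tuple(-x for x in a), Fraction(-c)))
    for i in range(m):
        rows.append((tuple(Fraction(-1 if j == i else 0) for j in range(m)), Fraction(0)))
    return rows


def solve_square(A, b):
    """Exact Gauss-Jordan solution of an m x m system; None when it is singular."""
    m = len(A)
    M = [list(A[i]) + [b[i]] for i in range(m)]
    for col in range(m):
        piv = next((r for r in range(col, m) if M[r][col] != 0), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        M[col] = [x / p for x in M[col]]
        for r in range(m):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return tuple(M[i][m] for i in range(m))


def vertices(rows, m):
    """Vertices of {t | M t <= d}: every feasible point where m independent rows are tight."""
    found = set()
    for subset in combinations(rows, m):
        t = solve_square([a for a, _ in subset], [d for _, d in subset])
        if t is not None and all(sum(x * y for x, y in zip(a, t)) <= d for a, d in rows):
            found.add(t)
    return sorted(found)


def opt_cost(constr, cost, m):
    """OptCost(rho_R): minimum of the linear duration cost (4.10) over the closure's vertices.
    Returns (value, optimal vertices); by Corollary 4.1.20 the value is an integer."""
    vs = vertices(closure_rows(constr, m), m)
    value = {v: sum(Fraction(c) * x for c, x in zip(cost, v)) for v in vs}
    best = min(value.values())
    return best, [v for v in vs if value[v] == best]


def satisfies(constr, t):
    """Membership in Pol(rho_R) itself: each constraint with its own (possibly strict) relation."""
    for coeffs, rel, c in constr:
        lhs = sum(Fraction(a) * x for a, x in zip(coeffs, t))
        if not {"<": lhs < c, "=": lhs == c, ">": lhs > c}[rel]:
            return False
    return True


def realizable(constr, cost, m):
    """Corollary 4.1.13: OptCost is realizable iff {cost = b} meets Pol(rho_R).  Inside the
    closure, {cost = b} is the face spanned by the optimal vertices; a strict constraint that
    fails at the face's barycentre (a relative-interior point) fails on the whole face, so
    testing that single point decides the question."""
    _, opt = opt_cost(constr, cost, m)
    bary = tuple(sum(v[i] for v in opt) / len(opt) for i in range(m))
    return satisfies(constr, bary)


def run_cost(cost, t):
    """Duration cost (4.10) of the parameterized run rho(t1, ..., tm)."""
    return sum(Fraction(c) * x for c, x in zip(cost, t))


if __name__ == "__main__":
    b, opt = opt_cost(CONSTR_4_1_10, COST_4_1_10, 2)
    print("OptCost =", b, "at", opt, "realizable:", realizable(CONSTR_4_1_10, COST_4_1_10, 2))
    eps = Fraction(1, 100)   # the approximating run rho(1 - eps, 1 + eps) of Example 4.1.10
    print("cost of rho(1-eps, 1+eps) =", run_cost(COST_4_1_10, (1 - eps, 1 + eps)))
```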
4.1.3 3-Block matrices

Let A be a weighted timed automaton, and ρR be a canonical initial path in RA. In this section we investigate in more detail the form of the polyhedron $\overline{\mathrm{Pol}}(\rho_R)$, and in particular its vertices. This study leads to the nice results given in Corollaries 4.1.20 and 4.1.21.

Coming back to the form of the matrix M given in (4.12), we observe that each line of M is composed of three blocks (possibly empty): a first block of 0's, a second block of 1's (resp. −1's) and a third block of 0's, that is

$$(0, \ldots, 0, 1, \ldots, 1, 0, \ldots, 0) \qquad \text{or} \qquad (0, \ldots, 0, -1, \ldots, -1, 0, \ldots, 0).$$

We call 3-block a matrix of this form. This particularity of the matrix M will lead to very nice results. First we give an illustration.

Example 4.1.15. Considering the path ρR of Example 4.1.10, the set Constr(ρR) is composed of the following linear constraints

• region r1: 0 < t1 < 1,
• region r2: 1 < t2 < 2, t1 + t2 = 2.

The polyhedron $\overline{\mathrm{Pol}}(\rho_R)$ is defined by the following matrix system

$$\begin{pmatrix} -1 & 0 \\ 1 & 0 \\ 0 & -1 \\ 0 & 1 \\ 1 & 1 \\ -1 & -1 \end{pmatrix} \begin{pmatrix} t_1 \\ t_2 \end{pmatrix} \le \begin{pmatrix} 0 \\ 1 \\ -1 \\ 2 \\ 2 \\ -2 \end{pmatrix}.$$
Let us show that the matrix M is totally unimodular.

Definition 4.1.16. [NW88] An integer matrix M is said to be totally unimodular if the determinant of each of its square submatrices is equal to 0, 1 or −1.

Lemma 4.1.17. Any 3-block matrix is totally unimodular.

Proof. We prove this lemma by induction on the size l of the square submatrices of M. The computation of their determinant is done with the cofactor method. If l = 1 the result clearly holds. Suppose l > 1 and let A ∈ Z^{l×l} be a square submatrix of M. We have to prove that det(A) equals 0, 1 or −1. This proof is by induction on k, the number of non-null coefficients of the first column of A. If k = 0, then det(A) = 0. If k = 1, then we obtain the desired result by the induction hypothesis on l.

In order to treat the case k > 1, we need to introduce some notation and a definition. As usual we denote by Aij the coefficient of A located in line Li and column Cj of A. We consider the lines Li of A such that Ai1 ≠ 0,⁸ and we define a total ordering on these lines as follows:

$$L_i \subseteq L_{i'} \quad \text{iff} \quad \forall j\; A_{ij} \ne 0 \Rightarrow A_{i'j} \ne 0.$$

Consider two lines Li, Li′ such that Ai1 ≠ 0, Ai′1 ≠ 0 respectively, and Li ⊆ Li′. We build a new matrix B from A by replacing the line Li′ by the line Li′ − Li if Ai1 = Ai′1, and by the line Li′ + Li if Ai1 = −Ai′1. The other lines are left unchanged. Since B is again 3-block, det(A) = det(B), and B has k − 1 non-null coefficients in its first column, we can conclude that det(A) equals 0, 1 or −1 by the induction hypothesis on k.

⁸ Recall that M is 3-block. Thus such a line Li is formed by a block of 1's (resp. −1's) followed by a block of 0's.

From the next theorem and Lemma 4.1.17, we have the following nice corollaries.

Theorem 4.1.18. [NW88] Consider the polyhedron {t ∈ R^m | M·t ≤ d} with M a totally unimodular (p × m) matrix and d ∈ Z^p. Then the coordinates of its vertices are integers.

Corollary 4.1.19. The vertices of the polyhedron $\overline{\mathrm{Pol}}(\rho_R)$ have integer coordinates.

Corollary 4.1.20. The optimal cost OptCost(ρR) is an integer.

In the next corollary, we indicate the relation between the optimal cost OptCost(r, r′) of reaching the region r′ from the region r and the optimal cost OptCost(ρR) associated with a path ρR of the region graph (see Definitions 4.1.1 and 4.1.6).

Corollary 4.1.21. Let A be a timed automaton and r, r′ be two regions of RA. Then

$$\mathrm{OptCost}(r, r') = \inf\{\mathrm{OptCost}(\rho_R) \mid \rho_R = r \rightsquigarrow r' \text{ path in } R_A\}.$$

Moreover, if OptCost(r, r′) ≠ ∞, then OptCost(r, r′) = OptCost(ρR) for some path ρR = r ⇝ r′ of RA, and OptCost(r, r′) is an integer.

Proof. The first part of the corollary follows from the next equality.

$$\inf\{C(\rho) \mid \rho = q \rightsquigarrow q',\ q \in r,\ q' \in r'\} = \inf_{\rho_R} \inf\{C(\rho) \mid \rho = q \rightsquigarrow q',\ [\rho] = \rho_R\}.$$

The second part is an immediate consequence of Corollary 4.1.20.
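To make Definition 4.1.16 and Lemma 4.1.17 concrete, here is an added check (not the thesis's own code) that brute-forces the determinant of every square submatrix with exact rational arithmetic. It is run on the 3-block matrix M of Example 4.1.15, on a constructed matrix with a non-3-block row that fails the test, and on the matrix of all 3-block rows with three (and four) columns, which covers every 3-block matrix with that many columns since a submatrix of a totally unimodular matrix is again totally unimodular and a repeated row only adds determinant 0.

```python
from fractions import Fraction
from itertools import combinations


def det(A):
    """Exact determinant by Gaussian elimination over the rationals."""
    n = len(A)
    M = [[Fraction(x) for x in row] for row in A]
    d = Fraction(1)
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != col:
            M[col], M[piv] = M[piv], M[col]
            d = -d                                   # a row swap flips the sign
        d *= M[col][col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return d


def is_three_block(row):
    """A row is 3-block when its non-zero entries are contiguous and all 1 or all -1."""
    nz = [i for i, x in enumerate(row) if x != 0]
    if not nz:
        return True
    return {row[i] for i in nz} in ({1}, {-1}) and nz == list(range(nz[0], nz[-1] + 1))


def is_totally_unimodular(M):
    """Definition 4.1.16, checked exhaustively: every square submatrix has det in {0, 1, -1}."""
    p, m = len(M), len(M[0])
    for size in range(1, min(p, m) + 1):
        for rows in combinations(range(p), size):
            for cols in combinations(range(m), size):
                if det([[M[i][j] for j in cols] for i in rows]) not in (0, 1, -1):
                    return False
    return True


def all_three_block_rows(m):
    """Every non-zero 3-block row with m columns: a contiguous block of +1 or of -1."""
    rows = []
    for i in range(m):
        for j in range(i, m):
            for sign in (1, -1):
                rows.append([sign if i <= k <= j else 0 for k in range(m)])
    return rows


# The matrix M of Example 4.1.15 (closure of the constraints (4.3) of Example 4.1.10).
M_EXAMPLE_4_1_15 = [[-1, 0], [1, 0], [0, -1], [0, 1], [1, 1], [-1, -1]]

# Constructed counterexample: the third row (1, 0, 1) is not 3-block and the whole matrix
# has determinant 2, so it is not totally unimodular.
NOT_THREE_BLOCK = [[1, 1, 0], [0, 1, 1], [1, 0, 1]]

if __name__ == "__main__":
    print("Example 4.1.15 matrix is 3-block:", all(is_three_block(r) for r in M_EXAMPLE_4_1_15))
    print("... and totally unimodular:", is_totally_unimodular(M_EXAMPLE_4_1_15))
    print("det of the counterexample:", det(NOT_THREE_BLOCK))
    print("all 3-block rows, m = 3, totally unimodular:",
          is_totally_unimodular(all_three_block_rows(3)))
```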
4.1.4 ε-Semantics
We have shown that Problem 4.1.8 is decidable: with the notation of Section 4.1.2, the optimal cost OptCost(ρR) can be obtained by computing the infimum value of the duration cost Cd(ρ(t1, ..., tm)) under the set of constraints Constr(ρR). By the Simplex Method, it is obtained at one of the vertices of the polyhedron $\overline{\mathrm{Pol}}(\rho_R)$. Moreover, these vertices have integer coordinates by Corollary 4.1.19. All these results suggest that when computing OptCost(ρR), only time-transitions with a time τ "arbitrarily close to an integer" have to be considered (see also the end of Example 4.1.10). We thus introduce the ε-semantics in Definition 4.1.22 and we formalize the previous suggestion in Lemma 4.1.24.

The notion of ε-semantics of a timed automaton A is similar to the semantics given in Definition 3.1.11, except that the elapse τ of time at a location is restricted to τ close to an integer.

Definition 4.1.22. Let A = (L, X, E, I) be a timed automaton and ε ∈ ]0, 1/2] be a real number. The ε-transition system T_A^ε = (Q, →ε) has the same set Q as in TA and a transition relation

$$\to_\varepsilon \;=\; \bigcup_{\tau \in \mathbb{R}^+_\varepsilon} \xrightarrow{\tau} \;\cup\; \bigcup_{e \in E} \xrightarrow{e} \qquad \text{such that} \qquad \mathbb{R}^+_\varepsilon = \{\tau \in \mathbb{R}^+ \mid \exists N \in \mathbb{N}\ \ |N - \tau| < \varepsilon\}.$$

We distinguish two kinds of time-transition $\xrightarrow{\tau}$ with τ ∈ R^+_ε:⁹ either 0 ≤ N − τ < ε, or 0 ≤ τ − N < ε. In the first case we use the notation $\xrightarrow{N^-}$, and in the second case $\xrightarrow{N^+}$. We notice that in some very particular cases, a transition of T_A^ε can be both a time-transition and a switch-transition (see Remark 3.1.14). A finite path in the ε-transition system T_A^ε is called an ε-run; it is denoted by ρ^ε. Clearly any ε-run of T_A^ε can be seen as a run of TA.

Remark 4.1.23. When the context is clear enough, we use the notation q → q′ instead of q →ε q′ for transitions of T_A^ε.

⁹ The two cases are mutually exclusive by the choice of ε ∈ ]0, 1/2].
In the next lemma, we show that the optimal cost OptCost(ρR) can be approximated by the cost of some well-chosen ε-run.

Lemma 4.1.24. Let A be a weighted timed automaton, and ρR be a canonical initial path in RA. Let ε ∈ ]0, 1/2]. Then there exists an initial ε-run ρ^ε in T_A^ε such that [ρ^ε] = ρR and |OptCost(ρR) − C(ρ^ε)| < ε.

Proof. We use the notation of Section 4.1.2. We suppose that ρR has the form

$$\rho_R = r_0' \to r_1 \to r_1' \to r_2 \to \cdots \to r_m \to r_m'$$

with the related parameterized run

$$\rho(t_1, t_2, \ldots, t_m) = q_0' \xrightarrow{t_1} q_1 \xrightarrow{e_1} q_1' \xrightarrow{t_2} q_2 \xrightarrow{e_2} \cdots \xrightarrow{t_m} q_m \xrightarrow{e_m} q_m'$$

(see (4.4) and (4.6)). Consider the set of constraints Constr(ρR) and the polyhedron Pol(ρR) defined by them (see (4.9) and (4.11)). By Remark 4.1.9, we know that the computation of the optimal cost OptCost(ρR) reduces to the computation of the optimal duration cost Cd. By the Simplex Method and Corollary 4.1.19, this duration cost is obtained at one of the vertices (τ1, ..., τm) ∈ N^m of $\overline{\mathrm{Pol}}(\rho_R)$ with integer coordinates.

Let us show how to define the required ε-run ρ^ε. Suppose A = (L, X, E, I, C) and let K = max_{l∈L} |C(l)|. Let ε′ be such that 0 < ε′ ≤ ε and mKε′ < ε. Since $\overline{\mathrm{Pol}}(\rho_R)$ is the closure of the polyhedron Pol(ρR), there exists a point (τ1′, ..., τm′) ∈ Pol(ρR) such that |τk − τk′| < ε′ for all k ∈ {1, ..., m}. By Lemma 4.1.11, the run ρ(τ1′, ..., τm′) of TA satisfies [ρ(τ1′, ..., τm′)] = ρR. Moreover, since τk ∈ N for all k, and ε′ ≤ ε, ρ(τ1′, ..., τm′) is an ε-run. Therefore we define ρ^ε = ρ(τ1′, ..., τm′). Looking at Definition 3.3.12 and Remark 4.1.9, we have

$$\big|\mathrm{OptCost}(\rho_R) - C(\rho^\varepsilon)\big| = \Big|\sum_{k \in \{1, \ldots, m\}} C(l_k)\,\tau_k - \sum_{k \in \{1, \ldots, m\}} C(l_k)\,\tau'_k\Big| \le Km\varepsilon' < \varepsilon.$$

4.2 A solution to the cost-optimal reachability problem
In this section, we solve the cost-optimal reachability problem for weighted timed automata (Problem 4.1.3) and prove the PSpace-completeness of this problem as announced in Section 4.1. This proof needs several steps that we now briefly introduce. By Lemma 4.1.24, we have seen that to solve Problem 4.1.8 for a weighted timed automaton A, it is sufficient to consider runs of the transition system TA restricted to the ε-semantics (with ε arbitrarily close to 0). This observation motivates the introduction of the ε-region graph in Subsection 4.2.1, which is a refinement of the region graph RA. In Subsection 4.2.2, we establish the correspondence between runs of the ε-semantics and paths of the ε-region graph (Lemmas 4.2.12 and 4.2.13). In Subsection 4.2.3, we introduce the notion of discrete graph, a notion similar to the ε-region graph, which is independent of ε. We show how to augment the discrete graph with a weight function in relation to the cost function of A. Then, we give the counterparts of the two previous lemmas with weight (Lemmas 4.2.22 and 4.2.23). All these steps lead to Theorem 4.2.24, where it is stated that solving Problem 4.1.3 reduces to computing some minimum weight in the discrete graph. The announced complexity of the cost-optimal reachability problem is proved in Subsection 4.2.4.
4.2.1 ε-Region graph
In this section, given a timed automaton A, we define the concept of ε-region graph which can be seen as a refinement of RA. The refinement that we propose is simpler than the one given in [ALP01].

Let ε ∈ ]0, 1/2]. We define the ε-equivalence denoted ≈ε on clock valuations. This new equivalence relation refines the equivalence relation ≈t given in Definition 3.2.1. We recall that for every clock xi, ci is the largest constant that xi is compared with in any guard and any invariant of A.

Definition 4.2.1. Let ε ∈ ]0, 1/2]. Two clock valuations ν and ν′ are ε-equivalent, ν ≈ε ν′, iff they satisfy the following conditions¹⁰

• ν ≈t ν′;
• ν̄i < ε iff ν̄i′ < ε for all i ∈ {1, ..., n} with νi ≤ ci;
• 1 − ε < ν̄i iff 1 − ε < ν̄i′ for all i ∈ {1, ..., n} with νi ≤ ci.

Figure 4.5 indicates the partition induced by the ε-equivalence for the timed automaton of Figure 4.1.

Figure 4.5: The ε-equivalence ≈ε (axes x1 and x2)

The relation ≈ε is extended to the states of TA as done previously with ≈t. An equivalence class is called an ε-region. The ε-region to which a state q belongs is denoted [q]ε and the set of all ε-regions is denoted by R^ε.

In order to define the ε-region graph of a timed automaton A, we do not need all the ε-regions of R^ε (contrary to the construction of RA). Due to Lemma 4.1.24, we only need to consider the ε-regions [(l, ν)]ε whose clock values ν are close enough to n-tuples of integers (the dashed zones on Figure 4.5).

Definition 4.2.2. Given a timed automaton A and ε ∈ ]0, 1/2], the set of acceptable ε-regions, denoted S^ε, is defined by

$$S^\varepsilon = \big\{[(l, \nu)]_\varepsilon \;\big|\; \forall i \in \{1, \ldots, n\} : \nu_i \le c_i \Rightarrow (\bar\nu_i < \varepsilon \text{ or } 1 - \varepsilon < \bar\nu_i)\big\}.$$

¹⁰ With the choice of ε ∈ ]0, 1/2], the last two conditions are mutually exclusive.
Remark 4.2.3. If r^ε = [(l, ν)]ε is an ε-region of S^ε, then there exists a unique region r ∈ R, equal to [(l, ν)], such that r^ε ⊆ r. In the sequel, r^ε always denotes an ε-region included in the region r.¹¹

Remark 4.2.4. Using the representation introduced in Remark 3.2.6, we can visualize an ε-region r^ε as on Figure 4.6 (when r is a bounded region). We observe that the fractional parts ν̄i of the clock values are either less than ε or greater than 1 − ε. We thus introduce the following notation¹²

$$\begin{aligned}
\mathrm{Low}(r^\varepsilon) &= \{\nu_i \mid \nu_i \le c_i \text{ and } \bar\nu_i < \varepsilon\};\\
\mathrm{High}(r^\varepsilon) &= \{\nu_i \mid \nu_i \le c_i \text{ and } 1 - \varepsilon < \bar\nu_i\}.
\end{aligned}$$

This graphical representation of the ε-regions is very helpful in the proofs below.

Figure 4.6: The region 0 < ν̄1 < ··· < ν̄i < ε ≤ 1 − ε < ν̄i+1 < ··· < ν̄n (fractional parts drawn on an axis marked 0, ε, 1 − ε, 1)

Remark 4.2.5. The acceptable ε-regions that we propose as a refinement of the classical regions of [AD94] are simpler than the refinement introduced in [ALP01]. Indeed in our case, the clock values of an acceptable ε-region r^ε are arbitrarily close to one of the corners of the region r, whereas in [ALP01] the clock values are arbitrarily close to one of the boundaries of r.

In the next example, we illustrate the interest of Definition 4.2.2 for computing the optimal cost OptCost(r, r′) for two regions r, r′ of a timed automaton.

Example 4.2.6. We consider the weighted timed automaton A of Figure 4.7.

Figure 4.7: the weighted timed automaton A of Example 4.2.6 (only the labels l1, 2, l2, 0 and x = 1 survive from the figure)

¹¹ Similarly, if δ ≤ ε, we will also use the notation r^δ, r^ε, r with r^δ ⊆ r^ε ⊆ r.
¹² Notice that the sets Low(r^ε) and High(r^ε) are disjoint since ε ≤ 1/2.
[…] 1 − ε_{k+1}, showing the first inequality. To obtain the second one, notice that ν̄d′ = ν̄b + 1 − εk < εk + 1 − εk = 1.

Figure 4.15: The proof at a glance when Low(r^ε) = High(r′^ε), and High(r^ε) = Low(r′^ε) = ∅ (fractional parts ν̄a, ν̄b before and ν̄c′, ν̄d′ after the transition)

Lemma 4.2.13. Let A be a timed automaton. Let ρ^δ = (l0, ν^0) → (l1, ν^1) → ··· → (lm, ν^m) be an initial δ-run in T_A^δ, with δ ∈ ]0, 1/(2(m+1))]. Then, with ε = (m+1)δ, there exists a path $\rho_{S^\varepsilon} = r_0^\varepsilon \to r_1^\varepsilon \to \cdots \to r_m^\varepsilon$ in R_A^ε such that (lk, ν^k) ∈ r_k^ε for all k ∈ {0, ..., m}.

Proof. Consider the regions rk = [(lk, ν^k)] of RA, for k ∈ {0, ..., m}. We are going to build the required path ρ_{S^ε} as follows: for all k ∈ {0, ..., m}, we have (lk, ν^k) ∈ r_k^{εk} and the prefix

$$\rho_{S^{\varepsilon_k}} = r_0^{\varepsilon_k} \to r_1^{\varepsilon_k} \to \cdots \to r_k^{\varepsilon_k}$$

is a path in R_A^{εk}, with εk = (k+1)δ.¹⁶ Since εk ≤ ε, we have r_k^{εk} ⊆ r_k^ε and ρ_{S^{εk}} is also a path in R_A^ε. Thus the thesis holds with k = m.

We proceed by induction on k. If k = 0, then (l0, ν^0) ∈ r_0^{ε0} since ν^0 = 0. Let k ≥ 0. Suppose by induction hypothesis that we have built the path ρ_{S^{εk}} with the desired conditions. This path can be seen as a path in R_A^{ε_{k+1}} since r_j^{εk} ⊆ r_j^{ε_{k+1}} for all j ∈ {0, ..., k}. Consider the edge rk → r_{k+1} of RA. If we show that (l_{k+1}, ν^{k+1}) ∈ r_{k+1}^{ε_{k+1}}, then r_k^{ε_{k+1}} → r_{k+1}^{ε_{k+1}} is an edge of R_A^{ε_{k+1}}, and case k + 1 is thus solved.

As in the proof of Lemma 4.2.12, we change the notation as follows. We denote the states (lk, ν^k), (l_{k+1}, ν^{k+1}) by (l, ν), (l′, ν′) respectively, and the regions rk, r_{k+1} by r, r′ respectively. In order to prove that (l′, ν′) ∈ r′^{ε_{k+1}}, we treat the different types of transition (l, ν) → (l′, ν′) (see Definition 4.1.22).

Suppose that (l, ν) → (l′, ν′) is a switch-transition. Since (l, ν) ∈ r^{εk} by induction hypothesis and εk < ε_{k+1}, then (l′, ν′) ∈ r′^{εk} ⊆ r′^{ε_{k+1}}.

Suppose now that $(l, \nu) \xrightarrow{\tau} (l', \nu')$ is a time-transition such that |N − τ| < δ for some N ∈ N. We have to consider the two cases $(l, \nu) \xrightarrow{N^+} (l, \nu')$ and $(l, \nu) \xrightarrow{N^-} (l, \nu')$.

1. Suppose τ = N + τ′ with 0 ≤ τ′ < δ. This case is illustrated on Figure 4.16. We have to prove that (l, ν′) ∈ r′^{ε_{k+1}}, i.e. ν̄i′ ∈ [0, ε_{k+1}[ ∪ ]1 − ε_{k+1}, 1[ for all i ∈ {1, ..., n}. A clock xi belongs either to Low(r_k^{εk}) or to High(r_k^{εk}).

   (a) xi ∈ Low(r_k^{εk}). Thus by induction hypothesis, 0 ≤ ν̄i′ = ν̄i + τ′ < εk + δ = ε_{k+1}.

   (b) xi ∈ High(r_k^{εk}). Then either ν̄i′ = ν̄i + τ′ or ν̄i′ = ν̄i + τ′ − 1. In the first case, we have 1 − ε_{k+1} < 1 − εk < ν̄i ≤ ν̄i′ < 1. In the second case, we have 0 ≤ ν̄i′ < δ < ε_{k+1}.

Figure 4.16: The proof at a glance for transition $(l, \nu) \xrightarrow{N^+} (l, \nu')$

2. Suppose that τ = N − τ′ with 0 < τ′ < δ. This case is illustrated on Figure 4.17. Let us show that ν̄i′ ∈ [0, ε_{k+1}[ ∪ ]1 − ε_{k+1}, 1[ for all i ∈ {1, ..., n}.

   (a) xi ∈ Low(r_k^{εk}). Then either ν̄i′ = ν̄i − τ′, or ν̄i′ = ν̄i − τ′ + 1. In the first case, we have 0 ≤ ν̄i′ ≤ ν̄i < εk < ε_{k+1}. In the second case, we have 1 − ε_{k+1} < 1 − εk < ν̄i < ν̄i′ < 1.

   (b) xi ∈ High(r_k^{εk}). Therefore ν̄i′ = ν̄i − τ′ and 1 − ε_{k+1} = 1 − εk − δ < ν̄i′ < 1.

Figure 4.17: The proof at a glance for transition $(l, \nu) \xrightarrow{N^-} (l, \nu')$

¹⁶ As in the proof of the previous lemma, we use the notation discussed in Remark 4.2.3. On the other hand, notice that ε ∈ ]0, 1/2] by the choice of δ.
4.2.3 Weighted discrete graph
In the previous subsection, we gave the relation between the ε-semantics and the ε-region graph of a timed automaton A. In this section, we introduce the notion of discrete graph, a notion similar to the ε-region graph, which is independent of ε (Definition 4.2.15). Then, we consider A as a weighted timed automaton with a cost function C. We show how the discrete graph can be augmented with a weight function W in relation to C (Definition 4.2.18). We end the section with an important result that indicates how the optimal cost OptCost(r, r′), with r, r′ being two regions of RA, can be computed thanks to the weighted discrete graph (Theorem 4.2.24). In [BBL04], we propose the construction of a graph called the corner point abstraction, for studying the optimal way of staying in a designated set of safe locations. This construction shares several ideas with the construction proposed here for the weighted discrete graph.

Let A be a timed automaton. We begin with a lemma that states that all the ε-region graphs R_A^ε are isomorphic.

Lemma 4.2.14. Let A be a timed automaton. Then all the ε-region graphs R_A^ε, with ε ∈ ]0, 1/3], are isomorphic graphs.

Proof. Consider R_A^δ = (S^δ, →) and R_A^ε = (S^ε, →), with δ, ε ∈ ]0, 1/3] such that δ < ε. We have to prove that R_A^δ and R_A^ε are isomorphic graphs, that is, there exists a one-to-one correspondence between S^δ and S^ε that respects the edge relation → of each graph.

For any δ-region r^δ of R_A^δ, since δ < ε, there exists exactly one ε-region r^ε of R_A^ε such that r^δ ⊆ r^ε.¹⁷ This establishes the one-to-one correspondence between S^δ and S^ε. Of course we have Low(r^ε) = Low(r^δ) and High(r^ε) = High(r^δ).

If r^δ → r′^δ is an edge in R_A^δ, then clearly there is an edge r^ε → r′^ε in R_A^ε. The converse is more difficult to prove. However the proof follows arguments similar to the ones given in the proof of Lemma 4.2.12. Let us explain them, with fewer details.¹⁸

Let r^ε → r′^ε be an edge in R_A^ε. It is a switch-edge or a time-edge. We have to show that there exists an edge r^δ → r′^δ in R_A^δ. If r^ε → r′^ε is a switch-edge, it is not difficult to verify that r^δ → r′^δ exists.

We now treat the case where r^ε → r′^ε is a time-edge. Let $(l, \nu) \xrightarrow{\tau} (l, \nu')$ be a time-transition in TA such that (l, ν) ∈ r^ε and (l, ν′) ∈ r′^ε. We define new clock values µ from ν as follows

$$\mu_i = \begin{cases} \lfloor \nu_i \rfloor + \dfrac{\delta}{2\varepsilon}\,\bar\nu_i & \text{if } x_i \in \mathrm{Low}(r^\varepsilon) \\[6pt] \lfloor \nu_i \rfloor + 1 - \dfrac{\delta}{2\varepsilon}\,(1 - \bar\nu_i) & \text{if } x_i \in \mathrm{High}(r^\varepsilon) \end{cases}$$

One verifies that for each i

$$\bar\mu_i \in \Big[0, \frac{\delta}{2}\Big[ \;\cup\; \Big]1 - \frac{\delta}{2}, 1\Big[.$$

¹⁷ We again use the notation discussed in Remark 4.2.3.
¹⁸ We use the notation of the proof of Lemma 4.2.12. Figures 4.10–4.15 will be helpful.
In particular, (l, µ) ∈ r^δ. If we exhibit a time-transition $(l, \mu) \xrightarrow{\tau'} (l, \mu')$ in TA with (l, µ′) ∈ r′^δ, then we obtain the required time-edge r^δ → r′^δ of R_A^δ.

First we suppose that r′ is a closed region. Hence there exists a clock xf such that ν̄f′ = 0. It follows that τ = N − νf with N = νf′ ∈ N. We define τ′ = N − µf and µ′ = µ + τ′. Let us show that (l, µ′) ∈ r′^δ, i.e. µ̄i′ ∈ [0, δ[ ∪ ]1 − δ, 1[ for each i. We have to distinguish four cases.

1. xf ∈ Low(r^ε).

   (a) xi ∈ Low(r^ε). If µ̄i ≥ µ̄f, then µ̄i′ = µ̄i − µ̄f. We have 0 ≤ µ̄i′ < δ/2 < δ. If µ̄i < µ̄f, then µ̄i′ = 1 − (µ̄f − µ̄i). We have 1 − δ < 1 − δ/2 < µ̄i′ < 1.

   (b) xi ∈ High(r^ε). We have µ̄i′ = µ̄i − µ̄f. We conclude that 1 − δ = 1 − 2·(δ/2) < µ̄i′ < 1.

2. xf ∈ High(r^ε).

   (a) xi ∈ Low(r^ε). We have µ̄i′ = µ̄i + (1 − µ̄f). Hence 0 ≤ µ̄i′ < 2·(δ/2) = δ.

   (b) xi ∈ High(r^ε). If µ̄i < µ̄f, then µ̄i′ = µ̄i + (1 − µ̄f) and 1 − δ < 1 − δ/2 < µ̄i′ < 1. If µ̄i ≥ µ̄f, then µ̄i′ = µ̄i − µ̄f and 0 ≤ µ̄i′ < δ/2 < δ.

We have thus proved that $(l, \mu) \xrightarrow{\tau'} (l, \mu')$ is a transition in TA with (l, µ′) ∈ r′^δ.

We now treat the case where r′ is an open region. Either there exists a closed region r′′ such that r → r′′ → r′ and r′ = succ(r′′), or r′′ does not exist and then r = r′.

1. If r′′ exists, by using the previous case, we can find a transition $(l, \mu) \xrightarrow{\tau'_1} (l, \mu'')$ in TA such that (l, µ′′) ∈ r′′^δ. We then choose τ2′ such that τ2′ < min(δ − µ̄b′′, 1 − µ̄d′′), and we define µ′ = µ + τ1′ + τ2′. It follows that $(l, \mu) \xrightarrow{\tau'_1 + \tau'_2} (l, \mu')$ is a transition in TA such that (l, µ′) ∈ r′^δ.

2. If r′′ does not exist, then r = r′. In the case r^ε = r′^ε, we proceed with an argument similar to the one of the previous case with τ′ < min(δ − µ̄b, 1 − ν̄d). In the case r^ε ≠ r′^ε, we show as in the proof of Lemma 4.2.12 that

$$\mathrm{Low}(r^\varepsilon) = \mathrm{High}(r'^\varepsilon), \quad \text{and} \quad \mathrm{High}(r^\varepsilon) = \mathrm{Low}(r'^\varepsilon) = \emptyset. \tag{4.16}$$

We then choose τ′ = 1 − δ. Let us show that, with µ′ = µ + τ′, we have (l, µ′) ∈ r′^δ, that is, 1 − δ < µ̄c′ and µ̄d′ < 1. We have µ̄c′ = µ̄a + 1 − δ > 1 − δ, and µ̄d′ = µ̄b + 1 − δ < 1. The proof is completed.

Due to the previous lemma, the only difference between the ε-region graphs, with ε ∈ ]0, 1/3], is the size of their ε-regions depending on ε. We thus introduce the following graph, independently of any ε, which is isomorphic to all R_A^ε. It can be seen as the limit graph of R_A^ε when ε converges to 0.

Definition 4.2.15. Let A be a timed automaton. We denote by Ṙ_A = (Ṡ, →) a graph isomorphic to each R_A^ε = (S^ε, →), with ε ∈ ]0, 1/2], and we call it the discrete graph of A. We also use the same terminology of switch-edge and time-edge.

Remark 4.2.16. In the sequel, as done in Remark 4.2.3, we use the same letter r to express that the vertex ṙ of Ṡ is isomorphic to the vertex r^ε of S^ε. Moreover, we say that the edge ṙ → ṙ′ is isomorphic to r^ε → r′^ε, and that the path ṙ ⇝ ṙ′ is isomorphic to r^ε ⇝ r′^ε.

We now want to augment the discrete graph with a weight function. First, in the next lemma, we show that given a time-edge r^ε → r′^ε in the ε-region graph R_A^ε, we can associate a unique integer N which represents, up to 2ε, the time elapsed between r^ε and r′^ε. We recall that both ε-regions r^ε and r′^ε are bounded (see Remark 3.1.4). Let us notice that it is impossible to associate a unique integer with an edge r → r′ of the region graph RA in such a way.
111
4.2 — A solution to the cost-optimal reachability problem
Lemma 4.2.17. Let $A$ be a timed automaton. Let $r^{\varepsilon} \to r'^{\varepsilon}$ be a time-edge in the $\varepsilon$-region graph $R_A^{\varepsilon}$, with $\varepsilon \in \,]0, \tfrac{1}{6}]$. Then there exists a unique $N \in \mathbb{N}$ such that for all time-transitions $(l, \nu) \xrightarrow{\tau} (l, \nu')$ in $T_A$ with $(l, \nu) \in r^{\varepsilon}$ and $(l, \nu') \in r'^{\varepsilon}$: $|\tau - N| < 2\varepsilon$. Moreover, $N$ is independent of $\varepsilon$.

Proof. Let $(l, \nu) \xrightarrow{\tau} (l, \nu')$ be a time-transition such that $(l, \nu) \in r^{\varepsilon}$ and $(l, \nu') \in r'^{\varepsilon}$. We first prove that there exists $N \in \mathbb{N}$ such that $|\tau - N| < 2\varepsilon$. We then prove that this integer $N$ is the same for all such time-transitions.

1. Existence. Assume the contrary, that is, $|\tau - N| \ge 2\varepsilon$ for all $N \in \mathbb{N}$. In particular, for $M = \lfloor \tau \rfloor$, we have $\tau = M + \tau'$ with $2\varepsilon \le \tau' \le 1 - 2\varepsilon$. Let $x_i$ be a clock and write $\nu_i = \lfloor \nu_i \rfloor + \bar\nu_i$. We consider two cases according to $x_i \in \mathrm{Low}(r^{\varepsilon})$ or $x_i \in \mathrm{High}(r^{\varepsilon})$, and we bound $\nu'_i = \nu_i + \tau$.

(a) $x_i \in \mathrm{Low}(r^{\varepsilon})$, i.e. $0 \le \bar\nu_i < \varepsilon$. Then
$$M + 2\varepsilon \le \bar\nu_i + M + \tau' < \varepsilon + M + (1 - 2\varepsilon) = (M + 1) - \varepsilon,$$
and since $\nu'_i = \lfloor \nu_i \rfloor + \bar\nu_i + M + \tau'$, it follows that $2\varepsilon \le \bar\nu'_i < 1 - \varepsilon$. This contradicts $(l, \nu') \in r'^{\varepsilon}$.

(b) $x_i \in \mathrm{High}(r^{\varepsilon})$, i.e. $1 - \varepsilon < \bar\nu_i < 1$. Then
$$(M + 1) + \varepsilon = (1 - \varepsilon) + M + 2\varepsilon < \bar\nu_i + M + \tau' < 1 + M + (1 - 2\varepsilon) = (M + 2) - 2\varepsilon,$$
so that $\varepsilon < \bar\nu'_i < 1 - 2\varepsilon$, again in contradiction with $(l, \nu') \in r'^{\varepsilon}$.

2. Uniqueness. Let us consider two time-transitions $(l, \nu) \xrightarrow{\tau} (l, \nu')$ and $(l, \tilde\nu) \xrightarrow{\tilde\tau} (l, \tilde\nu')$ such that $(l, \nu), (l, \tilde\nu) \in r^{\varepsilon}$ and $(l, \nu'), (l, \tilde\nu') \in r'^{\varepsilon}$. We know that there exist $N, \tilde N \in \mathbb{N}$ such that $|\tau - N| < 2\varepsilon$ and $|\tilde\tau - \tilde N| < 2\varepsilon$. Let us show that $N = \tilde N$. We have
$$|\tilde N - N| = |(\tau - N) - (\tilde\tau - \tilde N) + (\tilde\tau - \tau)| < 4\varepsilon + |\tilde\tau - \tau|.$$
For all $i \in \{1, \dots, n\}$, we have $\nu'_i = \nu_i + \tau$ and $\tilde\nu'_i = \tilde\nu_i + \tilde\tau$. Moreover, we recall that $(l, \nu), (l, \tilde\nu) \in r^{\varepsilon}$ and $(l, \nu'), (l, \tilde\nu') \in r'^{\varepsilon}$, so that $|\tilde\nu_i - \nu_i| < \varepsilon$ and $|\tilde\nu'_i - \nu'_i| < \varepsilon$. Therefore
$$|\tilde\tau - \tau| = |(\tilde\nu'_i - \nu'_i) - (\tilde\nu_i - \nu_i)| < 2\varepsilon.$$
Chapter 4 — Optimal Reachability

It follows that $|\tilde N - N| < 6\varepsilon$. By hypothesis $\varepsilon \le \tfrac{1}{6}$. Hence $N = \tilde N$.

It remains to prove that $N$ is independent of $\varepsilon$. Let $\varepsilon, \varepsilon' \in \,]0, \tfrac{1}{6}]$ and $N, N' \in \mathbb{N}$ be such that $|\tau - N| < 2\varepsilon$ and $|\tau - N'| < 2\varepsilon'$. Then
$$|N' - N| = |(\tau - N) - (\tau - N')| < 2\varepsilon + 2\varepsilon' \le \tfrac{2}{3} < 1.$$
Therefore $N = N'$.

Remembering the definition of the discrete graph $\dot R_A$ (see Definition 4.2.15), the number $N$ proposed in Lemma 4.2.17 for the time-edge $r^{\varepsilon} \to r'^{\varepsilon}$ of $R_A^{\varepsilon}$ can also be associated with the time-edge $\dot r \to \dot r'$ of $\dot R_A$ isomorphic to $r^{\varepsilon} \to r'^{\varepsilon}$.

We now see $A$ as a weighted timed automaton $A = (L, X, E, I, C)$, and we explain how to assign a weight to each edge of the discrete graph $\dot R_A$ of $A$, in relation with the cost function $C$. Let $\varepsilon \in \,]0, \tfrac{1}{6}]$ and let $\dot r \to \dot r'$ be an edge of $\dot R_A$. It is isomorphic to an edge $r^{\varepsilon} \to r'^{\varepsilon}$ of the $\varepsilon$-region graph $R_A^{\varepsilon}$. Consider a transition
$$(l, \nu) \to (l', \nu') \tag{4.17}$$
in $T_A$ such that $(l, \nu) \in r^{\varepsilon}$ and $(l', \nu') \in r'^{\varepsilon}$. It is a time-transition $(l, \nu) \xrightarrow{\tau} (l', \nu')$ or a switch-transition $(l, \nu) \xrightarrow{e} (l', \nu')$.

1. Transition $(l, \nu) \xrightarrow{\tau} (l', \nu')$. In this case, $\dot r \to \dot r'$ is a time-edge. We associate with it the weight
$$W(\dot r, \dot r') = N \cdot C(l) \tag{4.18}$$
where $N$ is the unique integer of Lemma 4.2.17.

2. Transition $(l, \nu) \xrightarrow{e} (l', \nu')$. Thus $\dot r \to \dot r'$ is a switch-edge. We associate with it the weight
$$W(\dot r, \dot r') = C(e). \tag{4.19}$$
Definition 4.2.18. Let $A$ be a weighted timed automaton. The discrete graph $\dot R_A$ of $A$ augmented with the weight function $W$ as defined in (4.18) and (4.19) is called the weighted discrete graph $\dot R_A^{w} = (\dot S, \to, W)$ of $A$.

Remark 4.2.19. We are aware that this definition is incorrect in some very particular cases. Indeed (see Remark 3.1.14), both weights defined in (4.18) and (4.19) can be assigned to the same edge $\dot r \to \dot r'$ when the transition $(l, \nu) \to (l', \nu')$ of (4.17) is both a time-transition and a switch-transition. If such a case happens, the edge $\dot r \to \dot r'$ must be duplicated so that each of the two weights is assigned to one of the two copies.

Remark 4.2.20. We notice that the weights labeling the edges of $\dot R_A^{w}$ are polynomials in the constants appearing in $A$ (see (4.18) and (4.19)). Therefore, since $|R_A^{\varepsilon}|$ is in $O(2^{|A|})$ by Remark 4.2.9, we also have $|\dot R_A^{w}|$ in $O(2^{|A|})$.
Definition 4.2.21. Let $A$ be a weighted timed automaton. Let $\dot\rho = \dot r_0 \to \dot r_1 \to \dot r_2 \cdots \to \dot r_m$ be a path in $\dot R_A^{w}$. Then the weight $W(\dot\rho)$ of $\dot\rho$ is equal to
$$W(\dot\rho) = \sum_{k=0}^{m-1} W(\dot r_k, \dot r_{k+1}).$$
It is an integer number.
In the next two lemmas, we relate the weight of paths in $\dot R_A^{w}$ to the cost of runs in $T_A^{\varepsilon}$. These lemmas are the counterparts of Lemmas 4.2.12 and 4.2.13 with weight.

Lemma 4.2.22. Let $A = (L, X, E, I, C)$ be a weighted timed automaton and let $K = \sum_{l \in L} |C(l)|$. Let $\dot\rho = \dot r \leadsto \dot r'$ be an initial path of length $m$ in $\dot R_A^{w}$. Let $\varepsilon \in \,]0, \tfrac{1}{6}]$. Then there exist two $\varepsilon$-regions $r^{\varepsilon}, r'^{\varepsilon}$ of $R_A^{\varepsilon}$ respectively isomorphic to $\dot r, \dot r'$, and there exists an $\varepsilon$-run $\rho^{\varepsilon} = q \leadsto q'$ of length $m$ in $T_A^{\varepsilon}$ such that $|W(\dot\rho) - C(\rho^{\varepsilon})| \le 2\varepsilon K m$ and $q \in r^{\varepsilon}$, $q' \in r'^{\varepsilon}$.
Proof. Suppose $\dot\rho$ has the form $\dot r_0 \to \dot r_1 \to \cdots \to \dot r_m$. It is isomorphic to the path $\rho_{S^{\varepsilon}} = r_0^{\varepsilon} \to r_1^{\varepsilon} \to \cdots \to r_m^{\varepsilon}$ in $R_A^{\varepsilon}$. Since $\dot\rho$ is initial, $r_0^{\varepsilon} = [(l_0, 0)]$ for some location $l_0$. By Lemma 4.2.12, there exists an $\varepsilon$-run $\rho^{\varepsilon} = (l_0, 0) \to (l_1, \nu^1) \to \cdots \to (l_m, \nu^m)$ in $T_A^{\varepsilon}$ such that $(l_k, \nu^k) \in r_k^{\varepsilon}$ for all $k$. Looking at Definitions 3.3.12 and 4.2.21, by Lemma 4.2.17 we verify that $|W(\dot\rho) - C(\rho^{\varepsilon})| \le 2\varepsilon K m$.

Lemma 4.2.23. Let $A = (L, X, E, I, C)$ be a weighted timed automaton and let $K = \sum_{l \in L} |C(l)|$. Let $\rho^{\delta} = q \leadsto q'$ be an initial $\delta$-run of length $m$ in $T_A^{\delta}$, with $\delta \in \,]0, \tfrac{1}{6(m+1)}]$. Then there exist two $\varepsilon$-regions $r^{\varepsilon}, r'^{\varepsilon}$ of $R_A^{\varepsilon}$ such that $q \in r^{\varepsilon}$, $q' \in r'^{\varepsilon}$, and there exists a path $\dot\rho = \dot r \leadsto \dot r'$ of length $m$ in $\dot R_A^{w}$ such that $\dot r, \dot r'$ are respectively isomorphic to $r^{\varepsilon}, r'^{\varepsilon}$ and $|W(\dot\rho) - C(\rho^{\delta})| \le 2\varepsilon K m$ with $\varepsilon = (m+1)\delta$.

Proof. Suppose that $\rho^{\delta}$ is of the form $(l_0, 0) \to (l_1, \nu^1) \to \cdots \to (l_m, \nu^m)$. By Lemma 4.2.13, there exists a path $\rho_{S^{\varepsilon}} = r_0^{\varepsilon} \to r_1^{\varepsilon} \to \cdots \to r_m^{\varepsilon}$ in $R_A^{\varepsilon}$ such that $(l_k, \nu^k) \in r_k^{\varepsilon}$ for all $k \in \{0, \dots, m\}$. We consider the isomorphic path $\dot\rho = \dot r_0 \to \dot r_1 \to \cdots \to \dot r_m$ of $\dot R_A^{w}$. As in the proof of Lemma 4.2.22, we conclude that $|W(\dot\rho) - C(\rho^{\delta})| \le 2\varepsilon K m$.

Let $A$ be a timed automaton and $r, r'$ be two regions of $R_A$. We are going to state an important result about $\mathrm{OptCost}(r, r')$. Before, we need to fix some notation. Due to Remark 4.1.4, the region $r$ is composed of a unique state of the form $(l, 0)$. Thus, given $\varepsilon \in \,]0, \tfrac{1}{2}]$, there is exactly one $\varepsilon$-region $r^{\varepsilon}$ included in $r$ (also composed of the unique state $(l, 0)$). We denote by $\dot r$ the vertex of $\dot R_A^{w}$ isomorphic to $r^{\varepsilon}$. On the other hand, the region $r'$ gives rise to at most $n + 1$ $\varepsilon$-regions $r'^{\varepsilon} \subseteq r'$ (see Remark 4.2.9). We denote by $S(r')$ this set of $\varepsilon$-regions, and by $\dot S(r')$ the set of vertices of $\dot R_A^{w}$ that are isomorphic to them.

Theorem 4.2.24. Let $A$ be a weighted timed automaton and $r, r'$ two regions of $R_A$. Then
$$\mathrm{OptCost}(r, r') = \inf\{W(\dot\rho) \mid \exists \dot r' \in \dot S(r'),\ \dot\rho = \dot r \leadsto \dot r' \text{ path in } \dot R_A^{w}\}. \tag{4.20}$$
Proof. We denote $\inf\{W(\dot\rho) \mid \exists \dot r' \in \dot S(r'),\ \dot\rho = \dot r \leadsto \dot r'\}$ by InfWeight.

Suppose $\mathrm{OptCost}(r, r') = +\infty$, i.e. there is no run $\rho = q \leadsto q'$ of $T_A$ such that $q \in r$, $q' \in r'$. Then there is no path $\dot\rho = \dot r \leadsto \dot r'$ for any $\dot r' \in \dot S(r')$: otherwise, by Lemma 4.2.22, there would exist an $\varepsilon$-run $\rho^{\varepsilon} = q \leadsto q'$ with $q \in r^{\varepsilon}$ and $q' \in r'^{\varepsilon}$, and this $\varepsilon$-run can be seen as a run $\rho = q \leadsto q'$ of $T_A$ with $q \in r$ and $q' \in r'$, a contradiction. So InfWeight $= +\infty$ and Equality (4.20) holds in this case.

Assume $\mathrm{OptCost}(r, r') \in \mathbb{R} \cup \{-\infty\}$ and $\mathrm{OptCost}(r, r') <$ InfWeight. By Corollary 4.1.21, there is a path $\rho_R = r \leadsto r'$ in $R_A$ of length $m$ such that $\mathrm{OptCost}(\rho_R) <$ InfWeight. By Lemmas 4.1.24 and 4.2.23, respectively used with $\varepsilon$ and $\delta$ chosen small enough, we can find a path $\dot\rho = \dot r \leadsto \dot r'$ in $\dot R_A^{w}$ such that $\dot r' \in \dot S(r')$ and $W(\dot\rho) <$ InfWeight. This is impossible.

Assume now that $\mathrm{OptCost}(r, r') \in \mathbb{R}$ and $\mathrm{OptCost}(r, r') >$ InfWeight. By definition of the $\inf$ operator, we have $\mathrm{OptCost}(r, r') > W(\dot\rho)$ for some $\dot\rho = \dot r \leadsto \dot r'$ with $\dot r' \in \dot S(r')$. We get a contradiction using Lemma 4.2.22 with $\varepsilon$ chosen small enough. This proves Equality (4.20).
4.2.4 Complexity

In this section, we prove the main result of this chapter.

Theorem 4.2.25. The cost-optimal reachability problem is PSpace-complete.

Proof. We begin with some preliminary considerations. The discrete graph $\dot R_A^{w}$ has size in $O(2^{|A|})$, and the weights labelling its edges are polynomials in the constants appearing in $A$ (see Remark 4.2.20). In the sequel of the proof, we consider paths $\dot\rho$ in $\dot R_A^{w}$ with a length bounded by the number of vertices of $\dot R_A^{w}$, thus with a length at most exponential in $|A|$. These paths are called elementary. Therefore, the encoding of the cost of an elementary path $\dot\rho$ can be done in PSpace.

Let us now prove that the cost-optimal reachability problem is in PSpace. By Theorem 4.2.24, computing the optimal cost $\mathrm{OptCost}(r, r')$
given two regions $r, r'$ of $R_A$ reduces to computing $\inf\{W(\dot\rho) \mid \exists \dot r' \in \dot S(r'),\ \dot\rho = \dot r \leadsto \dot r' \text{ path in } \dot R_A^{w}\}$. There are three possibilities:

• there is no path $\dot\rho = \dot r \leadsto \dot r'$ with $\dot r' \in \dot S(r')$ in $\dot R_A^{w}$, and thus $\mathrm{OptCost}(r, r') = +\infty$;
• there is such a path $\dot\rho$ containing a cycle with a negative weight, and thus $\mathrm{OptCost}(r, r') = -\infty$;
• there is such a path $\dot\rho$, and none of these paths contains a cycle with a negative weight. Therefore $\mathrm{OptCost}(r, r')$ is an integer equal to the minimum value of $\{W(\dot\rho) \mid \exists \dot r' \in \dot S(r'),\ \dot\rho = \dot r \leadsto \dot r'\}$.

Let us notice that in the three previous situations, the considered paths and cycles can be supposed to be elementary. In the third situation, a path $\dot\rho$ with a minimum value $W(\dot\rho)$ can also be supposed to be elementary. The algorithm works as follows.

1. Guess an elementary path $\dot\rho = \dot r \leadsto \dot r'$ for some $\dot r' \in \dot S(r')$. Note that the length of $\dot\rho$ is exponential in $|A|$, and that each vertex of $\dot R_A^{w}$ can be stored in polynomial space. Hence one can decide in NPSpace, thus in PSpace, whether $\mathrm{OptCost}(r, r')$ is equal to $+\infty$ or not.

2. We assume $\mathrm{OptCost}(r, r') \neq +\infty$. Guess a vertex $\dot r_0$ in $\dot R_A^{w}$, and check whether there exist an elementary path from $\dot r$ to $\dot r_0$ and another one from $\dot r_0$ to some $\dot r' \in \dot S(r')$ (as explained in 1., this can be done in PSpace). Then guess an elementary cycle from $\dot r_0$ to $\dot r_0$ and compute on-the-fly its weight (as explained at the beginning of the proof, the computation of this weight can be done in PSpace). Therefore it can be decided in PSpace whether $\mathrm{OptCost}(r, r')$ is equal to $-\infty$ or not.

3. We assume $\mathrm{OptCost}(r, r') \in \mathbb{Z}$. Guess an elementary path $\dot\rho = \dot r \leadsto \dot r'$ with $\dot r' \in \dot S(r')$, and compute on-the-fly its weight $W(\dot\rho)$. As explained in 2., this can be done in PSpace. Store the weight $W(\dot\rho)$ in a variable aux. If there is no
elementary path $\dot\rho_1 = \dot r \leadsto \dot r'_1$ with $\dot r'_1 \in \dot S(r')$ and with a weight strictly less than aux, then $\mathrm{OptCost}(r, r')$ is equal to aux. Therefore guess such a path $\dot\rho_1$, compute its weight $W(\dot\rho_1)$ on-the-fly, and compare $W(\dot\rho_1)$ with aux. It follows that the complexity of this procedure is in N-(Co-NPSpace), thus in PSpace.

The proposed algorithm is globally in PSpace, showing that the cost-optimal reachability problem is in PSpace. It remains to prove that it is PSpace-hard. We do that by reduction from the reachability problem for timed automata, known to be PSpace-complete [AD94]. Let $A$ be a timed automaton. We augment it with a cost function $C$ that assigns a null cost to each location and edge of $A$. Then, trivially, a region $r'$ is reachable from a region $r$ if and only if the optimal cost $\mathrm{OptCost}(r, r')$ is different from $+\infty$.

We conclude Section 4.2 with the following important remark.

Remark 4.2.26. In Remark 4.1.14, we mentioned that Problem 4.1.8 remains decidable if the duration cost is a concave function (resp. convex function) and the considered optimum cost is an infimum (resp. supremum). Given a weighted timed automaton $A$, we recall that the definitions of the $\varepsilon$-semantics $T_A^{\varepsilon}$, the $\varepsilon$-region graph $R_A^{\varepsilon}$ and the discrete graph $\dot R_A$ have been introduced independently of the cost function $C$ used in $A$. Their definition was only based on the crucial Corollary 4.1.19 indicating that, when computing an optimum cost, only time-transitions with a time $\tau$ arbitrarily close to an integer have to be considered. In Definition 4.2.18, we have shown how to augment the discrete graph $\dot R_A$ with a weight function $W$ in relation with $C$. We have given the related Lemmas 4.2.22 and 4.2.23.

Let us consider some possible generalizations of cost and weight functions. In (4.18), given a time-transition $(l, \nu) \xrightarrow{\tau} (l', \nu')$ in $T_A$ and the related time-edge $\dot r \to \dot r'$ in $\dot R_A$, the duration cost of the time-transition is equal to
$$\tau \cdot C(l), \tag{4.21}$$
and the weight of the time-edge is equal to
$$N \cdot C(l). \tag{4.22}$$
The number $N$ is the unique integer of Lemma 4.2.17 satisfying $|\tau - N| < 2\varepsilon$. Suppose that (4.21) and (4.22) are respectively replaced by $f(\tau) \cdot C(l)$ and $f(N) \cdot C(l)$ where $f$ is a continuous function. It follows that we still have an analogue of Lemma 4.2.17 with $|f(\tau) - f(N)| < \delta$ for $\delta$ small enough, as well as analogues of Lemmas 4.2.22 and 4.2.23. Therefore, Theorem 4.2.24 remains true with a concave duration cost function and the continuous function $f$ mentioned above.¹⁹ If additionally these functions are computable, we get a generalization of Theorem 4.2.25.
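The three-case analysis in the proof of Theorem 4.2.25 ($+\infty$, $-\infty$, or an integer minimum) can be run on a concrete weighted discrete graph. The Python block below is an added example written for this edition, not code from the thesis: it takes a graph whose edges already carry the integer weights of (4.18) and (4.19), restricts it to the vertices that lie on some path from the start vertex to a target vertex, and then runs Bellman-Ford, so that a negative cycle changes the answer only when it lies on such a path (the situation the proof checks by guessing the vertex $\dot r_0$). The graph, the location costs and the vertex names are constructed for the example and are not taken from the thesis.

```python
"""Added example for the proof of Theorem 4.2.25 (not code from the thesis).

Vertices play the role of the discrete regions r-dot of the weighted discrete
graph; each edge carries an integer weight computed as in (4.18)/(4.19).
The graph, the location costs C(l), the switch costs C(e) and the vertex
names below are constructed for this illustration."""
from math import inf


def time_edge(src, dst, n_steps, loc_cost):
    """Time-edge of weight N * C(l), see (4.18)."""
    return (src, dst, n_steps * loc_cost)


def switch_edge(src, dst, edge_cost):
    """Switch-edge of weight C(e), see (4.19)."""
    return (src, dst, edge_cost)


def _closure(seed, neighbours):
    """Vertices reachable from `seed` by repeatedly applying `neighbours`."""
    seen, todo = set(seed), list(seed)
    while todo:
        v = todo.pop()
        for w in neighbours(v):
            if w not in seen:
                seen.add(w)
                todo.append(w)
    return seen


def opt_cost(edges, start, targets):
    """inf{ W(path) | path from `start` to a vertex of `targets` }.

    Returns +inf if no target is reachable, -inf if a negative-weight cycle
    lies on some start-to-target path, and otherwise the minimum path
    weight (an integer): the three cases of the proof of Theorem 4.2.25."""
    targets = set(targets)
    succ, pred = {}, {}
    for u, v, w in edges:
        succ.setdefault(u, []).append((v, w))
        pred.setdefault(v, []).append((u, w))
        succ.setdefault(v, [])
        pred.setdefault(u, [])
    succ.setdefault(start, [])
    pred.setdefault(start, [])

    # Case 1: no path at all.
    forward = _closure({start}, lambda v: [x for x, _ in succ[v]])
    backward = _closure(targets & set(pred), lambda v: [x for x, _ in pred[v]])
    useful = forward & backward          # vertices lying on some start->target path
    if not useful & targets:
        return inf

    # Cases 2 and 3: Bellman-Ford on the useful subgraph.  A negative cycle
    # inside it is both reachable from start and co-reachable to a target,
    # so it witnesses OptCost = -inf; otherwise dist is exact.
    useful_edges = [(u, v, w) for u, v, w in edges if u in useful and v in useful]
    dist = {v: inf for v in useful}
    dist[start] = 0
    for _ in range(len(useful) - 1):
        for u, v, w in useful_edges:
            if dist[u] + w < dist[v]:
                dist[v] = dist[u] + w
    for u, v, w in useful_edges:
        if dist[u] + w < dist[v]:
            return -inf
    return min(dist[t] for t in targets & useful)


# Constructed weighted discrete graph: vertices are (location, clock region) names.
C_LOC = {"l0": 2, "l1": 1}           # constructed location costs C(l)
START = ("l0", "x=0")
GOAL = {("l2", "x=0")}
EDGES_A = [
    time_edge(("l0", "x=0"), ("l0", "x=1"), 1, C_LOC["l0"]),   # N=1, weight 2
    switch_edge(("l0", "x=1"), ("l1", "x=0"), 3),              # C(e)=3
    time_edge(("l1", "x=0"), ("l1", "x=2"), 2, C_LOC["l1"]),   # N=2, weight 2
    switch_edge(("l1", "x=2"), ("l2", "x=0"), 0),
    switch_edge(("l0", "x=0"), ("l2", "x=0"), 10),             # direct but costly
    # a negative cycle reachable from START that cannot reach GOAL: ignored
    switch_edge(("l0", "x=1"), ("l4", "x=0"), 1),
    switch_edge(("l4", "x=0"), ("l4", "x=0"), -1),
]
# A reset edge closing a cycle of weight 2 + (-5) = -3 on a path to GOAL.
EDGES_B = EDGES_A + [switch_edge(("l1", "x=2"), ("l1", "x=0"), -5)]

if __name__ == "__main__":
    print(opt_cost(EDGES_A, START, GOAL))                  # 7
    print(opt_cost(EDGES_B, START, GOAL))                  # -inf
    print(opt_cost(EDGES_A, START, {("l3", "x=0")}))       # inf
```

The restriction to `useful` vertices is the point of step 2 of the proof: a negative cycle that is reachable from $\dot r$ but from which no vertex of $\dot S(r')$ can be reached (the self-loop at `l4` above) must not make the optimal cost $-\infty$.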
4.3 Assumptions

Up to this section, the whole chapter has been written under two assumptions concerning Problem 4.1.3 (see Remark 4.1.4): first, the region $r$ given in Problem 4.1.3 is composed of a unique state of the form $(l, 0)$; second, only the infimum cost is considered. On the other hand, we have supposed in Remark 3.1.4 that the timed automata of this chapter are diagonal-free and bounded. We show in this section that all these assumptions can be discarded.
4.3.1 Supremum cost

Let us go through the chapter and indicate the modifications to be made when the supremum cost is considered instead of the infimum cost. In Definition 4.1.1, the optimal cost $\mathrm{OptCost}(r, r')$ is the supremum of the costs of the runs $\rho = q \leadsto q'$ of $T_A$ such that $q \in r$ and $q' \in r'$. It is equal to $-\infty$ when there is no such run $\rho$. Otherwise it belongs to $\mathbb{R} \cup \{+\infty\}$. Similarly, in Definition 4.1.6, the optimal cost $\mathrm{OptCost}(\rho_R)$ is the supremum of the costs $C(\rho)$ among the runs $\rho$ of $T_A$ such that $[\rho] = \rho_R$.

¹⁹ For instance with $f = \ln$ and $C_d(\rho(t_1, \dots, t_m)) = \sum_{k \in \{1, \dots, m\}} C(l_k) \cdot \ln(t_k)$ (see (4.10)).
The proof of Corollary 4.1.12 stating that Problem 4.1.8 is decidable is the same. Indeed the Simplex Method acts similarly when a supremum or an infimum value has to be computed. Here the supremum value of $C_d(\rho(t_1, \dots, t_m))$ is also obtained at one of the vertices of the polyhedron $\mathrm{Pol}(\rho_R)$. Therefore Corollaries 4.1.20 and 4.1.21 also hold for the supremum costs $\mathrm{OptCost}(\rho_R)$ and $\mathrm{OptCost}(r, r')$.²⁰ In the case of a supremum cost, Theorem 4.2.24 states that
$$\mathrm{OptCost}(r, r') = \sup\{W(\dot\rho) \mid \exists \dot r' \in \dot S(r'),\ \dot\rho = \dot r \leadsto \dot r' \text{ path in } \dot R_A^{w}\}.$$
The proof has to be adapted since the $\sup$ operator is considered. This can be done easily. The proof of Theorem 4.2.25 essentially remains the same. It must be slightly adapted to deal with the $\sup$ operator instead of the $\inf$ operator.

²⁰ Of course, the $\inf$ operator has to be replaced by the $\sup$ operator in Corollary 4.1.21.

4.3.2 Any region $r$

In Definition 4.1.1, the optimal cost $\mathrm{OptCost}(r, r')$ is defined for any regions $r, r'$ of $R_A$. Along the chapter, we have assumed that $r$ is composed of a unique state of the form $(l, 0)$. We now indicate the modifications to be made when $r$ is any region. We here come back to the infimum cost.

We first consider Section 4.1.2 dedicated to the solution of Problem 4.1.8. The approach is similar: given a path $\rho_R = r \leadsto r'$ in $R_A$, we construct a set of constraints $\mathrm{Constr}(\rho_R)$ that define a polyhedron $\mathrm{Pol}(\rho_R)$. The optimal cost $\mathrm{OptCost}(r, r')$ is then computed thanks to one of the vertices of $\mathrm{Pol}(\rho_R)$. Let us go into details. We use the same notation as in Section 4.1.2. Let us write $\rho_R$ as in (4.4):
$$\rho_R = r'_0 \to r_1 \to r'_1 \to r_2 \cdots \to r_m \to r'_m.$$
The runs $\rho$ of $T_A$ such that $[\rho] = \rho_R$ can be parameterized as done in (4.6), with the difference that the first region $r'_0$ is not equal to $[(l_1, 0)]$. Instead of (4.6), we write
$$\rho(t_1, t_2, \dots, t_{n+m}) = q'_0 \xrightarrow{t_{n+1}} q_1 \xrightarrow{e_1} q'_1 \xrightarrow{t_{n+2}} q_2 \xrightarrow{e_2} q'_2 \cdots \xrightarrow{t_{n+m}} q_m \xrightarrow{e_m} q'_m$$
such that
• the state $q'_0$ depends on the parameters $t_1, t_2, \dots, t_n$,
• each state $q_k$ (resp. $q'_k$) depends on the parameters $t_1, t_2, \dots, t_{n+k}$, for $k \in \{1, \dots, m\}$.

Let us study the form of $q'_0 = (l_1, x'^0_1, x'^0_2, \dots, x'^0_n) \in r'_0$. Without loss of generality we can suppose that the ordering of the clocks is as follows:
$$0 \le x'^0_1 \le x'^0_2 \le \cdots \le x'^0_{n-1} \le x'^0_n.$$
We define the $n$ parameters $t_1, \dots, t_n$ such that
$$t_{n-j} = \begin{cases} x'^0_1 & \text{if } j = 0 \\ x'^0_{j+1} - x'^0_j & \text{otherwise} \end{cases} \tag{4.23}$$
for $j \in \{0, \dots, n-1\}$. These parameters are represented on Figure 4.18.

[Figure 4.18: The parameters $t_1, \dots, t_n$. On the clock axis from $0$ to $x'^0_n$, $t_n$ is the length of the segment $[0, x'^0_1]$ and $t_{n-j}$ the length of $[x'^0_j, x'^0_{j+1}]$ for $j \ge 1$.]

With this definition, we have $x'^0_i = x'^0_i(t_1, \dots, t_n)$, for $i \in \{1, \dots, n\}$, equal to the sum
$$x'^0_i(t_1, \dots, t_n) = t_{n-i+1} + \cdots + t_{n-1} + t_n \tag{4.24}$$
which expresses a dependence on the parameters $t_1, \dots, t_n$ like in (4.7). Concerning the other states $q_k = (l_k, x^k)$ (resp. $q'_k = (l_{k+1}, x'^k)$), with $k \in \{1, \dots, m\}$, we also have a dependence on the parameters like in (4.7). The clocks $x^k_i(t_1, \dots, t_{n+k})$ and $x'^k_i(t_1, \dots, t_{n+k})$ are either null or of the form
$$t_{h+1} + t_{h+2} + \cdots + t_{n+k-1} + t_{n+k} \quad \text{with } 0 \le h \le n+k \tag{4.25}$$
(a clock never reset along the run keeps the initial summands of (4.24), so $h$ may be smaller than $n$).
Therefore, as done in (4.9), we have to consider the set of constraints
$$\mathrm{Constr}(\rho_R) = r'_0(t_1, \dots, t_n) \cup \bigcup_{k \in \{1, \dots, m\}} r_k(t_1, \dots, t_{n+k}). \tag{4.26}$$
With the following subsets of $(\mathbb{R}^+)^{n+m}$
$$A(\rho_R) = \{(\tau_1, \dots, \tau_{n+m}) \in (\mathbb{R}^+)^{n+m} \mid [\rho(\tau_1, \dots, \tau_{n+m})] = \rho_R\},$$
$$B(\rho_R) = \{(\tau_1, \dots, \tau_{n+m}) \in (\mathbb{R}^+)^{n+m} \mid (\tau_1, \dots, \tau_{n+m}) \models \mathrm{Constr}(\rho_R)\},$$
we have the analogue of Lemma 4.1.11, i.e. $A(\rho_R) = B(\rho_R)$. The proof of this lemma is similar, except that the base case of the induction has to be adapted to the region $r'_0$. This is easily done by using the additional constraints $r'_0(t_1, \dots, t_n)$ appearing in (4.26).

Therefore, as done in Section 4.1.2, the optimal cost $\mathrm{OptCost}(\rho_R)$ can be obtained by computing the infimum value of the duration cost $C_d(\rho(t_1, \dots, t_{n+m}))$ under the set of constraints $\mathrm{Constr}(\rho_R)$. This infimum value is obtained at one of the vertices of the polyhedron $\overline{\mathrm{Pol}}(\rho_R)$, which is the closure of the polyhedron $\mathrm{Pol}(\rho_R)$ equal to
$$\mathrm{Pol}(\rho_R) = \{(\tau_1, \dots, \tau_{n+m}) \in (\mathbb{R}^+)^{n+m} \mid (\tau_1, \dots, \tau_{n+m}) \models \mathrm{Constr}(\rho_R)\}.$$
This can be computed by the Simplex Method. It follows that Problem 4.1.8 is decidable (Corollary 4.1.12) and that it is decidable whether $\mathrm{OptCost}(\rho_R)$ is realizable (Corollary 4.1.13).

Let us now go through Section 4.1.3. All the results of this section are similar because we have equations (4.24) and (4.25) like in (4.7) that express each clock as a sum of consecutive $t_k$. In particular, since the vertices of the polyhedron $\overline{\mathrm{Pol}}(\rho_R)$ have integer coordinates, a run $\rho = \rho(\tau_1, \dots, \tau_{n+m})$ with a cost $C(\rho)$ arbitrarily close to $\mathrm{OptCost}(\rho_R)$ has its first state $q'_0 \in r'_0$ with its clock values arbitrarily close to an integer (see (4.23)).

In Section 4.1.4, due to the previous discussion, the statement of Lemma 4.1.24 is modified as follows.
Lemma 4.3.1. Let $A$ be a weighted timed automaton, and $\rho_R = r \leadsto r'$ be a canonical path in $R_A$. Let $\varepsilon \in \,]0, \tfrac{1}{2}]$. Then there exists an $\varepsilon$-run $\rho^{\varepsilon} = q \leadsto q'$ in $T_A^{\varepsilon}$ such that $[\rho^{\varepsilon}] = \rho_R$, $|\mathrm{OptCost}(\rho_R) - C(\rho^{\varepsilon})| < \varepsilon$ and $q \in r^{\varepsilon}$.

The only modification appears at the end of the lemma, with $q \in r^{\varepsilon}$. The proof remains the same.

We now go to Section 4.2. We have to pay attention to Lemmas 4.2.12, 4.2.13, 4.2.22 and 4.2.23, and also to Theorems 4.2.24 and 4.2.25. We indicate the modified statements.

Lemma 4.3.2. Let $A$ be a timed automaton and $\varepsilon \in \,]0, \tfrac{1}{3}]$. Let $\rho_{S^{\varepsilon}} = r_0^{\varepsilon} \to r_1^{\varepsilon} \to \cdots \to r_m^{\varepsilon}$ be a path in $R_A^{\varepsilon}$. Then there exists an $\varepsilon$-run $\rho^{\varepsilon} = (l_0, \nu^0) \to (l_1, \nu^1) \to \cdots \to (l_m, \nu^m)$ in $T_A^{\varepsilon}$ such that $(l_k, \nu^k) \in r_k^{\varepsilon}$ for all $k \in \{0, \dots, m\}$.

The proof of this lemma is the same except for case $k = 0$. Instead of defining the first state $(l_0, \nu^0) = (l_0, 0)$, we choose it such that $(l_0, \nu^0) \in r_0^{\varepsilon_0}$ with $\varepsilon_0 = \varepsilon/(2m)$.

Lemma 4.3.3. Let $A$ be a timed automaton. Let $\rho^{\delta} = (l_0, \nu^0) \to (l_1, \nu^1) \to \cdots \to (l_m, \nu^m)$ be a $\delta$-run in $T_A^{\delta}$, such that $\delta \in \,]0, \tfrac{1}{2(m+1)}]$ and $(l_0, \nu^0) \in r_0^{\delta}$ for some $\delta$-region $r_0^{\delta}$ of $R_A^{\delta}$. Then, with $\varepsilon = (m+1)\delta$, there exists a path $\rho_{S^{\varepsilon}} = r_0^{\varepsilon} \to r_1^{\varepsilon} \to \cdots \to r_m^{\varepsilon}$ in $R_A^{\varepsilon}$ such that $(l_k, \nu^k) \in r_k^{\varepsilon}$ for all $k \in \{0, \dots, m\}$.

The proof of this lemma is the same except for case $k = 0$. By hypothesis, we have $(l_0, \nu^0) \in r_0^{\delta} = r_0^{\varepsilon_0}$.

Lemma 4.3.4. Let $A = (L, X, E, I, C)$ be a weighted timed automaton and let $K = \sum_{l \in L} |C(l)|$. Let $\dot\rho = \dot r \leadsto \dot r'$ be a path of length $m$ in $\dot R_A^{w}$. Let $\varepsilon \in \,]0, \tfrac{1}{6}]$. Then there exist two $\varepsilon$-regions $r^{\varepsilon}, r'^{\varepsilon}$ of $R_A^{\varepsilon}$ respectively isomorphic to $\dot r, \dot r'$, and there exists an $\varepsilon$-run $\rho^{\varepsilon} = q \leadsto q'$ of length $m$ in $T_A^{\varepsilon}$ such that $|W(\dot\rho) - C(\rho^{\varepsilon})| \le 2\varepsilon K m$ and $q \in r^{\varepsilon}$, $q' \in r'^{\varepsilon}$.
The proof is unchanged.
Lemma 4.3.5. Let $A = (L, X, E, I, C)$ be a weighted timed automaton and let $K = \sum_{l \in L} |C(l)|$. Let $\rho^{\delta} = q \leadsto q'$ be a $\delta$-run of length $m$ in $T_A^{\delta}$, such that $\delta \in \,]0, \tfrac{1}{6(m+1)}]$ and $q = (l_0, \nu^0) \in r_0^{\delta}$ for some $\delta$-region $r_0^{\delta}$ of $R_A^{\delta}$. Then there exist two $\varepsilon$-regions $r^{\varepsilon}, r'^{\varepsilon}$ of $R_A^{\varepsilon}$ such that $q \in r^{\varepsilon}$, $q' \in r'^{\varepsilon}$, and there exists a path $\dot\rho = \dot r \leadsto \dot r'$ of length $m$ in $\dot R_A^{w}$ such that $\dot r, \dot r'$ are respectively isomorphic to $r^{\varepsilon}, r'^{\varepsilon}$ and $|W(\dot\rho) - C(\rho^{\delta})| \le 2\varepsilon K m$ with $\varepsilon = (m+1)\delta$.

The proof is unchanged.

Concerning Theorem 4.2.24, the modifications come from the fact that $r$ is any region. Instead of having a unique vertex $\dot r$ associated with $r$, we now have to consider all the vertices $\dot r \in \dot S(r)$. The statement of the theorem is thus as follows, with a similar proof.

Theorem 4.3.6. Let $A$ be a weighted timed automaton and $r, r'$ two regions of $R_A$. Then
$$\mathrm{OptCost}(r, r') = \inf\{W(\dot\rho) \mid \exists \dot r \in \dot S(r),\ \exists \dot r' \in \dot S(r'),\ \dot\rho = \dot r \leadsto \dot r' \text{ path in } \dot R_A^{w}\}.$$

Finally, the proof of Theorem 4.2.25 is similar, except that the algorithm has to deal with paths $\dot\rho = \dot r \leadsto \dot r'$ such that $\dot r \in \dot S(r)$ and $\dot r' \in \dot S(r')$.
4.3.3 Any timed automaton

In this chapter, we have restricted our study to bounded and diagonal-free timed automata. These restrictions are quite classical [BBL04, LR05]. Indeed, it is well known that diagonal constraints can be removed from timed automata [BPDG98] (while preserving strong bisimilarity), and we briefly explain here how to transform a diagonal-free timed automaton into a bounded one. This construction is a folklore result. We recall it here since we could not find it in any paper of the literature.
Let $A = (L, X, E, I(, C))$ be a (weighted) diagonal-free timed automaton. Let $M$ be an integer strictly greater than all constants appearing in the guards of $A$. Then we construct the following automaton $A' = (L', X, E', I'(, C'))$:

• the set $L'$ of locations is $L \times 2^X$;
• the set $E'$ of edges contains
  – $((l, Z), g_Z, Y, (l', Z'))$ if $(l, g, Y, l')$ is an edge of $A$, where $g_Z$ is the guard obtained by replacing every $x \sim c$ with $x \in Z$ by either true or false, depending on $\sim$: if $\sim$ is $\ge$ or $>$, it is replaced by true, otherwise it is replaced by false; the set $Z'$ is equal to $Z \setminus Y$;
  – $((l, Z), x = M, \{x\}, (l, Z \cup \{x\}))$ for every location $(l, Z)$ and every clock $x \in X$;
• the invariant $I'$ is such that $I'(l, Z) = I(l) \wedge \bigwedge_{x \in X} x \le M$;
• the cost function $C'$ is naturally defined by
$$C'((l, Z), g_Z, Y, (l', Z')) = C(l, g, Y, l'), \qquad C'((l, Z), x = M, \{x\}, (l, Z \cup \{x\})) = 0, \qquad C'(l, Z) = C(l).$$

Intuitively, a location $(l, Z)$ represents the location $l$ where all clocks in $Z$ are inactive (i.e. they should be strictly above the greatest constant of $A$, so that the truth value of every guard of $A$ on them is known). The automaton $A'$ is clearly bounded (by $M$). It is easy to check that every run $\rho$ of $T_A$ has a corresponding run $\rho'$ in $T_{A'}$, and vice-versa. Moreover these two runs have exactly the same costs. Thus, computing the optimal cost in $A$ can be reduced to computing the optimal cost in $A'$.

Let us notice that the two constructions needed to restrict to bounded diagonal-free timed automata induce an exponential blowup in the number of locations of the timed automaton. More precisely, the number of locations of the resulting automaton is $|L| \cdot 2^{|\mathrm{Diag}|} \cdot 2^{|X|}$, where $|\mathrm{Diag}|$ is the number of diagonal guards in the original automaton, whereas the number of edges becomes $|E| \cdot 2^{|\mathrm{Diag}|} \cdot 2^{|X|} + (|L| \cdot 2^{|\mathrm{Diag}|} \cdot 2^{|X|}) \cdot |X|$. Nevertheless, the size of the region graph of the resulting automaton remains exponential, because exponential factors are multiplied (see Remark 3.2.3). All our complexity computations thus remain correct and computing the optimal cost also remains PSpace-complete.
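The construction above is mechanical enough to be written down. The Python block below is an added example written for this edition, not code from the thesis: it builds $A'$ from a small constructed diagonal-free automaton $A$ whose guards are conjunctions of atoms $(x, \sim, c)$, rewrites each guard into $g_Z$ for every inactive set $Z$, adds the $x = M$ deactivation edges of cost $0$, extends the invariants with $x \le M$ and carries the costs over. The sizes it reports match the counts $|L| \cdot 2^{|X|}$ and $|E| \cdot 2^{|X|} + |L| \cdot 2^{|X|} \cdot |X|$ given above (no diagonal guards, so $|\mathrm{Diag}| = 0$). The data representation and the example automaton are assumptions of this example.

```python
"""Added example for Section 4.3.3 (not code from the thesis): the folklore
construction turning a diagonal-free (weighted) timed automaton A into a
bounded automaton A' whose locations are pairs (l, Z), Z being the set of
clocks declared inactive.  Guards are conjunctions of atoms (clock, op, c);
a guard that became contradictory is represented by the value False.
The automaton EXAMPLE at the end is constructed for this illustration."""
from dataclasses import dataclass, field
from itertools import chain, combinations

TRUE_WHEN_INACTIVE = {">", ">="}   # x ~ c holds for x > M > c exactly for these ops


@dataclass
class TA:
    locations: list
    clocks: list
    edges: list                 # (l, guard, resets, l'); guard = list of atoms or False
    invariants: dict            # l -> list of atoms
    loc_cost: dict = field(default_factory=dict)    # C(l)
    edge_cost: dict = field(default_factory=dict)   # index in `edges` -> C(e)


def subsets(xs):
    """All subsets Z of the clock set, as frozensets (2^|X| of them)."""
    return [frozenset(c) for k in range(len(xs) + 1) for c in combinations(xs, k)]


def max_constant(ta):
    """Largest constant in the guards and invariants of `ta` (0 if none)."""
    guards = (g for _, g, _, _ in ta.edges if g is not False)
    atoms = chain(chain.from_iterable(guards), chain.from_iterable(ta.invariants.values()))
    return max((c for _, _, c in atoms), default=0)


def rewrite_guard(guard, inactive):
    """g_Z: an atom x ~ c with x in Z becomes true (and is dropped) for >, >=,
    and false (the whole guard is False) for <, <=, ==."""
    if guard is False:
        return False
    kept = []
    for x, op, c in guard:
        if x in inactive:
            if op not in TRUE_WHEN_INACTIVE:
                return False
        else:
            kept.append((x, op, c))
    return kept


def bound(ta):
    """Return (A', M) where M is one above every constant of A."""
    M = max_constant(ta) + 1
    locs, edges, inv, lcost, ecost = [], [], {}, {}, {}
    for l in ta.locations:
        for Z in subsets(ta.clocks):
            locs.append((l, Z))
            inv[(l, Z)] = list(ta.invariants.get(l, [])) + [(x, "<=", M) for x in ta.clocks]
            lcost[(l, Z)] = ta.loc_cost.get(l, 0)
            # deactivation edges: when x reaches M, reset it and mark it inactive (cost 0)
            for x in ta.clocks:
                ecost[len(edges)] = 0
                edges.append(((l, Z), [(x, "==", M)], frozenset({x}), (l, Z | {x})))
    for i, (l, g, Y, l2) in enumerate(ta.edges):
        for Z in subsets(ta.clocks):
            ecost[len(edges)] = ta.edge_cost.get(i, 0)
            edges.append(((l, Z), rewrite_guard(g, Z), frozenset(Y), (l2, Z - frozenset(Y))))
    return TA(locs, list(ta.clocks), edges, inv, lcost, ecost), M


# Constructed example: two locations, two clocks, one guarded and one unguarded edge.
EXAMPLE = TA(
    locations=["l0", "l1"],
    clocks=["x", "y"],
    edges=[("l0", [("x", ">=", 2), ("y", "<=", 5)], {"x"}, "l1"),
           ("l1", [], set(), "l0")],
    invariants={"l0": [("y", "<=", 5)]},
    loc_cost={"l0": 1, "l1": 3},
    edge_cost={0: 4},
)

if __name__ == "__main__":
    B, M = bound(EXAMPLE)
    print(M, len(B.locations), len(B.edges))   # 6 8 24
```

Edges whose guard became `False` are kept so that the edge count matches the formula; an implementation that only needs reachability may drop them, which does not change any run of $A'$.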
4.3.4 Discrete time

The whole discussion in this chapter concerns weighted timed automata on dense time. However, when considering weighted timed automata on discrete time, Theorem 4.2.25 remains valid. Let us quickly explain why the cost-optimal reachability problem remains PSpace-complete when working with discrete time. As done in the proof of Theorem 4.2.25, we deduce the PSpace-hardness of the cost-optimal reachability problem from the PSpace-completeness of the reachability problem for timed automata on discrete time (see [AL02]). The algorithm proposed in the proof of Theorem 4.2.25 remains valid when considering the cost-optimal reachability problem with discrete time. This shows that the cost-optimal reachability problem with discrete time is in PSpace and thus PSpace-complete.
Chapter 5 Model-Checking

In this chapter, motivated by the open problem of model-checking timed automata augmented with costs proposed in [ACD93], we introduce and study a temporal logic on weighted timed automata. This logic is called the weighted CTL logic, WCTL for short. The WCTL logic is close to the DTL logic of [BES93] and the ICTL logic of [AHH96]. Our first result is the undecidability of the model-checking problem for both discrete and dense time (see Section 5.2). Then, in Section 5.3, we limit our study to a restriction of the WCTL logic, namely the $\mathrm{WCTL}_r$ logic. In this context we prove that for discrete time, when working with the $\mathrm{WCTL}_r$ logic, the model-checking problem for weighted timed automata is PSpace-complete. However, for dense time the panorama completely changes. In this case, we first prove that the $\mathrm{WCTL}_r$ model-checking problem becomes undecidable in general. This is no longer true with 1 clock and 1 stopwatch¹, since in this particular case the $\mathrm{WCTL}_r$ model-checking problem is decidable. We also identify the precise frontier between finite and infinite bisimulations for automata with stopwatch observers. The results of this chapter are based on [BBR04, BBR06, BBM06]. Before we proceed, let us give some conventions and notations that we will use throughout the chapter.

¹ A stopwatch is a cost variable whose values are in $\{0, 1\}$.
Conventions and notations. In this chapter we only consider diagonal-free weighted timed automata² $A$ where the set of actions $\Sigma$ reduces to a singleton. In this context, the set $\Sigma$ is useless. To avoid heavy notation we will thus denote weighted timed automata $A$ by $(L, X, E, I, \mathcal{L}, C)$. Moreover we assume that the cost function assigns only positive costs, i.e. $C : L \cup E \to \mathbb{N}^m$.
5.1 Weighted CTL

In this section, we introduce the weighted CTL logic, WCTL logic for short (close to the ICTL logic of [AHH96] and to the DTL logic of [BES93]). Two logics, discrete and dense, are proposed according to discrete or dense time.

Notations. Let $Z = \{z_1, \dots, z_m\}$ be a set of $m$ cost variables. A cost constraint $\pi$ is of the form $z_i \sim c$ or $z_i - z_j \sim c$ where $z_i, z_j$ are cost variables, $c \in \mathbb{N}$ is an integer constant and $\sim$ is one of the symbols $\{<, \le, =, \ge, >\}$.

Definition 5.1.1. The syntax of the discrete WCTL logic is given by the following grammar
$$\varphi ::= p \mid \pi \mid \neg\varphi \mid \varphi \vee \varphi \mid \exists\bigcirc\varphi \mid \varphi\,\exists U\,\varphi \mid \varphi\,\forall U\,\varphi \mid z_i \cdot \varphi$$
where $p \in AP$, $\pi$ is a cost constraint and $z_i \in Z$. Dense WCTL formulae are defined in the same way, except that the operator $\exists\bigcirc$ is forbidden.

The WCTL logic uses freeze quantifiers "$z_i \cdot$" on the cost variables $z_i$, $1 \le i \le m$. This logic allows to reset such variables and to test them. These actions are forbidden in weighted timed automata, where the cost variables are only observers. Note that the TCTL logic [ACD93] is a particular case of WCTL when each cost variable $z_i$ describes the total elapsed time.

² i.e. the underlying timed automaton is diagonal-free.
Notations 5.1.2. Notation $\top$ means true and $\bot$ means false. For convenience, we use the following (CTL) abbreviations: $\exists\Diamond\varphi \equiv \top\,\exists U\,\varphi$, $\forall\Diamond\varphi \equiv \top\,\forall U\,\varphi$, $\exists\Box\varphi \equiv \neg\forall\Diamond\neg\varphi$, and $\forall\Box\varphi \equiv \neg\exists\Diamond\neg\varphi$. We also use the following TCTL abbreviation
$$\varphi\,\exists U_{z \sim c}\,\psi \equiv z \cdot \big(\varphi\,\exists U\,(\psi \wedge z \sim c)\big),$$
where $z$ is a cost variable and $c \in \mathbb{N}$.

The formulae of WCTL are evaluated on a given weighted timed automaton $A$. The sets $AP$ and $Z$ are supposed to be the same for both $A$ and WCTL. We now give the semantics of WCTL.

Definition 5.1.3. Suppose $T = \mathbb{N}$. Let $A$ be a weighted timed automaton and $q = (l, \nu, \omega)$ be an extended state of the transition system $T_A$ of $A$. Let $\varphi$ be a discrete WCTL formula. Then the satisfaction relation $A, q \models \varphi$ is defined inductively as indicated below.
• $A, q \models p$ iff $p \in \mathcal{L}(l)$;
• $A, q \models \pi$ iff $\omega \models \pi$;
• $A, q \models \neg\varphi$ iff $A, q \not\models \varphi$;
• $A, q \models \varphi \vee \psi$ iff $A, q \models \varphi$ or $A, q \models \psi$;
• $A, q \models \exists\bigcirc\varphi$ iff there exists an extended run $\rho = (q_i)_{i \ge 0}$ in $T_A$ with $q = q_0$ and $q_0 \xrightarrow{1} q_1$ or $q_0 \xrightarrow{e} q_1$ (for some $e \in E$), such that $A, q_1 \models \varphi$;
• $A, q \models \varphi\,\exists U\,\psi$ iff there exists an extended run $\rho = (q_i)_{i \ge 0}$ in $T_A$ with $q = q_0$, and there exists a position $q'$ in $\rho$ such that $A, q' \models \psi$ and $A, q'' \models \varphi$ for all $q'' < q'$;
• $A, q \models \varphi\,\forall U\,\psi$ iff for any extended run $\rho = (q_i)_{i \ge 0}$ in $T_A$ with $q = q_0$, there exists a position $q'$ in $\rho$ such that $A, q' \models \psi$ and $A, q'' \models \varphi$ for all $q'' < q'$;
• $A, q \models z_i \cdot \varphi$ iff $A, (l, \nu, \omega') \models \varphi$, where $\omega'_i = 0$ and $\omega'_j = \omega_j$ for all $j \ne i$.
In case $T = \mathbb{R}^+$ and $\varphi$ is a dense WCTL formula, the satisfaction relation is defined in the same way, except that the clause for $A, q \models \exists\bigcirc\varphi$ does not exist. When $A$ is clear from the context, we simply write $q \models \varphi$ instead of $A, q \models \varphi$.

Let us come back to the gas burner system of Example 3.3.9 and formalize some properties by WCTL formulas.

Example 5.1.4. Consider the first property "there exists a run with an average leaking time always bounded by 0.5" (which formalizes $2z_2 \le z_3$). Since the cost constraints $\pi$ allowed in WCTL are of the form $z_i \sim c$ or $z_i - z_j \sim c$, we replace the cost $C(l) = (1, 1, 0)$ by $(1, 2, 0)$ in the automaton of Figure 3.12. The WCTL formula for the given property is therefore
$$z_2 \cdot z_3 \cdot (\exists\Box\, z_2 \le z_3).$$
The next property we want to formalize is "in any time interval longer than 60 time units, the accumulated leaking time is at most 5% of the interval length" (that is, $z_1 \ge 60 \Rightarrow 20 z_2 \le z_1$). Again we have to modify the automaton by replacing $C(l)$ by $(1, 20, 0)$. The related WCTL formula is
$$z_1 \cdot z_2 \cdot (\forall\Box\,(z_1 \ge 60 \Rightarrow z_2 \le z_1)).$$
Finally, the property "there exists a run such that the accumulated leaking time is at most 5% of the time interval length and the average leaking time is bounded by 0.5, until the system never leaks" is formalized as
$$z_1 \cdot z_2 \cdot z_3 \cdot \big((z_2 \le z_1 \wedge z_2 \le z_3)\,\exists U\,(\forall\Box\,\neg\mathit{leak})\big)$$
if $C(l)$ is replaced by $(1, 20, 0)$ and $C(l, x \le 1, x := 0, l')$ by $(0, 0, 10)$.

Remark 5.1.5. Let $A$ be a weighted timed automaton and $(l, \nu, \omega)$ be an extended state of $A$. In order to make the abbreviation $\varphi\,\exists U_{z \sim c}\,\psi$ clearer, let us give its semantics explicitly.
• $(l, \nu, \omega) \models \varphi\,\exists U_{z \sim c}\,\psi$ iff there exists an extended run $\rho^w = q_0 \leadsto q'$ in $T_A^w$ with $q_0 = (l, \nu, 0)$, $q' = (l', \nu', \omega') \models \psi$, $\omega' \sim c$ and $q'' \models \varphi$ for all $q'' < q'$.
When considering weighted timed automata with a single cost, the semantics of some WCTL formulae can be defined in a different way, using the notion of "cost of a run" (see Definition 3.3.12). This is the case for the formula $\varphi\,\exists U_{z \sim c}\,\psi$ (where $\varphi, \psi$ are supposed to be WCTL formulae without cost constraints). Let us give its alternative semantics. In this case the satisfaction relation is defined on the states of the underlying timed automaton.
• $(l, \nu) \models \varphi\,\exists U_{z \sim c}\,\psi$ iff there exists a run $\rho = q_0 \leadsto q'$ in $T_A$ with $q_0 = (l, \nu)$, $q' = (l', \nu') \models \psi$, $C(\rho) \sim c$ and $q'' \models \varphi$ for all $q'' < q'$.
Let us notice that, given any extended state $(l, \nu, \omega)$, by Remark 3.3.14 we clearly have that $(l, \nu, \omega) \models \varphi\,\exists U_{z \sim c}\,\psi$ iff $(l, \nu) \models \varphi\,\exists U_{z \sim c}\,\psi$. The previous remark will be useful in Section 5.4.
5.2 Model-Checking WCTL
The problem that we want to study in this chapter is the following model-checking problem, for discrete and dense time.

Problem 5.2.1. Given a weighted timed automaton A, an extended state q of TA and a WCTL formula ϕ, does A, q |= ϕ hold? (T = N or T = R+)

The next theorem states that this problem is undecidable, already for automata with stopwatch observers.

Theorem 5.2.2. In both cases of discrete and dense time, the WCTL model-checking problem for automata with stopwatch observers is undecidable.

Corollary 5.2.3. Problem 5.2.1 is undecidable.

Proof. (of Theorem 5.2.2) The proof is based on a reduction of the halting problem for a 2-counter machine. We recall that a machine with 2 counters C1 and C2 can be described by a linear labelled program allowing the basic[3] instructions given in Table 5.1.[4]

  goto        k : goto k′
  zero test   k : if Ci = 0 then goto k′ else goto k′′
  increment   k : Ci := Ci + 1
  decrement   k : Ci := Ci − 1
  stop        k : STOP
Table 5.1: The possible instructions of a two-counter machine.

The emulation of the 2-counter machine is done partly by an automaton with stopwatch observers A and partly by a WCTL formula ϕ. The automaton A = (L, X, E, I, L, C) has the following components. The set L contains a location for each label k of the program, which is labelled by σk; it contains additional locations. The set X contains a single clock x. The set AP of atomic propositions labeling L contains an atomic proposition σk for each label k of the program and 4 additional atomic propositions ρ1, ρ′1, ρ2 and ρ′2. The labelling function L will be described more precisely in the sequel of the proof. The cost function C has values in {0, 1}^3 (in other words we only use 3 cost variables); the cost of each edge is null, and the cost of each location will be given in the sequel of the proof. We assume without loss of generality that the first label of the program of the 2-counter machine is k0 and that the last instruction is a stop instruction labelled by kt. The 2 counters are encoded by the 3 cost variables as follows:

C1 = z1 − z2,
C2 = z1 − z3.
[3] Let us notice that the goto instruction is redundant since it can be encoded using a zero test instruction by taking k′ = k′′. However, for technical reasons it is sometimes convenient to encode explicitly the goto instruction. That is why in the sequel we consider two-counter machines with or without the goto instruction.
[4] We assume that there is an if instruction before each decrementation instruction such that in the case the counter has value zero, the counter value is not modified; otherwise it is decremented.
The goto and stop instructions are easily encoded in A. The instruction for incrementing counter C1 is encoded by the subautomaton given in Figure 5.1.

[Figure 5.1 (diagram): location σk (cost (0, 0, 0)) -> edge x := 0 -> central location with invariant x ≤ 1 and cost (1, 0, 1) -> edge x = 1 -> location σk+1 (cost (0, 0, 0)).]
Figure 5.1: Incrementing counter C1.

The subautomaton for incrementing C2 is similar except that the cost of the central location is (1, 1, 0). Considering the previous footnote, the instruction for decrementing counter C1 is encoded in Figure 5.2. A similar subautomaton is given for counter C2 with the cost of the central location equal to (0, 0, 1).

[Figure 5.2 (diagram): location σk (cost (0, 0, 0)) -> edge x := 0 -> central location with invariant x ≤ 1 and cost (0, 1, 0) -> edge x = 1 -> location σk+1 (cost (0, 0, 0)).]
Figure 5.2: Decrementing counter C1.

The zero test instruction is encoded as indicated in Figure 5.3. The atomic proposition ρ1 is a witness that C1 > 0 while ρ′1 is a witness that C1 = 0. Since the automaton A is not allowed to test its cost variables, the formula ϕ will check whether C1 = 0 or C1 > 0 depending on the values of z1 and z2. A similar subautomaton is given for counter C2 with atomic propositions ρ2 and ρ′2. Let us now give formula ϕ:

((ρ1 ⇒ z1 − z2 > 0) ∧ (ρ′1 ⇒ z1 − z2 = 0) ∧ (ρ2 ⇒ z1 − z3 > 0) ∧ (ρ′2 ⇒ z1 − z3 = 0)) ∃U σkt.

[Figure 5.3 (diagram): location σk (cost (0, 0, 0)) branches to the locations labelled ρ1 and ρ′1, which lead to the locations labelled σk′ and σk′′; every location has cost (0, 0, 0).]
Figure 5.3: zero test instruction with test on C1.

Clearly, the 2-counter machine halts on the stop instruction if and only if q |= ϕ with the following extended state q = (l, ν, ω1, ω2, ω3) = (l0, 0, 0, 0, 0), where l0 is the location labelled by σk0. It follows that the model-checking problem is undecidable.

Let us make some remarks on the previous proof and on possible adaptations of this proof.

Remark 5.2.4. The previous proof works for discrete or dense time. The automaton A is an automaton with stopwatch observers using 1 clock x and 3 cost variables z1, z2, z3. All its edges have no cost. The formula ϕ uses cost constraints of the form zi − zj ∼ 0. It does not use any freeze quantifier. The latter comment implies that the model-checking for automata with stopwatch observers is already undecidable for the fragment of WCTL where the freeze operator is forbidden.

Remark 5.2.5. The proof can be easily adapted if one prefers an automaton with all its locations having no cost. In this case, A has no clock and again 3 cost variables. In Figure 5.4 an incrementation of counter C1 is depicted. The formula ϕ remains identical. One can imagine a third proof with 1 clock and 3 cost variables, as a mix of both previous approaches, such that there exist non-null costs on certain locations and on certain edges.
[Figure 5.4 (diagram): a single edge from the location labelled σk to the location labelled σk+1, carrying the cost (1, 0, 1).]
Figure 5.4: Incrementing counter C1 with no cost in the locations.
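To see how the three cost observers of the proof of Theorem 5.2.2 track the counters, here is an added example (not code from the thesis) that runs a constructed 2-counter program while accumulating only the location costs of Figures 5.1 and 5.2, checks the invariant C1 = z1 − z2, C2 = z1 − z3 after every widget, and records which witness (ρi or ρ′i) and which cost constraint of ϕ each zero test relies on. The program format and the label numbering are assumptions of the example.

```python
# Added example (not from the thesis): the cost-variable encoding of a
# 2-counter machine used in the proof of Theorem 5.2.2.  The counters are
# never read by the automaton; they are recovered from the three stopwatch
# observers as C1 = z1 - z2 and C2 = z1 - z3, and each zero test is resolved
# by the WCTL formula phi through the witnesses rho_i (C_i > 0) / rho'_i (C_i = 0).

# Cost of the central location of each increment/decrement widget
# (Figures 5.1 and 5.2 and their counterparts for C2).  A widget is crossed
# in exactly one time unit, so its location cost is added to (z1, z2, z3).
WIDGET_COST = {
    ("inc", 1): (1, 0, 1),
    ("inc", 2): (1, 1, 0),
    ("dec", 1): (0, 1, 0),
    ("dec", 2): (0, 0, 1),
}


def decode(costs):
    """Recover (C1, C2) from the cost vector (z1, z2, z3), as in the proof."""
    z1, z2, z3 = costs
    return (z1 - z2, z1 - z3)


def run_encoded(program, start=0, max_steps=10_000):
    """Run a labelled 2-counter program, tracking the cost variables only.

    program maps a label to one of (format assumed by this example):
        ("goto", k)
        ("ifzero", i, k_zero, k_nonzero)   # k: if Ci = 0 then goto k_zero else goto k_nonzero
        ("inc", i, k_next)
        ("dec", i, k_next)                 # must follow a zero test (footnote 4)
        ("stop",)
    Returns (halted, costs, witnesses); witnesses lists, per zero test, the
    atomic proposition and the cost constraint of phi that the branch relies on.
    """
    counters = [0, 0]            # reference machine, only used to check the encoding
    costs = [0, 0, 0]
    witnesses = []
    label = start
    for _ in range(max_steps):
        instr = program[label]
        op = instr[0]
        if op == "stop":
            return True, tuple(costs), witnesses
        if op == "goto":
            label = instr[1]
        elif op == "ifzero":
            i, k_zero, k_nonzero = instr[1:]
            if decode(costs)[i - 1] == 0:
                witnesses.append((label, f"rho'_{i}", f"z1 - z{i + 1} = 0"))
                label = k_zero
            else:
                witnesses.append((label, f"rho_{i}", f"z1 - z{i + 1} > 0"))
                label = k_nonzero
        else:                    # "inc" or "dec"
            i, k_next = instr[1:]
            if op == "dec" and counters[i - 1] == 0:
                raise ValueError("decrement of a zero counter; see footnote 4")
            counters[i - 1] += 1 if op == "inc" else -1
            costs = [c + w for c, w in zip(costs, WIDGET_COST[(op, i)])]
            label = k_next
        # The encoding invariant of the proof must hold after every step.
        assert decode(costs) == tuple(counters)
    return False, tuple(costs), witnesses


# Constructed sample program: set C1 := 3, then move C1 into C2 and stop.
SAMPLE = {
    0: ("inc", 1, 1),
    1: ("inc", 1, 2),
    2: ("inc", 1, 3),
    3: ("ifzero", 1, 6, 4),
    4: ("dec", 1, 5),
    5: ("inc", 2, 3),
    6: ("stop",),
}

if __name__ == "__main__":
    halted, costs, witnesses = run_encoded(SAMPLE)
    print(halted, costs, decode(costs))   # True (6, 6, 3) (0, 3)
    for w in witnesses:
        print(w)
```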
In Section 5.3 we will restrict to a fragment of WCTL which cannot compare two cost variables. When considering the model-checking of this fragment, we will see that discrete and dense time cannot be treated uniformly anymore.
5.3 Model-Checking WCTLr

5.3.1 Weighted CTL restricted
In the sequel, we will work with the WCTL logic restricted to cost constraints π of the form zi ∼ c. It is denoted WCTLr. The related model-checking problem is the following one, for discrete and dense time.

Problem 5.3.1. Given a weighted timed automaton A, an extended state q of TA and a WCTLr formula ϕ, does A, q |= ϕ hold? (T = N or T = R+)

Example 5.3.2. For the gas burner system of Example 3.3.9, the property "if the number of leaks is less than 5, then the leaking time is strictly bounded by 5" is formalized in WCTLr by the formula z2 · z3 · ∀□(z3 < 5 ⇒ z2 < 5). The next property "at each position of every run, the number of leaks does not exceed 2 in any time interval less than 100 time units" is formalized by ∀□(z1 · z3 · ∀□(z1 ≤ 100 ⇒ z3 ≤ 2)). The property "as soon as a leak is detected, the gas burner stops leaking after at most 1 time unit" is formalized by ∀□(leak ⇒ z1 · ∀◇(¬leak ∧ z1 ≤ 1)).
Finally the property "after 20 time units the gas burner does not leak any longer" is formalized by z1 · ∀□(z1 ≥ 20 ⇒ z3 · (∀□ z3 = 0)).

This section is devoted to the study of Problem 5.3.1. We start by recalling the link between bisimulation and model-checking, then we consider the simple case of discrete time before studying the more complex case of dense time.
5.3.2 Bisimulation and Model-Checking
An important property of bisimulations is that they preserve WCTLr formulas if they respect a well-chosen initial partition. We omit the proof since it is similar to the proof given in [ACD93], see also [TY01], for timed automata and the TCTL logic.

Proposition 5.3.3. Let A be a weighted timed automaton and ϕ be a WCTLr formula. If A has a bisimulation ≈ that respects the partition P0 induced by
1. the atomic propositions σ labeling the locations of A,
2. the cost constraints π appearing in ϕ,
3. the resets of the cost variables in ϕ (operator z·),
then for any extended states q, q′ of TA such that q ≈ q′, we have q |= ϕ iff q′ |= ϕ.

As a consequence of this proposition, it can be proved that if each step of the bisimulation algorithm (see Section 1.6) is effective and if this procedure terminates, then Problem 5.3.1 is decidable. Note that the effectiveness hypothesis does not need to be proved since weighted timed automata are linear hybrid automata, for which the effectiveness of the bisimulation algorithm is known [Hen95].

Corollary 5.3.4. Let A be a weighted timed automaton and let ϕ be a WCTLr formula. If A has a finite bisimulation respecting the partition of Proposition 5.3.3, then the WCTLr model-checking problem is decidable.
Remark 5.3.5. The same result holds for WCTL (instead of WCTLr ) if the cost constraints in Condition 2 of Proposition 5.3.3 are general constraints zi ∼ c or zi − zj ∼ c.
5.3.3 Discrete Time
In the case of discrete time, the model-checking problem for WCTLr is decidable thanks to Corollary 5.3.4.

Theorem 5.3.6. Let T = N. Let A be a weighted timed automaton and ϕ be a WCTLr formula. Then A has a finite bisimulation respecting the partition of Proposition 5.3.3.

Proof. (Sketch) This result is proved in [HK97] for more general automata, the discrete-time rectangular automata, but without costs on the edges. However, the proposed bisimulation remains valid[5] for weighted timed automata. It is the usual bisimulation of timed automata (see Definition 3.2.10) adapted as follows: the cost variables are treated as clock variables, and for each cost variable zi the constant ci is the largest constant that zi is compared with in the cost constraints of ϕ.

Figure 5.3.3 indicates an example of the finite bisimulation discussed in the previous proof for 1 clock x (whose largest constant it is compared with is 2) and 1 cost variable z (whose largest constant it is compared with is 1).

[Figure 5.5 (diagram): the classes of the bisimulation drawn in the plane with axes x and z.]
Figure 5.5: Example of a finite bisimulation in the discrete case.

Corollary 5.3.7. For discrete time, the WCTLr model-checking problem for weighted timed automata is PSpace-complete.

Proof. (Sketch) The PSpace-hardness is a direct consequence of the fact that model-checking TCTL on timed automata is PSpace-complete [ACD93]. The PSpace-easiness is established using classical arguments, see [ACD93]. First note that the number of equivalence classes of the bisimulation given in the proof of Theorem 5.3.6 is bounded by an exponential in the size of the input of the model-checking problem (sum of the sizes of the automaton and the formula). We can turn the usual labeling algorithm used for CTL-like logics into a nondeterministic algorithm that uses polynomial space and computes the labels of regions as they are required. By Savitch's theorem, we know that there also exists a deterministic version of this algorithm that uses polynomial space.

[5] Since we consider diagonal-free weighted timed automata.
5.3.4 Dense Time
For dense time, the panorama is completely different since the model-checking becomes undecidable, already for automata with stopwatch observers.

Theorem 5.3.8. Let T = R+. The WCTLr model-checking problem for automata with stopwatch observers is undecidable.

Corollary 5.3.9. In the case of dense time, Problem 5.3.1 is undecidable.

Proof. (of Theorem 5.3.8) As for Theorem 5.2.2, the proof is based on a reduction of the halting problem for 2-counter machines with goto instruction (see Table 5.1). The emulation of the 2-counter machine M is done partly by an automaton with stopwatch observers A and partly by a WCTLr formula ϕ. Let us denote by K the list of instructions of M. A configuration of M is given by a triple (k, C1, C2) ∈ K × N^2 which represents the (label
of the) current instruction and the value of the two counters C1 and C2. The first instruction of M is supposed to be labelled by k0 and the stop instruction for which M halts is supposed to be labelled by kt. The initial configuration of M is thus (k0, 0, 0). The automaton A contains a special clock x0 which is reset to 0 whenever it reaches the value 1. The ith configuration of the machine M is encoded by the extended state of the transition system TA of A at time i (i.e. at the ith reset of x0).

First we explain how to encode the value of the counters C1, C2 of M. Let us consider pairs (x, z), where x is a clock and z is a cost variable, whose valuations are of the form (2^−n, 1 − 2^−n), n ≥ 1, when x0 = 0. We will explain later how we obtain those values. By means of 4 pairs (x1, z1), (x2, z2), (x3, z3) and (x4, z4), whose valuations are respectively denoted (ν1, ω1), (ν2, ω2), (ν3, ω3) and (ν4, ω4), we encode the value of the 2 counters C1 and C2 as follows:

$$C_1 = m_1 \iff \Big(\nu_1 = \frac{1}{2^{n_1}}\Big) \text{ and } \Big(\nu_2 = \frac{1}{2^{n_2}}\Big) \text{ and } n_1 - n_2 = m_1,$$
$$C_2 = m_2 \iff \Big(\nu_3 = \frac{1}{2^{n_3}}\Big) \text{ and } \Big(\nu_4 = \frac{1}{2^{n_4}}\Big) \text{ and } n_3 - n_4 = m_2. \qquad (5.1)$$

We can already notice that incrementing the counter C1 corresponds to dividing the clock valuation of x1 by 2, and decrementing the counter C1 corresponds to dividing the clock valuation of x2 by 2 (similarly for the counter C2). We will explain how to proceed in detail later in the proof. The automaton A = (L, E, I, L, C) has 5 clocks (the special clock x0 and the clocks x1, x2, x3, x4), 4 cost variables (z1, z2, z3, z4) and no cost on its edges. The set AP of atomic propositions labeling L contains an atomic proposition σk for each label k of the instructions of K. It also contains additional atomic propositions ρi, ρ′i, ςi, ς′i, for i = 1, 2, and µj, µ′j for j = 1, 2, 3, 4. The set L contains a location for each label k of the machine M, which is labelled by σk. For each such k, the related location is as depicted in Figure 5.6, i.e. with an invariant x0 = 0 and an outgoing edge labelled by the guard x0 = 0. So the transition system TA spends no time in these locations. This means that the ith configuration (k, C1, C2) of M is encoded by the extended state of TA at time i exactly. The set L also contains additional locations that will be described later.
[Figure 5.6 (diagram): the location labelled σk, with invariant x0 = 0 and cost (0, 0, 0, 0); its incoming edge resets x0 := 0 and its outgoing edge is guarded by x0 = 0.]
Figure 5.6: location labelled by σk

Formula ϕ will be constructed in parallel with A in a way that M, starting with the initial configuration (k0, 0, 0), halts with the stop instruction if and only if q0 |= ϕ for the extended state q0 of TA given by

q0 = (l, ν0, ν1, ν2, ν3, ν4, ω1, ω2, ω3, ω4) = (l0, 0, 1/2, 1/2, 1/2, 1/2, 1/2, 1/2, 1/2, 1/2)

where l0 is the location labelled by σk0. Notice that the pairs (νi, ωi), where i = 1, ..., 4, appearing in q0 are of the desired form (2^−n, 1 − 2^−n). We are now ready to encode the instructions of M with A and ϕ. The stop instruction is trivially implemented by a location labelled σkt. The goto instruction is encoded by the subautomaton of A given in Figure 5.7.
[Figure 5.7 (diagram): location σk (invariant x0 = 0, cost (0, 0, 0, 0)) -> edge x0 = 0 -> central location (invariant x0 ≤ 1, cost (0, 0, 0, 0), loops ∀i ≠ 0: xi = 1; xi := 0) -> edge x0 = 1, x0 := 0 -> location σk′ (invariant x0 = 0, cost (0, 0, 0, 0)).]
Figure 5.7: k: goto k′.

We do not use formula ϕ in this case. The values of the 4 pairs (νi, ωi) (for i = 1, ..., 4) have to be kept unchanged since the values of the 2 counters are not changed. Leaving the value of each ωi unchanged is simple: it suffices to assign a null cost to the cost variable zi in the locations of Figure 5.7 (i.e. C(l) = (0, 0, 0, 0)). To keep the value of νi unchanged, we use a classical trick (see for example [ACH+95]). Since the emulation
of the goto instruction takes exactly one unit of time, guaranteed by the clock x0, it suffices to reset to 0 each clock xi whenever it reaches value 1. Considering the central location of Figure 5.7, this requires adding the 4 invariants xi ≤ 1 and several loops labelled by the guards xi = 1 and the resets xi := 0 (taking into account that 2 or more resets could be simultaneous). This is indicated in Figure 5.7 with the notation ∀i ≠ 0 xi = 1; xi := 0. Hence we can conclude that if the 4 pairs (νi, ωi) have the desired form (2^−ni, 1 − 2^−ni) in the location labelled σk, they will recover the same value when A enters the location labelled σk′. This ends the emulation of the goto instruction.

This construction, which allows us to keep the value of the pairs (νi, ωi) unchanged, will be applied again in the sequel of the proof. However we will not give an explicit construction but only refer to the widget. This widget takes exactly one time unit, and ensures that the valuations of the clocks xi are kept constant by adding loops coupled with guards, resets and invariants in order to reset xi whenever it reaches 1 (this will be indicated on the next figures by using the notation ∀i ≠ 0 xi = 1; xi := 0).

We now turn to the zero test instruction. We treat the test of the counter C1; the other case is similar. Testing whether the counter C1 is equal to 0 is equivalent to testing whether ν1 is equal to ν2, see (5.1). But testing equality between two clock valuations is not allowed[6] in the automaton. We need to introduce a trickier encoding which uses both the automaton A and the formula ϕ. Let us consider the subautomaton of A given in Figure 5.8. The atomic proposition ρ1 is a witness for ν1 = ν2 and the atomic proposition ρ′1 is a witness for ν1 < ν2.[7] Since A is not allowed to compare its clocks, we use instead the branching power of WCTLr through ϕ. Checking whether ν1 = ν2 in the location labelled by ρ1 is equivalent to checking later on that ν1 = ν2 = 1 (letting time elapse), that is, checking with a subformula ψ1 of ϕ that the location labelled ς1 can be reached from it. We proceed in a similar way to check whether ν1 < ν2 in the location labelled

[6] Recall that by assumption, in this chapter, we work with diagonal-free timed automata.
[7] The index 1 in ρ1 and ρ′1 is used to recall that it is counter C1 which is tested.
[Figure 5.8 (diagram): from the location σk (invariant x0 = 0) two branches leave. One passes through the location labelled ρ1 (x0 = 0), then a widget (∀i ≠ 0, xi = 1; xi := 0; left at x0 = 1 with x0 := 0) and reaches σk′; this branch also has an edge guarded by (x1 = 1) ∧ (x2 = 1) leading to the location labelled ς1. The other passes through the location labelled ρ′1 (x0 = 0), then a widget, and reaches σk′′; this branch has an edge guarded by (x1 < 1) ∧ (x2 = 1) leading to the location labelled ς1′. Every location has cost (0, 0, 0, 0).]
Figure 5.8: k: if C1 = 0 then goto k′ else goto k′′.
ς1′. This subformula ψ1 is defined as follows:

ψ1 ≡ (ρ1 ⇒ ρ1 ∃U ς1) ∧ (ρ′1 ⇒ ρ′1 ∃U ς1′).

In the zero test instruction, depending on whether C1 = 0 or C1 > 0, there is a goto k′ or a goto k′′. This is encoded in the automaton of Figure 5.8 by using two widgets such that the values of the pairs (νi, ωi) are left unchanged. The zero test instruction for counter C2 is treated similarly. The subautomaton is the same except that atomic propositions ρ2, ρ′2, ς2 and ς2′ are used instead of ρ1, ρ′1, ς1 and ς1′, and clocks x3, x4 are used instead of x1, x2. The subformula is the following one:

ψ2 ≡ (ρ2 ⇒ ρ2 ∃U ς2) ∧ (ρ′2 ⇒ ρ′2 ∃U ς2′).
It remains to emulate the incrementation and decrementation instructions. In both cases, it suffices to divide the valuation of a clock by 2 while the valuations of the other clocks remain unchanged. We only go into detail for the instruction C1 := C1 + 1, the other cases being similar. Let us consider the subautomaton of A given in Figure 5.9. In order to increment C1, if A enters the location labelled σk with (ν1, ω1) = (2^−n, 1 − 2^−n), it has to reach the location labelled σk′ with (ν1′, ω1′) = (2^−(n+1), 1 − 2^−(n+1)), the values of the 3 other pairs (νi, ωi) being unchanged. To force A to adopt this behaviour, we again use the branching aspect of the logic through the following subformula[8]:

ϕ1 ≡ µ1 ⇒ µ1 ∃U(µ′1 ∧ z1 = 1)        (5.2)

where the atomic propositions µ1 and µ′1 are witnesses that the pair (ν1, ω1) is modified.
[Figure 5.9 (diagram): locations l1 (labelled σk) to l9 (labelled σk+1); l2, l3 and l4 carry the widget ∀i ≠ 0, 1: xi = 1; xi := 0; the edges carry the guards x0 = 0, x0 = 1, x1 = 1 and (x0 = 1) ∧ (0 < x1 < 1) and the resets x0 := 0 and x1 := 0; two locations have cost (1, 0, 0, 0), all the others (0, 0, 0, 0); the intermediate locations are labelled by the witnesses µ1 and µ′1.]
Figure 5.9: k: C1 := C1 + 1.
The proof that the evolution of the pair (ν1, ω1) is done correctly is rather technical and is formalized in Lemma 5.3.10. The other pairs are left unchanged using the widget (see locations l2, l3 and l4 of Figure 5.9).

[8] The index 1 in µ1 and µ′1 is used to recall that the pair (x1, z1) is modified.
We have a similar subautomaton and subformula for decrementing C1 such that x1, z1, µ1, µ′1 and ϕ1 are replaced respectively by x2, z2, µ2, µ′2 and ϕ2. (Similarly for the incrementation and the decrementation of counter C2 by using indexes 3 and 4.) We are now able to give the whole formula ϕ:

ϕ ≡ (ψ1 ∧ ψ2 ∧ ϕ1 ∧ ϕ2 ∧ ϕ3 ∧ ϕ4) ∃U σkt.        (5.3)
Clearly M halts on the stop instruction if and only if q0 |= ϕ. It follows that the model-checking problem for automata with stopwatch observers is undecidable.

Lemma 5.3.10. Let us consider Figure 5.9. If A enters location l1 with valuation (ν1, ω1) = (2^−n, 1 − 2^−n) for the pair (x1, z1) and if formula ϕ1 is satisfied at location l4, then A enters location l9 with the valuation (2^−(n+1), 1 − 2^−(n+1)) for the pair (x1, z1).

Proof. By hypothesis, A enters location l1 with (ν1, ω1) = (2^−n, 1 − 2^−n) and ν0 = 0. By construction, we can see that the valuation of (x1, z1) is (0, 1 − 2^−n) when entering location l3. Since ϕ1 is satisfied at location l4, the valuation of z1 is 1 in location l7. This implies that the valuations of z1 and x0 are both equal to 1 in location l7, and so the valuations of x0 and z1 are equal when leaving location l5 with the clock valuation of x1 being 1. We have to show that the valuation of (x1, z1) in l4 is (2^−(n+1), 1 − 2^−(n+1)). Let us notice that the valuation of (x1, z1) entering l5 is equal to its valuation in l4. Figure 5.10 represents the evolution of the variables x1, z1 and x0 along the path from l3 to l5. It indicates in bold face a quantity α kept constant along the lines. In the first line, recall that (x1, z1) has valuation (0, 1 − 2^−n). In the second line, it has valuation (α, β) with β = 1 − 2^−n + α. In the third line, we have α + β = 1, showing that α = 2^−(n+1). Thus (x1, z1) has value (2^−(n+1), 1 − 2^−(n+1)) at location l4.
[Figure 5.10 (diagram): three lines, each showing x1, z1 and x0 on the interval [0, 1]: entering l3 (x1 = 0, z1 = 1 − 2^−n), leaving l3 / being in l4 / entering l5 (x1 = α, z1 = β) and leaving l5 (x1 = 1, z1 = x0), with the quantity α marked in bold on each line.]
Figure 5.10: Evolution of the variables from l3 to l5.
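As an added example (not from the thesis), the arithmetic of Lemma 5.3.10 carried through with exact fractions: it follows (x1, z1, x0) along l3, l4, l5 and l6 of Figure 5.9 for an arbitrary delay α spent in l3, solves for the unique α under which ϕ1 holds (z1 = 1 in l7), and decodes the counter from the resulting clock pair according to (5.1). It assumes, as read off Figure 5.10 and the proof, that z1 has cost 1 in l3 and l6 and cost 0 in l5, and that x0 measures the time spent from the entry of l5 until l7 is reached.

```python
from fractions import Fraction

# Added example (not from the thesis): the arithmetic of Lemma 5.3.10 on the
# clock-halving path l3 -> l4 -> l5 -> l6 -> l7 of Figure 5.9, carried out
# with exact fractions.  Assumptions (read off Figure 5.10 and the proof):
# z1 has cost 1 in l3 and l6 and cost 0 in l5; the delay alpha spent in l3 is
# chosen freely by the automaton; l5 is left when x1 = 1; x0 counts the time
# from the entry of l5 and l7 is entered when x0 = 1.


def halving_path(n, alpha):
    """Follow (x1, z1, x0) for a given delay alpha in l3.

    Returns ((x1, z1) in l4, value of z1 when l7 is entered).  Formula (5.2)
    accepts the path only if that last value is exactly 1.
    """
    alpha = Fraction(alpha)
    x1, z1 = Fraction(0), 1 - Fraction(1, 2 ** n)   # entering l3 (first line of Fig. 5.10)
    x1, z1 = x1 + alpha, z1 + alpha                  # leaving l3: (alpha, beta), beta = 1 - 2^-n + alpha
    pair_l4 = (x1, z1)                               # no time elapses in l4
    x0 = 1 - x1                                      # l5: z1 frozen, left when x1 reaches 1
    z1_l7 = z1 + (1 - x0)                            # l6: z1 grows with x0 until x0 = 1
    return pair_l4, z1_l7


def solve_alpha(n):
    """The unique delay alpha in l3 under which phi1 holds (z1 = 1 in l7).

    alpha -> z1_l7 is affine (it equals 1 - 2^-n + 2*alpha), so two samples
    determine it and the equation z1_l7 = 1 can be solved exactly.
    """
    a0, a1 = Fraction(1, 4), Fraction(1, 2)
    f0, f1 = halving_path(n, a0)[1], halving_path(n, a1)[1]
    slope = (f1 - f0) / (a1 - a0)
    return a0 + (1 - f0) / slope


def exponent_of_half(v):
    """n such that v = 2^-n; raises if v is not of that form."""
    v = Fraction(v)
    if v.numerator != 1 or v.denominator & (v.denominator - 1):
        raise ValueError(f"{v} is not of the form 2^-n")
    return v.denominator.bit_length() - 1


def counter_value(nu_a, nu_b):
    """C = n_a - n_b for a pair of clocks encoded as in (5.1)."""
    return exponent_of_half(nu_a) - exponent_of_half(nu_b)


if __name__ == "__main__":
    n = 3
    alpha = solve_alpha(n)                       # 1/16
    (x1, z1), z1_l7 = halving_path(n, alpha)
    print(alpha, x1, z1, z1_l7)                  # 1/16 1/16 15/16 1
    # With the second clock of the pair left at 1/2 (exponent 1), C1 goes from 2 to 3.
    print(counter_value(Fraction(1, 2 ** n), Fraction(1, 2)),
          counter_value(x1, Fraction(1, 2)))    # 2 3
```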
The previous proof uses an automaton A with stopwatch observers and a WCTLr formula ϕ. The automaton has 5 clocks and 4 cost variables (clock x0 and pairs (xi, zi), 1 ≤ i ≤ 4). It has no cost on its edges. The formula does not use the freeze operator. In particular, the model-checking problem for automata with stopwatch observers is already undecidable for the fragment of WCTLr where the freeze operator is forbidden.

In the next corollary, we show that the WCTLr model-checking problem is already undecidable for automata with stopwatch observers using 5 clocks and 1 cost variable only. The proof will now use the freeze operator. The fact that we were able to reduce the number of cost variables to only one is very interesting, when one recalls that the minimum-cost reachability problem has been proved to be decidable for weighted timed automata with 1 cost variable [ALP01, BFH+01].

Corollary 5.3.11. Let T = R+. The WCTLr model-checking problem is undecidable for automata with stopwatch observers using 5 clocks and 1 cost variable.

Proof. Let us show how to modify the proof of Theorem 5.3.8 so as to use only 1 cost variable. We first recall the role of the 4 cost variables zi in the proof of Theorem 5.3.8. In addition to the special clock x0, the clocks xi, 1 ≤ i ≤ 4,
are used to encode the 2 counters as indicated in (5.1). Each clock xi is coupled with the cost variable zi, whose valuations (νi, ωi) are of the form (2^−n, 1 − 2^−n), n ≥ 1, when ν0 = 0. Looking at the encoding of each basic instruction of the 2-counter machine, we notice that the cost variables zi are useful only for the incrementation and decrementation instructions (see Figure 5.9). We are now going to show that the 4 cost variables zi can be replaced by a single cost variable z. The encoding of the stop, goto and if instructions is done exactly as in the proof of Theorem 5.3.8, except that the 4-tuple (0, 0, 0, 0) appearing in the locations of Figures 5.6, 5.7 and 5.8 is replaced by ż = 0. It remains to detail the encoding of the incrementation and decrementation instructions. We explain the idea for the incrementation of counter C1. Considering Figure 5.9, we have shown in the proof of Theorem 5.3.8 that if the automaton A enters location l1 with (ν1, ω1) = (2^−n, 1 − 2^−n), it will reach location l9 with (ν1′, ω1′) = (2^−(n+1), 1 − 2^−(n+1)), the values of the 3 other pairs (νi, ωi) being unchanged. Figure 5.11 is now used instead of Figure 5.9, such that z is the only cost variable and µ, µ′ are the witnesses that z is correctly used to modify the pair (ν1, ω).

[Figure 5.11 (diagram): same shape as Figure 5.9, from the location σk to the location σk+1, with the location costs (1, 0, 0, 0) and (0, 0, 0, 0) replaced by ż = 1 and ż = 0; the first locations carry the widget ∀i ≠ 0, 1: xi = 1; xi := 0; the edges carry the guards x0 = 0, x0 = 1, x1 = 1 and (x0 = 1) ∧ (0 < x1 < 1) and the resets x0 := 0 and x1 := 0; the intermediate locations are labelled by the witnesses µ and µ′.]
Figure 5.11: k: C1 := C1 + 1 (with the cost variable z)

Assume that in Figure 5.11 one enters l1 with ν1 = 2^−n and the valuation of z equal to 0. Then it is easy to replace location l1 of Figure 5.11
by a subautomaton in a way that if one enters it with (2^−n, 0) for the valuations of (x1, z), one leaves it with (ν1, ω) = (2^−n, 1 − 2^−n). This subautomaton is given in Figure 5.12.

[Figure 5.12 (diagram): from the location l1 (labelled σk; ξ, invariant x0 = 0, ż = 0) to the location l′1 (x0 = 0); in between, a widget location (∀i ≠ 0, 1: xi = 1; xi := 0, ż = 0, left at x0 = 1 with x0 := 0), and a location with ż = 1 and invariants x1 ≤ 1, z ≤ 1, left on the guard x1 = 1 with x1 := 0; the remaining edges carry the guards x0 = 0 and the loops ∀i xi = 1; xi := 0; all other locations have ż = 0.]
Figure 5.12: Modification of the valuation of (x1, z) from (2^−n, 0) to (2^−n, 1 − 2^−n)

In the latter figure, one can verify that if one enters l1 with valuation of (x1, z) equal to (2^−n, 0), then the valuation of z is equal to 1 − 2^−n when the guard x1 = 1 is satisfied, and thus one reaches l′1 with valuation of (x1, z) equal to (2^−n, 1 − 2^−n). Finally, imposing that the valuation of z is equal to 0 at location l1 of Figure 5.12 is done thanks to the logic, since this is impossible inside the automaton. This means that formula ϕ1 of (5.2) is replaced by

ϕ′ ≡ ξ ⇒ z · (µ ⇒ µ ∃U(µ′ ∧ z = 1))

where ξ is a witness that the cost variable z must be reset to 0. Subautomata for decrementing C1, incrementing and decrementing C2 are constructed in a similar way. The same formula ϕ′ can be used in each of these cases since it concerns the unique cost variable z. Notice that whereas incrementing or decrementing a counter requires one time unit for its encoding in the proof of Theorem 5.3.8, it here requires two time units. To complete the proof, the final formula ϕ given in (5.3) must be replaced by:

ϕ ≡ (ψ1 ∧ ψ2 ∧ ϕ′) ∃U σkt.
5.4 Improved undecidability result
In this section we prove that Problem 5.3.1 is already undecidable when considering weighted timed automata with three clocks and one stopwatch. We will use the semantics of WCTLr as defined in Remark 5.1.5. Our results rely on a new encoding of the two-counter machine, and on tricks to get rid of the "tick" clock, i.e. the clock which is reset every time unit (the clock x0 in the proof of Theorem 5.3.8). These results can be found in [BBM06].
5.4.1 Shape of the Reduction
Given a two-counter machine M, we build a weighted timed automaton AM (with three clocks and one stopwatch cost) and a WCTLr formula ϕ such that, given q0, a well-chosen extended state of AM, we have that M halts if, and only if, q0 |= ϕ. The two counters C1 and C2 will be encoded alternately by three clocks x1, x2 and x3. The value of c1 is encoded by ν(x) = 1/2^{c1} (with x ∈ {x1, x2, x3}) whereas the value of c2 is encoded by ν(x′) = 1/3^{c2} (with x′ ∈ {x1, x2, x3}). To each instruction will be associated up to six modules, one for each injective function {x, x′} → {x1, x2, x3}.

Incrementation of counter C1

We consider the following instruction: k : Ci := Ci + 1. We also assume that the initial value of C1 is stored in clock x1 whereas that of C2 is stored in x2. We construct the automaton Aut_k^{1,+}(x1, x2, x3) as in Fig. 5.13. In that figure (and in all the other ones), costs that are omitted are equal to zero. The superscript 1, + is a reminder that instruction k is an incrementation of counter c1 (we might omit it when it is not necessary); the tuple (x1, x2, x3) indicates which clocks encode counters c1 and c2: here, c1 is initially stored in x1 and c2 is initially stored in x2. At the end of this module, the values of c1
and c2 will be stored in x3 and x2, resp.; that is why we add a transition from D^k_{x1,x2,x3} to A^{k′}_{x3,x2,x1}.

[Figure 5.13 (diagram): locations A^k_{x1,x2,x3}, B^k_{x1,x2,x3}, C^k_{x1,x2,x3} (cost = 1) and D^k_{x1,x2,x3}; the edges carry the guard and reset x1 = 1, x1 := 0, the guard and reset x2 = 1, x2 := 0 (also as a loop) and the reset x3 := 0; the modules Test(x1 = 2x3, {x2}), Power2(x1, {x2, x3}) and Power3(x2, {x1, x3}) are attached to the automaton, and a final transition leads from D^k_{x1,x2,x3} to A^{k′}_{x3,x2,x1}.]
Figure 5.13: Automaton Aut_k^{1,+}(x1, x2, x3)

The valuation of x1 when arriving in A^k_{x1,x2,x3} is supposed to be 1/2^{c1}, whereas the valuation of x2 when arriving in A^k_{x1,x2,x3} is supposed to be 1/3^{c2}. This module encodes the incrementation of counter c1, thus the valuation of x3 when arriving in location D^k_{x1,x2,x3} (and when arriving in location A^{k′}_{x3,x2,x1}) should be 1/2^{c1+1} and the valuation of x2 should be 1/3^{c2}. One way to enforce this is to ensure the three following requirements:
• the delay between arrivals in A^k_{x1,x2,x3} and in D^k_{x1,x2,x3} is 1 time unit,
• the valuation of x3 when entering D^k_{x1,x2,x3} is ν1/2, where ν1 is the valuation of x1 when entering A^k_{x1,x2,x3},
• the delay in D^k_{x1,x2,x3} is 0.
To ensure the last point, we will use a global WCTLr-formula which will ensure that no cost is accumulated in location D^k_{x1,x2,x3}. To ensure the second point, we will construct a module Test(x1 = 2x3, {x2}) together
with a WCTLr-formula ϕ1 such that the formula holds in the module if, and only if, the valuation of x1 when entering the module is twice the valuation of x3 when entering the module (see Section 5.4.2). Finally, to ensure the first point, it is sufficient (see Lemma 5.4.1 below) to fulfill the following two properties:
1. the valuation of x1 when arriving in D^k_{x1,x2,x3} is of the form 1/2^n for some n ∈ N,
2. the valuation of x2 when arriving in D^k_{x1,x2,x3} is of the form 1/3^m for some m ∈ N.
These two requirements will be enforced by two modules that we will "plug" in location D^k_{x1,x2,x3}. The first module, Power2(x1, {x2, x3}), will be used to check, using clocks x2 and x3, that the valuation of x1 is of the form 1/2^n for some n ∈ N. We will also construct a WCTLr formula ϕ2 that holds in this module if, and only if, the value of x1 when entering the module is of the form 1/2^n for some nonnegative integer n (see Section 5.4.2). Note that the formula ϕ2 is independent of x1. Similarly we build a second module Power3(x2, {x1, x3}) and a WCTLr-formula ϕ3 (independent of x2), such that ϕ3 holds in the module if, and only if, the valuation of x2 when entering the module is of the form 1/3^m for some m. We now prove that those two tests are sufficient to encode the "tick":

Lemma 5.4.1. If a trajectory enters location A^k_{x1,x2,x3} with the valuation of x equal to 1/2^{c1}, the valuation of x2 equal to 1/3^{c2} and enters location D^k_{x1,x2,x3} τ units of time later with the valuation of x1 being of the form 1/2^n for some n, and the valuation of x2 being of the form 1/3^m for some m, then the value of τ is 1, n = c1 and m = c2.

Proof. We prove this lemma by elementary arithmetical manipulations. Due to the form of the automaton Aut_k^{1,+}(x1, x2, x3) (see Fig. 5.13) we have the following system of equalities:

$$\begin{cases} \dfrac{1}{2^{c_1}} + \tau - 1 = \dfrac{1}{2^{n}} \\[6pt] \dfrac{1}{3^{c_2}} + \tau - i = \dfrac{1}{3^{m}} \end{cases} \qquad (5.4)$$
for some integer i ≥ 1 (corresponding to the number of times clock x2 is reset). This implies that 1/2^{c1} − 1/3^{c2} + (i − 1) = 1/2^n − 1/3^m. It is easy to get that i = 1 or i = 2 (using the fact that each fraction involved in this equality is in the interval (0, 1]). We first assume that i = 1. We get that 1/2^{c1} − 1/2^n = 1/3^{c2} − 1/3^m, and distinguish several cases.
• Assume max(c1, n) = c1, then immediately max(c2, m) = c2. We multiply the two sides of the equality by 2^{c1} 3^{c2}. We get that 3^{c2}(1 − 2^{c1−n}) = 2^{c1}(1 − 3^{c2−m}). We assume that 1 − 3^{c2−m} ≠ 0, which is equivalent to c2 ≠ m. In case c1 > 0, 2 has to divide 1 − 2^{c1−n}, which implies that c1 = n, and consequently c2 = m, which is a contradiction. In case c1 = 0, as max(c1, n) = n, we get n = c1 = 0, and then c2 = m, which is a contradiction. Thus, c2 = m, and then c1 = n.
• The other case (max(c1, n) = n) can be handled similarly. We also get that c1 = n and c2 = m.
We then assume that i = 2. We get that 1 = 1/2^n − 1/2^{c1} + 1/3^{c2} − 1/3^m. If n ≥ 1 and c2 ≥ 1, then the right-hand side of the above equality is strictly less than 1, which is not possible. Thus, n = 0 or c2 = 0. We assume n = 0; we get that 1/2^{c1} = 1/3^{c2} − 1/3^m. Thus, 3^{max(c2,m)}/2^{c1} has to be an integer, or c2 = m. In the first case, we get that max(c2, m) = c1 = 0. The second case is not possible as 1/2^{c1} cannot be equal to 0. Finally, c1 = c2 = n = m = 0. We assume that c2 = 0. We get that 1/3^m = 1/2^n − 1/2^{c1}. Thus 2^{max(n,c1)}/3^m is an integer or n = c1. As previously, the second case is not possible. In the first case, we get that n = c1 = m = c2 = 0; this implies that τ = 1 and τ = 2, see (5.4), which is of course not possible. Thus i = 1.
This concludes the proof of the lemma (from c1 = n and c2 = m, we immediately get τ = 1). Similar ideas can be used to design an automaton Autk2,+ (x1 , x2 , x3 ) that increments the second counter, using module Test(x1 = 3x3 , {x2 }).
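As an added check of Lemma 5.4.1 (this code is the editor's, not part of the thesis), the following Python enumerates with exact rational arithmetic every solution of system (5.4) whose exponents $c_1, c_2, n, m$ lie below a bound, and confirms that all of them have $\tau = 1$, $n = c_1$, $m = c_2$ and $i = 1$. The bound on the exponents is an assumption of the check only; the denominator argument in the comment of `lemma_holds` is a shorter route to the same conclusion than the case analysis above.

```python
"""Exhaustive check of Lemma 5.4.1 (system (5.4)) for bounded exponents."""
from fractions import Fraction


def solutions(bound):
    """All (c1, c2, n, m, tau, i) with 0 <= c1, c2, n, m <= bound satisfying
        1/2^c1 + tau - 1 = 1/2^n     and     1/3^c2 + tau - i = 1/3^m
    for some integer i >= 1 (the number of resets of x2 between A^k and D^k).
    tau is forced by the first equation and i by the second, so only the
    integrality of i has to be tested."""
    found = []
    for c1 in range(bound + 1):
        for n in range(bound + 1):
            tau = 1 + Fraction(1, 2 ** n) - Fraction(1, 2 ** c1)
            for c2 in range(bound + 1):
                for m in range(bound + 1):
                    i = Fraction(1, 3 ** c2) + tau - Fraction(1, 3 ** m)
                    if i.denominator == 1 and i >= 1:
                        found.append((c1, c2, n, m, tau, int(i)))
    return found


def lemma_holds(bound):
    """Lemma 5.4.1 on the bounded domain: the only solutions are tau = 1, n = c1,
    m = c2 (and then i = 1), exactly one for each choice of (c1, c2).
    Why this must hold: i - 1 = (1/2^n - 1/2^c1) + (1/3^c2 - 1/3^m); the first
    bracket lies in (-1, 1) with a power-of-two denominator, the second with a
    power-of-three denominator, so the sum is an integer only if both vanish."""
    sols = solutions(bound)
    return len(sols) == (bound + 1) ** 2 and all(
        tau == 1 and n == c1 and m == c2 and i == 1
        for c1, c2, n, m, tau, i in sols
    )


if __name__ == "__main__":
    print(lemma_holds(6))  # True
```

Raising the bound only multiplies the running time; the structure of the solution set does not change, which is what the lemma states for all exponents.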
Chapter 5 — Model-Checking
Decrementation of a counter. We now consider a decrementation instruction (directly preceded by a test instruction): $k$: if $(C_1 > 0)$ then $C_1 := C_1 - 1$; goto $k'$ else goto $k''$. We will not detail the reduction, but only give the construction of automaton $\mathrm{Aut}^k_{1,-}(x_1,x_2,x_3)$, which is a slight variation of the construction for the incrementation. This automaton implements the decrementation of the first counter, this counter being initially stored in $x_1$ while the other one is initially stored in $x_2$.

[Figure: automaton $\mathrm{Aut}^k_{1,-}(x_1,x_2,x_3)$, with initial location $A'^k_{x_1,x_2,x_3}$ and an edge labelled $x_2 = 1, x_2 := 0$; the rest of the figure and the following pages are missing from the extraction.]

[…] $> 0$, then by applying Lemma 5.4.1 we have that $\rho$ reaches $D^{k'}_{\alpha,\beta,\gamma}$ (and then the next sub-automaton $\mathrm{Aut}^{k'}(\gamma,\beta,\alpha)$) after exactly 1 time unit and with valuation $\langle \gamma = 2\alpha_0 = 1/2^{n-1},\ \beta = \beta_0,\ \alpha = \alpha_0 \rangle$.
It is now easy to prove, by induction, that whenever $\rho$ enters the first location of a sub-automaton $\mathrm{Aut}^k(\alpha,\beta,\gamma)$, then $\alpha$ has the form $1/2^n$ and $\beta$ has the form $1/3^m$, for some integers $n$ and $m$. Now, according to $\Phi$, $\rho$ eventually enters location $A_{\mathrm{STOP}}$. In the meantime, it traverses a (finite) sequence $(A_i)_i$ of sub-automata of the form $\mathrm{Aut}^k(\alpha,\beta,\gamma)$. Thus, we can associate to $\rho$ a sequence of tuples $s_i = (k_i, c_{1,i}, c_{2,i})$ as follows:
• $k_i$ is the index $k$ of the sub-automaton $A_i = \mathrm{Aut}^k(\alpha,\beta,\gamma)$,
• $c_{1,i}$ is the integer such that $\alpha = 1/2^{c_{1,i}}$ is the valuation of the first clock when $\rho$ enters $A_i$,
• $c_{2,i}$ is the integer such that $\beta = 1/3^{c_{2,i}}$ is the valuation of the second clock when $\rho$ enters $A_i$.
Quite obviously, our construction ensures that the values of the counters between $s_i$ and $s_{i+1}$ are updated according to instruction $k_i$ of the two-counter machine $M$. The sequence $(s_i)_i$ thus corresponds to a halting computation of $M$. Conversely, if $M$ has a halting computation, we can exactly mimic this computation with a run in $A_M$. The arguments are similar to the ones above in order to prove that this run satisfies $\Phi$. We thus have the following theorem:

Theorem 5.4.3. Problem 5.3.1 is already undecidable when considering weighted timed automata with three clocks and one stopwatch cost.

Note that our reduction holds for a restriction of WCTLr not involving equality-constraints.
5.4.2 Modules
We describe below the modules needed for the different tests of our reduction.
Adding $\nu$ or $1-\nu$ to the cost variable, where $\nu$ is a clock valuation. This construction is inspired by the proof of Theorem 6.3.1. Module $\mathrm{Add}^+(x_1,\{x_3\})$, displayed on Figure 5.15, is an automaton that increases the cost variable by the initial valuation of clock $x_1$ (assuming $\nu_1 \in [0,1]$). Module $\mathrm{Add}^-(x_1,\{x_3\})$, displayed on Figure 5.16, increases the cost by $1 - \nu_1$ (still assuming $\nu_1 \in [0,1]$). In both cases, variable $x_3$ is used as a “tick”.

Figure 5.15: Automaton $\mathrm{Add}^+(x_1,\{x_3\})$. [figure: locations $\ell_0$ and $\ell_1$, one with cost rate 1 and the other with cost rate 0; edge labels $x_2 = 1, x_2 := 0$ (with $z := 0$ on the entry edge), $x_1 = 1, x_1 := 0$ and $x_3 = 1, x_3 := 0$]

Figure 5.16: Automaton $\mathrm{Add}^-(x_1,\{x_3\})$. [figure: same locations and edge labels as Figure 5.15, with the cost rates of the two locations exchanged]

Those automata clearly satisfy the following Lemma:

Lemma 5.4.4. If a run enters location $\ell_0$ of $\mathrm{Add}^+(x_1,\{x_3\})$ with $\nu_1 = \alpha_0 \in [0,1]$, $\nu_2 = \beta_0 \in [0,1]$ and $\mathrm{cost} = \gamma_0$, it then leaves location $\ell_1$ with the same values for $x_1$ and $x_2$, and with $\mathrm{cost} = \gamma_0 + \alpha_0$. If a run enters location $\ell_0$ of $\mathrm{Add}^-(x_1,\{x_3\})$ with $\nu_1 = \alpha_0 \in [0,1]$, $\nu_2 = \beta_0 \in [0,1]$ and $\mathrm{cost} = \gamma_0$, it then leaves location $\ell_1$ with the same values for $x_1$ and $x_2$, and with $\mathrm{cost} = \gamma_0 + 1 - \alpha_0$.
Checking $\nu_2 = 2\nu_1$

We now describe the module that checks if the initial valuations of two clocks $x_1$ and $x_2$, respectively denoted $\nu_1$ and $\nu_2$, satisfy $\nu_2 = 2\nu_1$. This is achieved by the automaton $\mathrm{Test}(x_2 = 2x_1, \{x_3\})$ displayed on Figure 5.17, in which the extra clock $x_3$ is required as a “tick”.

Figure 5.17: Automaton $\mathrm{Test}(x_2 = 2x_1, \{x_3\})$. [figure: from location $S$ (cost rate 0), an edge $x_3 := 0$ leads through the chain $\mathrm{Add}^+(x_1,\{x_3\})$, $\mathrm{Add}^-(x_2,\{x_3\})$, $\mathrm{Add}^+(x_1,\{x_3\})$ (each entered with $x_3 = 0$) to location $T$ (cost rate 0)]

Let $\varphi_1 = S \wedge \exists\Diamond_{\le 1} T \wedge \exists\Diamond_{\ge 1} T$. Roughly, it states that the (unique) trajectory from $S$ to $T$ has a total cost of exactly one. By Lemma 5.4.4 this total cost is $\nu_1 + (1 - \nu_2) + \nu_1 = 1 + 2\nu_1 - \nu_2$, which equals $1$ if, and only if, $\nu_2 = 2\nu_1$. Hence the following Lemma holds:

Lemma 5.4.5. Formula $\varphi_1$ holds in $S$ along module $\mathrm{Test}(x_2 = 2x_1, \{x_3\})$ with $\nu_1 \in [0,1]$ and $\nu_2 \in [0,1]$ if, and only if, $\nu_2 = 2\nu_1$.

This construction can easily be adapted for other tests, especially for building a module $\mathrm{Test}(x_2 = 3x_1, \{x_3\})$ testing if $x_2 = 3x_1$.

Checking that the valuation of $x_1$ is of the form $1/2^d$
We describe below the module Power2 (x1 , {x2 , x3 }), testing if the valuation of clock x1 equals 1/2d for some non-negative integer d. Clock x3 is used as a “tick”, and clock x2 is used for “multiplying” the valuation of clock x1 by 2. That module is displayed on Figure 5.18. It should be noticed that this module uses an update “x1 := x2 ”, instead of classical resets. This is for the sake of simplicity, and the module could be adapted (by duplicating the periodic part) in order to only have standard resets [BDFP04]. We let ϕ2 = P2 ∧ ((Q2 → (Q2 ∃Uϕ1 ))∃UR2 ). We have the following Lemma:
Figure 5.18: Automaton $\mathrm{Power}_2(x_1,\{x_2,x_3\})$. [figure: locations $P_2$, $Q_2$, $R_2$ and the module $\mathrm{Test}(x_2 = 2x_1,\{x_3\})$; edge labels appearing in the figure: $x_3 := 0$ (entering $P_2$), $x_1 = 1, x_1 := 0$ and $x_2 := 0$ (loops on $P_2$), $x_3 = 1 \wedge x_1 \le 1$ (from $P_2$ to $Q_2$), $x_3 := 0$ and $x_3 = 0$ (around the test module), $x_3 = 0, x_1 := x_2$ (back to $P_2$), $x_1 = 1, x_3 = 0$ (from $P_2$ to $R_2$)]

Lemma 5.4.6. Formula $\varphi_2$ holds in $P_2$ along $\mathrm{Power}_2(x_1,\{x_2,x_3\})$ with clock valuation of $x_1$ equal to $\nu_1 \in (0,1]$ if, and only if, there exists a non-negative integer $d$ such that $\nu_1 = 1/2^d$.

Proof. By abuse of notation, we denote by $P_2$ the location labelled by the atomic proposition $P_2$, and similarly for $Q_2$ and $R_2$. In this proof we denote by $q_0$ the configuration $(P_2, \langle \nu_1, \cdot, 0\rangle)$ when entering $P_2$ for the first time.

Let us first prove that if $\mathrm{Power}_2(x_1,\{x_2,x_3\}), q_0 \models \varphi_2$, then there exists an integer $d$ such that $\nu_1 = 1/2^d$. By hypothesis, there exists a run $\rho$, starting from $q_0$, reaching $R_2$, and verifying formula $(Q_2 \Rightarrow (Q_2\,\exists U\,\varphi_1))$ in between. Thus, since we never let time elapse in $Q_2$, Lemma 5.4.5 ensures that the valuation of $x_2$ is always twice the valuation of $x_1$ when entering $Q_2$. We denote by $n$ the number of times $\rho$ enters location $Q_2$. Let us remark that if $n = 0$, then we have $\nu_1 = 1 = 1/2^0$, hence the desired result by setting $d = 0$. Now fix $n > 0$. We prove by induction on $k$ that the valuation of $x_1$ is $2^{k-1}\nu_1$ when entering $Q_2$ for the $k$-th time along $\rho$, for any $k \le n$.
• The base case is obvious, since exactly 1 time unit elapses between the entrance in $P_2$ and the entrance in $Q_2$. Since $x_1 \le 1$ when entering $Q_2$, it must be reset between $P_2$ and $Q_2$. Thus the valuation of $x_1$ must be $\nu_1$ the first time $\rho$ enters $Q_2$.
• Assume the result holds for some $k \ge 1$ with $k < n$. Then the valuation of $x_1$ equals $2^{k-1}\nu_1$ when entering $Q_2$ for the $k$-th time. According to the remark above, $x_2$ equals $2^{k}\nu_1$ at that time. Thus $x_1$ is set to that valuation when entering $P_2$ anew, since no time is spent in $Q_2$. Using the same arguments as in the base case, clock $x_1$ has the same valuation when entering $Q_2$ for the $(k+1)$-st time as when entering $P_2$, namely $2^{k}\nu_1$.
Thus, the last time trajectory $\rho$ enters $Q_2$, the valuation of $x_1$ is $2^{n-1}\nu_1$ and $\nu_2 = 2^{n}\nu_1$. From that point on, $\rho$ must reach location $R_2$ without running in $Q_2$ anymore. This requires that the last valuation of $x_2$ in $Q_2$ is $1$. Thus $\nu_1 = 1/2^n$, as required (by letting $d = n$).

Conversely, if there exists a non-negative integer $d$ such that $\nu_1 = 1/2^d$, we have to prove that $\mathrm{Power}_2(x_1,\{x_2,x_3\}), q_0 \models \varphi_2$. We have to exhibit a run $\rho_d$ starting from $q_0$, reaching $R_2$, and such that formula $(Q_2 \Rightarrow (Q_2\,\exists U\,\varphi_1))$ always holds along $\rho_d$. We build the run by induction on $d$.
• If $d = 0$: in that case, we simply take the trajectory $(P_2, \langle 1, -, 0\rangle) \to (R_2, \langle 1, -, 0\rangle)$.
• Now pick some integer $d > 0$, and assume that we can build a trajectory $\rho_{d-1}$ from $(P_2, \langle 1/2^{d-1}, ?, 0\rangle)$ to $(R_2, \langle 1, ?, 0\rangle)$. We build $\rho_d$ as follows:
[Run $\rho_d$, as read from the figure, with $\alpha_0 = 1/2^d$ and valuations written $\langle x_1, x_2, x_3\rangle$: start in $(P_2, \langle \alpha_0, \cdot, 0\rangle)$; let $1 - 2\alpha_0$ time units elapse and reset $x_2$, reaching $\langle 1-\alpha_0, 0, 1-2\alpha_0\rangle$; let $\alpha_0$ elapse until $x_1 = 1$ and reset $x_1$, reaching $\langle 0, \alpha_0, 1-\alpha_0\rangle$; let $\alpha_0$ elapse until $x_3 = 1$, reaching $\langle \alpha_0, 2\alpha_0, 1\rangle$ and enter $Q_2$; reset $x_3$ and run $\mathrm{Test}(x_2 = 2x_1, \{x_3\})$; finally take the edge $x_3 = 0, x_1 := x_2$ back to $P_2$ with valuation $\langle 2\alpha_0, 2\alpha_0, 0\rangle$, that is $x_1 = 1/2^{d-1}$, and continue as $\rho_{d-1}$.]
One can check that the runs $\rho_d$ are runs of $\mathrm{Power}_2(x_1,\{x_2,x_3\})$ and satisfy $\varphi_2$. It is easy to adapt the previous construction in order to build a module $\mathrm{Power}_3(x_1,\{x_2,x_3\})$, using $\mathrm{Test}(x_2 = 3x_1,\{x_3\})$, that checks if the valuation of $x_1$ is of the form $1/3^d$ for some non-negative integer $d$. We denote by $\varphi_3$, involving atomic propositions $P_3$, $Q_3$ and $R_3$, the formula which checks that property.
5.5 Bisimulations of Automata with Stopwatch Observers
In the previous sections, we have shown that in the case of dense time, the WCTLr model-checking problem for automata with stopwatch observers is undecidable (Theorem 5.3.8 and Theorem 5.4.3). Looking at the proof of this result, it follows by Corollary 5.3.4 that there exists an automaton with stopwatch observers using 3 clocks and 1 cost variable and a WCTLr formula $\varphi$ for which any bisimulation respecting the partition $\mathcal{P}_0$ of Proposition 5.3.3 is infinite. In this section, we will identify the precise frontier between finite and infinite bisimulations for the class of automata with stopwatch observers. The next theorem states that there are already infinite bisimulations in the case of 1 clock and 2 cost variables, as well as of 2 clocks and 1 cost variable.

Theorem 5.5.1. Let $T = \mathbb{R}^+$. There exists an automaton with stopwatch observers $A$ using either 1 clock and 2 cost variables, or 2 clocks and 1 cost variable, and a WCTLr formula $\varphi$, such that no bisimulation respecting the partition $\mathcal{P}_0$ of Proposition 5.3.3 is finite.

Proof. The two automata that we are going to consider are given in Figures 5.19 and 5.20. Note that these automata have several empty edges and no labeling of the locations by atomic propositions.

Figure 5.19: 1 clock and 2 cost variables. [figure: four locations with cost rates $(\dot z_1, \dot z_2) = (0,0)$, $(1,0)$, $(0,1)$ and $(1,1)$, the last one denoted $l$; an edge labelled $x := 0$; the other edges are empty]

Figure 5.20: 2 clocks and 1 cost variable. [figure: two locations with cost rates $\dot z = 0$ and $\dot z = 1$; edges labelled $x_1 := 0$ and $x_2 := 0$]
The proof is based on the bisimulation algorithm and Proposition 3.3.16 with the initial partition $\mathcal{P}_0$ given in Proposition 5.3.3. Note that Condition 1 of Proposition 5.3.3 is trivially satisfied. Let us begin with the case of 1 clock variable $x$ and 2 cost variables $z_1, z_2$.

(1) 1 clock variable $x$ and 2 cost variables $z_1, z_2$. As initial partition, instead of the partition $\mathcal{P}_0$ of Proposition 5.3.3, we take the partition $\mathcal{P}$ induced by the bisimulation given in Definition 3.2.1 (for diagonal-free timed automata). The following discussion justifies this choice. At the location of Figure 5.19 where $\dot z_1 = \dot z_2 = 1$ (we denote this location by $l$), the behaviour of $z_1, z_2$ is the one of a clock. We thus have 3 clocks $x, z_1, z_2$ at location $l$. As shown in [AD94], if $x$, $z_1$ and $z_2$ are compared with constant $1$, then the bisimulation algorithm leads to the bisimulation $\approx_t$ of Definition 3.2.7 in the cube $[0,1]^3$ and in location $l$. A way to get these comparisons with constant $1$ is simply to add some guard or invariant $x = 1$ in the automaton of Figure 5.19 and to consider some WCTLr formula $\varphi$ with the two cost constraints $\pi_1$ and $\pi_2$ respectively equal to $z_1 = 1$ and $z_2 = 1$. Again by the bisimulation algorithm, the bisimulation $\approx_t$ is transferred to the other locations by applying $\mathrm{Pre}_a$ on the empty edges of the automaton (where $a$ is the unique action contained in the set of actions $\Sigma$). Therefore, as announced before, we can take as partition $\mathcal{P}$ the partition of the cube $[0,1]^3$ induced by $\approx_t$.

Let us now show that the bisimulation algorithm applied on partition $\mathcal{P}$ does not terminate because it generates an infinite number of regions $R_n$, $n \ge 1$, each containing exactly one point $(\nu, \omega_1, \omega_2)$ such that
$$(\nu, \omega_1, \omega_2) = \Big(0,\ \frac{1}{3^n},\ \frac{3^n+1}{2\cdot 3^n}\Big).$$
(We were able to discover the particular regions $R_n$ with experiments performed with the HyTech tool [HHWT95]. When speaking about the constructed regions, we can omit the locations since the empty edges transfer the information to each location.)

(a) We need to work with a particular region generated by the bisimulation algorithm (see Figure 5.21):
$$S :\quad 0 = x < z_1 < z_2 < 1,\qquad 2z_2 - z_1 = 1.$$
It is constructed as (see Figure 5.22)
• $S' = \mathrm{Pre}_t(P_1) \cap P_2$ with $P_1 : 0 < z_1 = z_2 < x = 1$, $P_2 : 0 < z_1 < z_2 = x < 1$, and $\dot z_1 = 1$, $\dot z_2 = 0$,
• $S = \mathrm{Pre}_t(S') \cap P_3$ with $P_3 : 0 = x < z_1 < z_2 < 1$, and $\dot z_1 = \dot z_2 = 0$.

Figure 5.21: Region $S$ ($x = 0$). [figure: the line $2z_2 - z_1 = 1$ in the $(z_1, z_2)$ plane, with the diagonal $z_1 = z_2$ and the value $1/2$ marked]

Figure 5.22: Its construction. [figure: the bold intervals $P_1$, $S'$ and $S$ in the coordinates $x$, $z_1$, $z_2$]

Looking at the bold intervals in Figure 5.22, we see that on line $S$ we have $\omega(z_2) - \omega(z_1) = 1 - \omega(z_2)$. It follows that $2\omega(z_2) - \omega(z_1) = 1$ must be satisfied in $S$ (notice that $P_1$, $P_2$ and $P_3$ belong to partition $\mathcal{P}$).

(b) The first region $R_1 = (0, \frac{1}{3}, \frac{2}{3})$ is then constructed as (see Figures 5.23 and 5.24)
• $R'_1 = \mathrm{Pre}_t(P_1) \cap P_2$ with $P_1 : 0 < x = z_1 < z_2 = 1$, $P_2 : 0 = x < z_1 < z_2 < 1$, and $\dot z_1 = 0$, $\dot z_2 = 1$,
• $R_1 = \mathrm{Pre}_a(R'_1) \cap S$.
Looking at the bold intervals in Figure 5.24, one verifies that $R'_1$ is the region $R'_1 : 0 = x < z_1 < z_2 < 1$, $z_1 + z_2 = 1$. In Figure 5.23, the intersection of $R'_1$ and $S$, which is nothing else than $R_1 = \mathrm{Pre}_a(R'_1) \cap S$, is the point $(0, \frac{1}{3}, \frac{2}{3})$.
Figure 5.23: Region $R_1$. [figure: the lines $R'_1$ ($z_1 + z_2 = 1$) and $S$ in the $(z_1, z_2)$ plane, meeting at the point $R_1$]

Figure 5.24: Its construction. [figure: the bold intervals $P_1$ and $R'_1$ in the coordinates $x$, $z_1$, $z_2$]
(c) It remains to explain how to construct $R_{n+1}$ from $R_n$, assuming that $R_n$ is the point $(0, \frac{1}{3^n}, \frac{3^n+1}{2\cdot 3^n})$. It is done as follows (see Figures 5.25 and 5.26)
• $S'_1 = \mathrm{Pre}_a(R_n) \cap P_1$ with $P_1 : 0 < z_1 < z_2 < x = 1$,
• $S'_2 = \mathrm{Pre}_t(S'_1) \cap P_2$ with $P_2 : 0 < x = z_1 < z_2 < 1$, and $\dot z_1 = 0$, $\dot z_2 = 0$,
• $S'_3 = \mathrm{Pre}_t(S'_2) \cap P_3$ with $P_3 : 0 < x < z_1 < z_2 < 1$, and $\dot z_1 = 0$, $\dot z_2 = 1$,
• $R'_{n+1} = \mathrm{Pre}_t(S'_3) \cap P_4$ with $P_4 : 0 = x < z_1 < z_2 < 1$, and $\dot z_1 = 1$, $\dot z_2 = 0$,
• $R_{n+1} = \mathrm{Pre}_a(R'_{n+1}) \cap S$.
Recall that $R_n = (0, \frac{1}{3^n}, \frac{3^n+1}{2\cdot 3^n})$. Thus, looking at the bold intervals of Figure 5.26 (in particular at lines $R'_{n+1}$, $S'_3$ and $R_n$), the next equality must hold on $R'_{n+1}$:
$$\omega(z_1) + \omega(z_2) = \frac{3^n+1}{2\cdot 3^n}.$$
On Figure 5.25, the intersection of $R'_{n+1}$ and $S$, which is $R_{n+1}$, is therefore the point $(0, \frac{1}{3^{n+1}}, \frac{3^{n+1}+1}{2\cdot 3^{n+1}})$. This completes the proof of the case of 1 clock variable and 2 cost variables. We now proceed to the case of 2 clock variables and 1 cost variable.
Figure 5.25: Region $R_{n+1}$. [figure: the lines $R'_1$, $R'_{n+1}$ and $S$ in the $(z_1, z_2)$ plane, with the points $R_1$, $R_n$ and $R_{n+1}$]

Figure 5.26: Its construction from $R_n$. [figure: the bold intervals $R_n$, $S'_1$, $S'_2$, $S'_3$ and $R'_{n+1}$ in the coordinates $x$, $z_1$, $z_2$]
(2) 2 clock variables $x_1, x_2$ and 1 cost variable $z$. The proof for this second case is in the same vein as before; it will be less detailed. As before, we consider the partition $\mathcal{P}$ induced by $\approx_t$ as initial partition. Let us show that the bisimulation algorithm here generates the regions $R_n$, $n \ge 1$, each formed by the unique triple
$$(\nu_1, \nu_2, \omega) = \Big(0,\ 1 - \frac{1}{2^n},\ \frac{1}{2^n}\Big).$$
(a) We first consider the particular region
$$S :\quad 0 = x_1 < z < x_2 < 1,\qquad x_2 + z = 1$$
constructed as $S = \mathrm{Pre}_t(P_1) \cap P_2$ with $P_1 : 0 < x_1 = z < x_2 = 1$, $P_2 : 0 = x_1 < z < x_2 < 1$, and $\dot z = 0$. This construction is the same as in Figure 5.24 except that $x_1, z, x_2$ respectively replace $x, z_1, z_2$.
(b) The first region $R_1 = (0, \frac{1}{2}, \frac{1}{2})$ is then constructed as $S$ except that $P_2$ equals $0 = x_1 < z = x_2 < 1$ (instead of $z < x_2$).
(c) The construction of $R_{n+1}$ from $R_n$ is performed as follows (see Figures 5.27 and 5.28)
• $S'_1 = \mathrm{Pre}_a(R_n) \cap P_1$ with $P_1 : 0 < z < x_2 < x_1 < 1$,
• $S'_2 = \mathrm{Pre}_t(S'_1) \cap P_2$ with $P_2 : 0 = x_2 < x_1 < z < 1$, and $\dot z = 0$,
Figure 5.27: Region $R_{n+1}$. [figure: the lines $R'_2$, $R'_{n+1}$ and $S$ in the $(x_2, z)$ plane, with the points $R_1$, $R_2$, $R_n$ and $R_{n+1}$]

Figure 5.28: Its construction from $R_n$. [figure: the bold and dashed intervals $R_n$, $S'_1$, $S'_2$, $S'_3$ and $R'_{n+1}$ in the coordinates $x_1$, $x_2$, $z$]
• $S'_3 = \mathrm{Pre}_a(S'_2) \cap P_3$ with $P_3 : 0 < x_1 < z < x_2 = 1$,
• $R'_{n+1} = \mathrm{Pre}_t(S'_3) \cap P_4$ with $P_4 : 0 = x_1 < z < x_2 < 1$, and $\dot z = 1$,
• $R_{n+1} = \mathrm{Pre}_a(R'_{n+1}) \cap S$.
From the bold and dashed intervals of Figure 5.28, we see that on $R'_{n+1}$ we must have $\omega(z) + (1 - \nu(x_2)) = \frac{1}{2^n}$. Thus $R_{n+1}$, the intersection of this equality with $S$, is the point $(0, 1 - \frac{1}{2^{n+1}}, \frac{1}{2^{n+1}})$.
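Both recurrences of the proof of Theorem 5.5.1 can be replayed exactly with rational arithmetic. The following Python code is an added example (the editor's, not part of the thesis): it encodes the two lines that determine each $R_{n+1}$, namely the line $R'_{n+1}$ read off the figures and the line $S$, intersects them, and compares the resulting points with the closed forms stated in the proof. The helper `solve2` and the function names are mine; the observation that the points are pairwise distinct is exactly what makes the generated partition infinite.

```python
"""Replaying the region sequences R_n of Theorem 5.5.1 with exact rationals."""
from fractions import Fraction as F


def solve2(a1, b1, c1, a2, b2, c2):
    """Exact solution (u, v) of a1*u + b1*v = c1 and a2*u + b2*v = c2 (Cramer's rule)."""
    det = a1 * b2 - a2 * b1
    if det == 0:
        raise ValueError("the two lines are parallel")
    return F(c1 * b2 - c2 * b1) / det, F(a1 * c2 - a2 * c1) / det


def region_case1(c):
    """Case (1): 1 clock x, 2 costs z1, z2.
    R'_{n+1} is the line z1 + z2 = c with c = omega(z2) of R_n (c = 1 gives R'_1);
    R_{n+1} = R'_{n+1} intersected with S: 2*z2 - z1 = 1, x = 0.  Returns (x, z1, z2)."""
    z1, z2 = solve2(1, 1, c, -1, 2, 1)
    return F(0), z1, z2


def region_case2(c):
    """Case (2): 2 clocks x1, x2, 1 cost z.
    R'_{n+1} is the line z + (1 - x2) = c with c = omega(z) of R_n (c = 1 is the
    constraint z = x2 that gives R_1); R_{n+1} = R'_{n+1} intersected with
    S: x2 + z = 1, x1 = 0.  Returns (x1, x2, z)."""
    x2, z = solve2(-1, 1, c - 1, 1, 1, 1)   # -x2 + z = c - 1  and  x2 + z = 1
    return F(0), x2, z


def regions(step, count):
    """R_1, ..., R_count: each region feeds its last coordinate back as the next constant c."""
    points, c = [], F(1)
    for _ in range(count):
        point = step(c)
        points.append(point)
        c = point[2]
    return points


def closed_case1(n):
    """(0, 1/3^n, (3^n + 1) / (2 * 3^n)), the point the proof attributes to R_n."""
    return F(0), F(1, 3 ** n), F(3 ** n + 1, 2 * 3 ** n)


def closed_case2(n):
    """(0, 1 - 1/2^n, 1/2^n), the point the proof attributes to R_n."""
    return F(0), 1 - F(1, 2 ** n), F(1, 2 ** n)


def matches_closed_form(step, closed, count):
    """True iff the replayed regions equal the closed forms and are pairwise distinct."""
    points = regions(step, count)
    return (all(p == closed(n) for n, p in enumerate(points, start=1))
            and len(set(points)) == count)


if __name__ == "__main__":
    for point in regions(region_case1, 4):
        print(point)
    print(matches_closed_form(region_case1, closed_case1, 8),
          matches_closed_form(region_case2, closed_case2, 8))
```

The feedback of the last coordinate is the only place where the geometry of Figures 5.26 and 5.28 enters; everything else is the intersection with the fixed region $S$, which is why the sequence never repeats.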
From the previous theorem, it follows that the remaining case to fix the precise frontier between finite and infinite bisimulations is the case of 1 clock variable and 1 cost variable. Indeed for the case of no cost variable, i.e. the case of timed automata, it is known that they have a finite bisimulation (see Definition 3.2.7). Theorem 5.5.2. Let T = R+ . Let A be an automaton with stopwatch observers using 1 clock variable x and 1 cost variable z. Let ϕ be a WCTLr formula. Then A has a finite bisimulation respecting the partition P0 of Proposition 5.3.3. Proof. (Sketch) The proposed bisimulation is the one of Definition 3.2.7, where z is treated as a clock. It is not difficult to verify that the conditions of Definition 3.2.12 are satisfied. The next result follows by Corollary 5.3.4.
Corollary 5.5.3. In the case of dense time, the WCTLr model-checking problem for automata with stopwatch observers using 1 clock variable and 1 cost variable is decidable.(13)

Comments. All the results of this section are concerned with automata with stopwatch observers. If we consider weighted timed automata, the frontier between finite and infinite bisimulations is easily established. There exist weighted timed automata with 1 clock variable $x$ and 1 cost variable $z$ with rates $\dot z = d_1$ and $\dot z = d_2$, where $d_1, d_2 > 0$ are two integer constants, for which no finite bisimulation exists [Hen96] (see Figure 5.29). If for automata with 1 clock $x$ and 1 cost variable $z$ we impose that there exists an integer constant $d > 0$ such that $\dot z \in \{0, d\}$ in each location, then a finite bisimulation exists. It is the bisimulation of Definition 3.2.1, where $z$ is treated as a clock and each diagonal $z - x = c$ is replaced by $z - dx = c$ (see Figure 5.30).
Figure 5.29: $d_1 = 1$, $d_2 = 3$. [figure: the $(x, z)$ plane]

Figure 5.30: $d = 3$. [figure: the $(x, z)$ plane with the diagonals $z - 3x = c$]
Note that a finite bisimulation still exists if we allow to add to the variables x and z additional cost variables z2 , . . . , zm having a null cost on the locations and an arbitrary cost on the edges. In Example 3.3.9, z3 is such a variable. The required finite bisimulation is a direct product of the bisimulation given before for x and z with the bisimulation of Definition 3.2.1 applied to the variables z2 , . . . , zm treated as clocks.
(13) This result also holds for the WCTL logic, since when there is only 1 cost variable, the two logics WCTL and WCTLr are equivalent.
Chapter 6
Control

In the previous chapters we studied weighted timed automata as closed systems, where every transition is controlled. If we want to distinguish between actions of a controller and actions of an environment, we have to consider games on weighted timed automata. This is the subject of this chapter. In this context, we can ask whether the controller can force the environment to update the control of the automaton in such a way that a target location is reached with a cost bounded by a given value. We can also ask to compute the optimal cost for the controller winning such a game. This problem has already been studied independently (in dense time) in [ABM04] and in [BCFL04]. In [ABM04], the authors study the $k$-bounded optimal game reachability problem, i.e. given an initial state $s$ of a weighted timed automaton $A$, a cost bound $C$ and a set $T$ of locations, determine if Player 1 has a strategy to enforce the game started in state $s$ into a location of $T$ within $k$ rounds, while ensuring that the cost is bounded by $C$. Their algorithmic solution has an exponential-time worst-case complexity. In [BCFL04], the authors study winning strategies to reach a set of target locations with an optimal cost in a weighted timed automaton $A$. To compute the optimal cost and to synthesize an optimal winning strategy, they provide a semi-algorithm for which they can guarantee termination under a condition called strict non-zenoness of cost. This condition imposes that every cycle in the region automaton of $A$ has a cost bounded away from zero. The general case where this condition is not imposed is left open in both papers [ABM04] and [BCFL04]. In this chapter, we prove the unexpected negative result that for weighted timed automata, the existence of a winning strategy with a cost bounded by a given value is in general undecidable. On the positive side, we show that if we restrict the number of clocks to one and we limit the cost rate to $0$ or $d$ where $d$ is a fixed integer, then the two problems mentioned above are decidable. We also prove that these two problems are decidable when working with discrete time. The results of this chapter are based on [BBR05, BBM06].

Conventions and notations. In this chapter we only consider timed automata $A = (L, X, \Sigma, E, I, \mathcal{L})$ where the labelling function $\mathcal{L}$ maps every location to the empty set. In this context the function $\mathcal{L}$ is useless. To avoid heavy notation we will thus denote timed automata $A$ by $(L, X, \Sigma, E, I)$. We will only consider weighted timed automata with a single non-negative cost, i.e. $C : L \cup E \to \mathbb{N}$, and use the semantics given by Definition 3.3.12. Moreover we will only consider canonical runs of the form
$$\rho = q_1 \xrightarrow{\tau_1} q'_1 \xrightarrow{e_1} q_2 \xrightarrow{\tau_2} q'_2 \xrightarrow{e_2} \cdots \xrightarrow{\tau_k} q'_k \xrightarrow{e_k} q_{k+1} \cdots,$$
that we will denote shortly by
$$\rho = q_1 \xrightarrow{\tau_1 \cdot e_1} q_2 \xrightarrow{\tau_2 \cdot e_2} \cdots \xrightarrow{\tau_k \cdot e_k} q_{k+1} \cdots .$$
We also introduce the following notation. Let A = (L, X, Σ, E, I) be a timed automaton. For a transition e = (l, a, g, Y, l′) ∈ E, the label of e is a, and is also denoted by Action(e).
6.1 Timed games and related cost problems

In this section, we recall the notion of timed game on a weighted timed automaton. In this context we introduce the concept of winning strategy and the related cost problems. We start with the definition of weighted timed game.

Definition 6.1.1. Let $A = (L, X, \Sigma, E, I, C)$ be a weighted timed automaton. We say that $A$ together with a set $L_F \subseteq L$ of target locations is a weighted timed game if the set of actions $\Sigma$ contains a particular action denoted $u$. In this context the transitions labelled with $u$ are called the uncontrollable transitions. The other ones are called the controlled transitions.

Notations 6.1.2. We denote by $\Sigma_c$ the set of actions $\Sigma \setminus \{u\}$.

In this chapter, without loss of generality, we make the assumption that a weighted timed game $A$ is c-deterministic, i.e. if $q \xrightarrow{e} q'$ and $q \xrightarrow{e'} q''$ with $e, e'$ two controlled transitions such that $\mathrm{Action}(e) = \mathrm{Action}(e')$, then $q' = q''$.

Hypothesis 6.1.3. A weighted timed game $A$ is supposed to be c-deterministic.

We now give the semantics of weighted timed games and some related problems. Let us first explain the semantics intuitively. Let $A = (L, X, \Sigma, E, I, C, L_F)$ be a weighted timed game. The game is played by two players, Player 1 (the controller) and Player 2 (the environment). At any state $q$, Player 1 picks a time $\tau$ and an action $a \in \Sigma_c$ such that there is a transition $q \xrightarrow{\tau \cdot e} q'$ with $\mathrm{Action}(e) = a$. Player 2 has two choices:
• either it can decide to wait for time $\tau$ and execute the transition $q \xrightarrow{\tau \cdot e} q'$ proposed by Player 1 (this transition is unique since $A$ is assumed to be c-deterministic),
• or it can wait for time $\tau'$, $0 \le \tau' \le \tau$, and execute a transition $q \xrightarrow{\tau' \cdot e'} q''$ with $\mathrm{Action}(e') = u$.
The game then evolves to a new state (according to the choice of Player 2) and the two players proceed to play as before.
Remark 6.1.4. In the definition of a timed game, it is implicitly supposed that Player 1 can always formulate a choice $(\tau, a)$ in any reachable state $q$ of the game.

We will now formalize the semantics through the concept of strategy.

Definition 6.1.5. A (Player 1, memoryless) strategy is a function $\lambda : L \times T^n \to T \times \Sigma_c$.

We now define what it means for a run to be played according to a strategy.

Definition 6.1.6. Let $A$ be a weighted timed game and $\lambda$ be a strategy. A finite or infinite run $\rho = q_1 \xrightarrow{\tau_1 \cdot e_1} q_2 \xrightarrow{\tau_2 \cdot e_2} \cdots \xrightarrow{\tau_k \cdot e_k} q_{k+1} \cdots$ is said to be played according to $\lambda$ if for every $i$, if $\lambda(q_i) = (\tau'_i, a_i)$, then either $\tau_i = \tau'_i$ and $\mathrm{Action}(e_i) = a_i$, or $\tau_i \le \tau'_i$ and $\mathrm{Action}(e_i) = u$.

In this context let us define the notions of winning run and winning strategy.

Definition 6.1.7. The run $\rho = q_1 \xrightarrow{\tau_1 \cdot e_1} q_2 \xrightarrow{\tau_2 \cdot e_2} \cdots \xrightarrow{\tau_k \cdot e_k} q_{k+1} \cdots$ is winning if for some $i$, $q_i = (l_i, \nu_i)$ with $l_i \in L_F$ a target location.

Definition 6.1.8. Let $q$ be a state and $\lambda$ be a strategy. We denote by $\mathrm{Outcome}(q, \lambda)$ the set of runs starting from $q$ and played according to $\lambda$. The strategy $\lambda$ is winning from state $q$ if all runs of $\mathrm{Outcome}(q, \lambda)$ are winning.

Let us now define the cost of a winning run.

Definition 6.1.9. Let $\rho$ be a winning run. Suppose that $q_i$ is the first state of $\rho$ such that $l_i \in L_F$, and let $\rho'$ be the prefix run of $\rho$ equal to $q_1 \xrightarrow{\tau_1 \cdot e_1} \cdots \xrightarrow{\tau_{i-1} \cdot e_{i-1}} q_i$. Then we say that $C(\rho')$ is the cost of $\rho$ to reach $L_F$ and we abusively denote it by $C(\rho)$.

Finally, we define two notions of cost as proposed in [BCFL04], and we state the problems studied in this chapter.
Definition 6.1.10. The cost $\mathrm{Cost}(q, \lambda)$ associated with a winning strategy $\lambda$ and a state $q$ is defined by $\mathrm{Cost}(q, \lambda) = \sup\{C(\rho) \mid \rho \in \mathrm{Outcome}(q, \lambda)\}$. Intuitively, the presence of the supremum is explained by the fact that Player 2 tries to make choices that lead to a cost $C(\rho)$ as large as possible.

Definition 6.1.11. Let $A$ be a weighted timed game. The optimal cost $\mathrm{OptCost}(q)$ is then equal to $\mathrm{OptCost}(q) = \inf\{\mathrm{Cost}(q, \lambda) \mid \lambda \text{ is a winning strategy}\}$. A winning strategy $\lambda$ from $q$ is called optimal whenever $\mathrm{Cost}(q, \lambda) = \mathrm{OptCost}(q)$.

Let us now define the two control problems we are going to study.

Problem 6.1.12. Given a weighted timed game $A$, a state $q$ of $A$ and a constant $c \in \mathbb{N}$, decide if there exists a winning strategy $\lambda$ from $q$ such that $\mathrm{Cost}(q, \lambda) \le c$.

Problem 6.1.13. Given a weighted timed game $A$ and a state $q$ of $A$, determine the optimal cost $\mathrm{OptCost}(q)$ and decide whether there exists an optimal winning strategy.

Remark 6.1.14. Concerning Problem 6.1.13, there is an optimal winning strategy from state $q$ iff the infimum can be replaced by a minimum in the definition of $\mathrm{OptCost}(q)$. Notice that Problem 6.1.12 is decidable if Problem 6.1.13 can be solved. Indeed, there exists a winning strategy $\lambda$ from $q$ such that $\mathrm{Cost}(q, \lambda) \le c$ iff either $\mathrm{OptCost}(q) < c$, or $\mathrm{OptCost}(q) = c$ and there is an optimal strategy from $q$.

In order to understand the difference between the cost-optimal reachability problem (as discussed in Chapter 4) and Problem 6.1.13, let us give an example.

Example 6.1.15. This example continues Example 3.1.6. Let us first consider the weighted timed automaton of Figure 6.1. This automaton,
where all the transitions are controlled, is a weighted timed automaton as considered in Chapter 4. In this context, one can compute the infimum of the costs of the runs starting from $(l_0, 0, 0)$ and reaching location $l_4$ (see Definition 4.1.1). By using techniques described in Chapter 4 we find that
$$\mathrm{OptCost}\big((l_0, 0, 0), l_4\big) = \inf_{t \le 2} \min\big(5t + 10(2-t) + 1,\ 5t + (2-t) + 7\big) = 9.$$
This optimal cost is realized by the following run:
$$\rho = (l_0, 0, 0) \xrightarrow{0 \cdot a} (l_1, 0, 0) \xrightarrow{0 \cdot a} (l_3, 0, 0) \xrightarrow{2 \cdot a} (l_4, 2, 2).$$

Figure 6.1: $\mathrm{OptCost}((l_0, 0, 0), l_4) = 9$. [figure: locations $l_0$ (cost rate 5), $l_1$ (invariant $x_2 = 0$), $l_2$ (cost rate 10), $l_3$ (cost rate 1) and $l_4$; edges $l_0 \to l_1$ labelled $a;\ x_1 \le 2;\ x_2 := 0$, $l_1 \to l_2$ and $l_1 \to l_3$ labelled $a;\ x_2 = 0$, $l_2 \to l_4$ labelled $a;\ x_1 \ge 2$ with cost 1, $l_3 \to l_4$ labelled $a;\ x_1 \ge 2$ with cost 7]
We can now turn the previous weighted timed automaton into a weighted timed game (see Figure 6.2) by replacing some controllable transition by an uncontrollable transition and setting $L_F = \{l_4\}$. In this new context, we would like to solve Problem 6.1.13 with $q = (l_0, 0, 0)$. Due to the presence of the uncontrollable transition (from $l_1$ to $l_3$), the optimal cost (see Definition 6.1.11) is given by
$$\mathrm{OptCost}\big((l_0, 0, 0)\big) = \inf_{t \le 2} \max\big(5t + 10(2-t) + 1,\ 5t + (2-t) + 7\big) = 14 + \tfrac{1}{3}.$$
This optimal cost is obtained by waiting $\tau = \frac{4}{3}$ time units in location $l_0$. The optimal strategy for the controller is thus given by
$$\lambda\big((l_0, 0, 0)\big) = \big(\tfrac{4}{3}, a\big).$$
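Worked derivation of both values of Example 6.1.15, added here as an editor's example (not text of the thesis); it only uses the cost rates and guards read from Figures 6.1 and 6.2, and writes $t \in [0, 2]$ for the delay spent in $l_0$ (the guard $x_1 \le 2$ forces $t \le 2$, and the guards $x_1 \ge 2$ force the remaining $2 - t$ to be spent in $l_2$ or $l_3$):

$$\text{via } l_2:\quad 5t + 10(2-t) + 1 = 21 - 5t, \qquad\qquad \text{via } l_3:\quad 5t + (2-t) + 7 = 4t + 9 .$$

The two affine functions cross where $21 - 5t = 4t + 9$, i.e. at $t^* = 4/3$, with common value $4t^* + 9 = 43/3$. In the closed system the controller also chooses the branch, so it faces the lower envelope:

$$\inf_{t \le 2} \min(21 - 5t,\ 4t + 9) = \min\Big(\min_{0 \le t \le 4/3} (4t + 9),\ \min_{4/3 \le t \le 2} (21 - 5t)\Big) = \min(9, 11) = 9 \qquad (t = 0).$$

In the game the environment chooses the branch at $l_1$, so the controller faces the upper envelope:

$$\inf_{t \le 2} \max(21 - 5t,\ 4t + 9) = \min\Big(\min_{0 \le t \le 4/3} (21 - 5t),\ \min_{4/3 \le t \le 2} (4t + 9)\Big) = \frac{43}{3} = 14 + \tfrac{1}{3} \qquad (t = \tfrac{4}{3}).$$

The optimal delay $4/3$ is the crossing point of the two branches and is not close to an integer.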
Figure 6.2: $\mathrm{OptCost}((l_0, 0, 0)) = 14 + \frac{1}{3}$. [figure: the automaton of Figure 6.1 with the transition from $l_1$ to $l_3$ now labelled $u;\ x_2 = 0$]
This shows that in the context of weighted timed games there is no result analogous to the one of Chapter 4 stating that optimal runs (in the totally controlled context) only contain time-transitions with a delay $\tau$ arbitrarily close to an integer. We now proceed with the symbolic analysis of weighted timed games.
6.2 Symbolic analysis
In order to symbolically analyze weighted timed games, we present a controllable predecessor operator. The main result is Proposition 6.2.3, relating the iteration of this operator with the existence of a winning strategy with a bounded cost. The content of this section is close to [BCFL04], but with a different presentation (in [BCFL04], weighted timed games are reduced to games on linear hybrid automata where the cost is one of the variables). Let $A = (L, X, \Sigma, E, I, C, L_F)$ be a weighted timed game. In this context, an extended state of $A$ is a tuple $(l, \nu, w)$ where $l \in L$ is a location, $\nu$ is a clock valuation over $X$, and $w \in T$ is called the credit (this notion of extended state, where $w$ models the credit, differs from the notion of extended state $(l, \nu, \omega)$ given by Definition 3.3.5). Intuitively, the credit models a sufficient amount of resource that allows Player 1, when in state $(l, \nu)$, to reach a target location of $L_F$ whatever Player 2 decides to do, with a cost less than or equal to $w$. The set of extended states is denoted by $Q_E$.
We now define the following CPre operator.

Definition 6.2.1. Let $A$ be a weighted timed game and $R \subseteq Q_E$. Then $(l, \nu, w) \in \mathrm{CPre}(R)$ if and only if there exist $\tau \in T$ and a controlled transition $e \in E$ such that
• there exists an extended state $(l', \nu', w') \in R$ with $(l, \nu) \xrightarrow{\tau \cdot e} (l', \nu')$ and $w \ge w' + C(l) \cdot \tau + C(e)$,
• and for every $\tau'$, $0 \le \tau' \le \tau$, every uncontrolled transition $e' \in E$ and every state $(l', \nu')$ such that $(l, \nu) \xrightarrow{\tau' \cdot e'} (l', \nu')$, there exists an extended state $(l', \nu', w') \in R$ with $w \ge w' + C(l) \cdot \tau' + C(e')$.

The CPre operator satisfies the following nice properties. Given a weighted timed game $A$, we define the set Goal as follows:
$$\mathrm{Goal} = \{(l, \nu, w) \mid l \in L_F \text{ and } w \ge 0\},$$
and the set
$$\mathrm{CPre}^*(\mathrm{Goal}) = \bigcup_{k \ge 0} \mathrm{CPre}^k(\mathrm{Goal}),$$
where $\mathrm{CPre}^0(\mathrm{Goal}) = \mathrm{Goal}$ and, for $k > 0$, $\mathrm{CPre}^k(\mathrm{Goal}) = \mathrm{CPre}(\mathrm{CPre}^{k-1}(\mathrm{Goal}))$. A set $R \subseteq Q_E$ of extended states is said to be upward closed if whenever $(l, \nu, w) \in R$, then $(l, \nu, w') \in R$ for all $w' \ge w$. The above definition leads immediately to the following results.

Lemma 6.2.2.
1. Given $R \subseteq Q_E$, the set $\mathrm{CPre}(R)$ is upward closed.
2. The sets Goal and $\mathrm{CPre}^*(\mathrm{Goal})$ are upward closed.

Proposition 6.2.3. Let $A$ be a weighted timed game. If there exists $k \in \mathbb{N}$ such that $\mathrm{CPre}^k(\mathrm{Goal}) = \mathrm{CPre}^{k+1}(\mathrm{Goal})$, then $\mathrm{CPre}^*(\mathrm{Goal}) = \mathrm{CPre}^k(\mathrm{Goal})$, and $(l, \nu, w) \in \mathrm{CPre}^*(\mathrm{Goal})$ iff there exists a winning strategy $\lambda$ from state $q = (l, \nu)$ such that $\mathrm{Cost}(q, \lambda) \le w$.

Proof. We first prove the only-if implication. The winning strategy $\lambda$ will be defined on the states of $\mathrm{CPre}^*(\mathrm{Goal}) = \bigcup_{k \ge 0} \mathrm{CPre}^k(\mathrm{Goal})$ (that is, on the states $(l, \nu)$ such that $(l, \nu, w) \in \mathrm{CPre}^*(\mathrm{Goal})$ for some $w \in T$) by induction on $k$. The case $k = 0$ is immediate by definition of Goal.
Suppose by induction hypothesis that a winning strategy λ has been defined on the set $R = \bigcup_{0 \le i \le k} \mathrm{CPre}^i(\mathrm{Goal})$ such that if (l, ν, w) ∈ R, then Cost((l, ν), λ) ≤ w. We consider the set
$$S = R \cup \mathrm{CPre}(R) = \bigcup_{0 \le i \le k+1} \mathrm{CPre}^i(\mathrm{Goal})$$
and we show how to appropriately extend the definition of λ from R to S. Let (l, ν, w) ∈ S. If (l, ν, w) ∈ R, then λ has already been defined on the state (l, ν) by induction hypothesis. So suppose that (l, ν, w) ∈ S \ R. By Definition 6.2.1, there exist τ ∈ T and e ∈ E with Action(e) = a ≠ u such that
(i) there exists an extended state (l′, ν′, w′) ∈ R with $(l,\nu) \xrightarrow{\tau \cdot e} (l',\nu')$ and w ≥ w′ + C(l)·τ + C(e),
(ii) and for every τ′ with 0 ≤ τ′ ≤ τ, every e′ ∈ E with Action(e′) = u, and every (l′, ν′) such that $(l,\nu) \xrightarrow{\tau' \cdot e'} (l',\nu')$, there exists an extended state (l′, ν′, w′) ∈ R with w ≥ w′ + C(l)·τ′ + C(e′).
Let us denote C(l)·τ + C(e) by ∆ and C(l)·τ′ + C(e′) by ∆′. We define⁶ λ on the state q = (l, ν) by λ(q) = (τ, a). Let us prove that λ is a winning strategy from q with Cost(q, λ) ≤ w. Let ρ ∈ Outcome(q, λ); two situations are possible when considering the first transition of ρ.

In the first situation, the first transition of ρ is the one proposed by Player 1, that is, $(l,\nu) \xrightarrow{\tau \cdot e} (l',\nu')$ as given in (i). Let us denote by ρ′ the tail⁷ of ρ. Thus Cost(ρ) = ∆ + Cost(ρ′). On the other hand, by (i), the credits of the extended states (l, ν, w) ∈ S and (l′, ν′, w′) ∈ R satisfy w ≥ w′ + ∆, and Cost(ρ′) ≤ w′ by induction hypothesis. Therefore Cost(ρ) ≤ ∆ + w′ ≤ w.

In the second situation, the first transition of ρ is the one chosen by Player 2, that is, a transition $(l,\nu) \xrightarrow{\tau' \cdot e'} (l',\nu')$ like in (ii). By (ii), we obtain Cost(ρ) ≤ w as done previously.

⁶ Or redefine: indeed it may happen that (l, ν, w) ∈ S \ R with (l, ν, w′) ∈ R for some w′ ≠ w.
⁷ Obtained by deleting the first transition of ρ.
It follows that the cost of each run in Outcome(q, λ) is bounded by w, showing that Cost(q, λ) ≤ w.

We now prove the if implication. We proceed ab absurdo. We suppose that there exists a winning strategy λ from state q = (l, ν) such that Cost(q, λ) ≤ w, and (l, ν, w) ∉ CPre*(Goal). Since (l, ν, w) ∉ CPre*(Goal), there exist an extended state (l₁, ν₁, w₁) and a run in Outcome(q, λ) with first transition $(l,\nu) \xrightarrow{\tau_1 \cdot e_1} (l_1,\nu_1)$ such that w ≥ w₁ + C(l)·τ₁ + C(e₁) and (l₁, ν₁, w₁) ∉ CPre*(Goal) (apply Definition 6.2.1 with R = CPre*(Goal) and notice that CPre(R) ⊆ CPre*(Goal)). By repeating this argument with (l₁, ν₁, w₁), there exist an extended state (l₂, ν₂, w₂) and a run in Outcome(q, λ) with the first two transitions $(l,\nu) \xrightarrow{\tau_1 \cdot e_1} (l_1,\nu_1) \xrightarrow{\tau_2 \cdot e_2} (l_2,\nu_2)$ such that (l₂, ν₂, w₂) ∉ CPre*(Goal), and so on. Therefore, there exist an infinite sequence of extended states (l_i, ν_i, w_i) ∉ CPre*(Goal) and an infinite run
$$(l,\nu) \xrightarrow{\tau_1 \cdot e_1} (l_1,\nu_1) \xrightarrow{\tau_2 \cdot e_2} \cdots (l_i,\nu_i) \xrightarrow{\tau_{i+1} \cdot e_{i+1}} \cdots$$
in Outcome(q, λ). By definition of the set Outcome(q, λ), we must have l_i ∈ LF for some i, in contradiction with (l_i, ν_i, w_i) ∉ Goal.

Proposition 6.2.3 leads to several comments in the case where a symbolic representation⁸ for CPre*(Goal) can be computed. In such a case, we say that CPre*(Goal) has an effective representation.

Remark 6.2.4. By Proposition 6.2.3, Problem 6.1.12 is decidable if (i) CPre*(Goal) has an effective representation, and (ii) the membership of an extended state (l, ν, w) in CPre*(Goal) can be effectively checked. We will see (from Theorem 6.3.1) that one of the conditions (i), (ii) cannot be fulfilled in general.

Remark 6.2.5. Let A be a weighted timed game and q = (l, ν) be a state of A. Problem 6.1.13 asks to determine the optimal cost OptCost(q). This is possible under the following hypotheses: (i) CPre*(Goal) has an effective representation, (ii) the value inf{w | (l, ν, w) ∈ CPre*(Goal)} can be effectively computed. This value is exactly OptCost(q).

⁸ For instance this representation could be given in a decidable logical formalism like the first-order theory of the reals with order and addition, or Presburger arithmetic.
Moreover, the existence of an optimal winning strategy from q is decidable if one can determine the value c = OptCost(q), and the membership of (l, ν, c) in CPre*(Goal) can be effectively checked. Indeed, an optimal strategy exists iff c is the minimum value of the set {w | (l, ν, w) ∈ CPre*(Goal)} (see Remark 6.1.14).
6.3 Dense time
In this section we study Problem 6.1.12 and Problem 6.1.13 in the dense time context. The results are the following: (i) Problem 6.1.12 is in general undecidable; thus, by Remark 6.1.14, Problem 2 cannot be solved; (ii) Problem 6.1.13 (and thus Problem 6.1.12) can be solved in the particular case of weighted timed games with one clock and such that for any location l, C(l) ∈ {0, d} with d ∈ N a given constant.
6.3.1 Undecidability results
This subsection is devoted to the main result of this chapter, that is, Problem 6.1.12 is undecidable. By Remark 6.1.14, it follows that Problem 2 cannot be solved.

Theorem 6.3.1. Problem 6.1.12 is undecidable.

Proof. The idea of the proof is the following. Given a two-counter machine M, we construct a weighted timed game A and propose a timed game on A. In this game, Player 1 simulates the execution of M, and Player 2 observes the possible simulation errors made by Player 1. We prove that for a well-chosen state q, there exists a winning strategy λ from q with Cost(q, λ) ≤ 1 iff the machine M halts. It follows that Problem 6.1.12 is undecidable.

Recall that the instructions of two-counter machines are given in Table 5.1. We consider two-counter machines without goto instruction. A configuration of the machine M is given by a triple (k, C1, C2) which represents the (label of the) current instruction of M and the two counter values. The first instruction of M is supposed to be labelled by k0 and
the stop instruction, for which M halts, is supposed to be labelled by ks. The initial configuration of M is thus (k0, 0, 0).

We first define how the counter values are encoded in the states of A. We encode the value of counter C1 using three clocks x1, x2, x3 and the value of counter C2 using three clocks x′1, x′2, x′3. The clock values are always between 0 and 1. In this proof, to keep the notation simple, we use the same notation to denote the clock or its valuation. Counter C1 has value n ∈ N,
$$C_1 = n \tag{6.1}$$
iff one of the following three conditions is satisfied:
• $0 \le x_1 \le x_2 \le x_3 \le 1$, $x_2 - x_1 = \frac{1}{2^{n+1}}$, and $x_1 + (1 - x_3) = \frac{1}{2^{n+1}}$,
• $0 \le x_3 \le x_1 \le x_2 \le 1$, $x_2 - x_1 = \frac{1}{2^{n+1}}$, and $x_1 - x_3 = \frac{1}{2^{n+1}}$,
• $0 \le x_2 \le x_3 \le x_1 \le 1$, $(1 - x_1) + x_2 = \frac{1}{2^{n+1}}$, and $x_1 - x_3 = \frac{1}{2^{n+1}}$.
The encoding of C2 is done in a similar manner by replacing x1 (resp. x2, x3) by x′1 (resp. x′2, x′3). The first condition is given in Figure 6.3.⁹

Figure 6.3: One encoding of C1 = n, with α + β = 1/2^{n+1}. (Figure omitted: it shows the clocks x1, x2, x3 on the unit interval, with x2 − x1 = 1/2^{n+1}.)

We say that the encoding of C1 (resp. C2) is in normal form if x1 = 0 (resp. x′1 = 0) (see Figure 6.4).

Figure 6.4: The encoding of C1 = n in normal form. (Figure omitted: x1 = 0, x2 = 1/2^{n+1} and x3 = 1 − 1/2^{n+1}.)

The automaton A = (L, X, Σ, E, I, C, LF) has thus a set X of six clocks (x1, x2, x3, x′1, x′2, x′3). The costs given by function C to the

⁹ The two other conditions are cyclic, or mod 1, representations of the first condition.
locations are either 0 or 1. The function C assigns a null cost to each transition.¹⁰ The set L contains a location for each label k of the machine M, which is labelled by σk in a way to remember the label k. For each such k, the related location l is as depicted in Figure 6.5, where x1 may also be x′1. We notice that the control spends no time in location l, and that one of the two counters, Ci, is encoded in normal form. This is the way configurations (k, C1, C2) of the machine M are encoded by states (l, ν) of the automaton A, with locations l like in Figure 6.5. In particular, the stop instruction of M, which is labelled by ks, is encoded by a location l like in Figure 6.5, such that σks replaces σk and l ∈ LF is a target location.

Figure 6.5: Location labelled by σk. (Figure omitted: location l, labelled σk, with invariant x1 = 0, entered by a transition resetting x1 := 0.)

Figure 6.6: Widget to let the value of a counter unchanged. (Figure omitted: location l with invariant x1 ≤ 1 ∧ x2 ≤ 1 ∧ x3 ≤ 1 and three self-loops labelled x1 = 1; x1 := 0, x2 = 1; x2 := 0 and x3 = 1; x3 := 0.)
In the sequel, we present widgets used by Player 1 to simulate the instructions of the machine M. These widgets are fragments of the automaton A; they are depicted in Figures 6.6–6.13. In these figures, target locations l ∈ LF are surrounded by a double circle, uncontrolled transitions are labelled by the action u, and controlled transitions are those that are not labelled. It is supposed that controlled transitions leaving a given location are labelled by distinct actions of Σc, in a way to have a c-deterministic weighted timed game A (see Hypothesis 6.1.3). Notice that the constructed automaton A will satisfy the assumptions of Remark 6.1.4. With the construction of these widgets and a particular state q of A, we will see that the machine M halts iff Player 1 has a winning strategy λ from q with Cost(q, λ) ≤ 1. Let us describe this idea; the complete proof will be given later:

¹⁰ In the following figures, the cost, if not indicated, is supposed to be equal to zero.
• If M halts, then the strategy of Player 1 is to faithfully simulate the instructions of M. If Player 2 lets Player 1 play, then the cost of simulating M equals 0, otherwise the cost equals 1. In both cases the game always reaches a target location. This shows that λ is a winning strategy with Cost(q, λ) ≤ 1.
• Suppose that M does not halt. Either the timed game simulates the instructions of M and thus never finishes, or it does not simulate the instructions of M and Player 2 is able to force the game to reach a target location with a cost strictly greater than 1. Therefore, in both cases, Player 1 has no winning strategy λ with Cost(q, λ) ≤ 1.

Widget W1 to let a counter value unchanged - The first widget allows, when time elapses in a location l, to keep the value of counter C1 unchanged. Such a widget is useful when, for instance, the value of one counter is incremented while the value of the other counter is not modified. See Figure 6.6. If the control enters location l at time τ with clock values x1, x2, x3 encoding the value n of counter C1, and leaves location l at time τ′′ ≥ τ, then for all τ′ with τ ≤ τ′ ≤ τ′′, the current clock values x1 + τ′, x2 + τ′, x3 + τ′ still encode the value n. Indeed, the clock values cyclically rotate among the three possible conditions for encoding n (see (6.1)). One can easily adapt widget W1 in order to keep the value of counter C2 unchanged. The widget W1 is often useful in combination with other widgets. To keep the figures of those widgets readable, we often omit widget W1 inside them.

Widget W2 for normal form - Figure 6.7 presents a widget to put the encoding of counter C1 in normal form (a similar widget can be constructed for C2). When the control enters location l with clock values x1, x2, x3 encoding the value n of counter C1, the control reaches location l′ with x1, x2, x3 encoding n and x1 = 0. The control instantaneously leaves location l′ due to the invariant x1 = 0.
Figure 6.7: Widget to put encoding of counter C1 in normal form. (Figure omitted: location l with invariant x1 ≤ 1 ∧ x2 ≤ 1 ∧ x3 ≤ 1 and self-loops x2 = 1; x2 := 0 and x3 = 1; x3 := 0, and a transition x1 = 1; x1 := 0 to location l′ with invariant x1 = 0.)

Widget W3 for zero test - We here indicate how to simulate a zero test instruction for counter C1, i.e. an instruction k : if C1 = 0 then goto k′ else goto k′′. The widget for zero test is given in Figure 6.8.¹¹ We assume that the control reaches location l with the value n of counter C1 encoded by x1, x2, x3 in normal form¹², that is, x1 = 0, x2 = 1/2^{n+1} and x3 = 1 − 1/2^{n+1}. We notice that location l is like the locations described in Figure 6.5. No time can elapse in l. Clearly, testing that n = 0 is equivalent to testing that x2 = x3, as done in this widget. The zero test instruction for counter C2 is done similarly.

Figure 6.8: Widget for zero test. (Figure omitted: location l, labelled σk, with invariant x1 = 0, a transition guarded by x2 = x3 to instruction k′ and a transition guarded by x2 < x3 to instruction k′′.)

Widget W4 for increment of counter C1 - In this paragraph, we indicate how to simulate an increment instruction k : C1 := C1 + 1; the increment for counter C2 can be handled similarly. While the previous widgets have controlled transitions only, and null costs on every location, the widget for incrementing counter C1 uses two uncontrolled transitions, and has cost equal to 1 for certain locations. This widget is composed of several parts.

¹¹ A more tricky encoding using diagonal-free weighted timed automata is possible.
¹² This is always possible by using widget W2.
Figure 6.9: First part of the widget for increment. (Figure omitted: locations l0, l1, l2, the first labelled σk, with invariants x1 = 0, x3 < 1 and x1 = 0; the transitions l0 → l1 and l1 → l2 carry the resets x2 := 0 and x1 := 0.)

(1) First part of widget W4. Consider Figure 6.9. We can suppose that the control reaches location l0 with the value n of counter C1 encoded by x1, x2, x3 in normal form, such that x1 = 0, x2 = 1/2^{n+1} and x3 = 1 − 1/2^{n+1}. The transition from l0 to l1 has to be taken immediately. As the transition from l1 to l2 is controlled, Player 1 has to choose the amount of time τ that it waits in l1 before taking the transition to l2. Because of the invariant labelling l1, we know that τ < 1/2^{n+1}. When entering location l2, the clock values are as follows: x1 = 0, x2 = τ and x3 = 1 − 1/2^{n+1} + τ. Note that to faithfully simulate the increment of counter C1, Player 1 should choose τ = 1/2^{n+2}. It is easy to verify that in location l2,
$$\tau = \frac{1}{2^{n+2}} \iff x_2 + x_3 = 1. \tag{6.2}$$

So, we are in the following situation: to verify that Player 1 has faithfully chosen τ to simulate the increment of counter C1, we simply have to check that in l2, x2 + x3 = 1. Hereafter, we show how Player 2 observes in location l2 the possible simulation errors of Player 1. Notice that in l2, the clock values x1, x2, x3 satisfy 0 = x1 < x2 < x3 ≤ 1.

(2) Part of widget W4 to check if x2 + x3 ≠ 1. For clarity, we distinguish the case where (i) x2 + x3 > 1 from the case where (ii) x2 + x3 < 1. We begin with Case (i). The widget W> is given in Figure 6.10. Notice that the first location of this widget is equal to the last one of the widget of Figure 6.9, and that the first transition is uncontrolled. Location l7 is a target location, i.e. l7 ∈ LF. The idea is as follows: we use the cost C(ρ) of the run ρ from l2 to l7 to compute the value x2 + x3. The cost of each location is null except for locations l4 and l6, where C(l4) = 1 and C(l6) = 1.

Figure 6.10: Widget W>. (Figure omitted: locations l2, l3, l4, l5, l6, l7 with costs 0, 0, 1, 0, 1, 0; the transition leaving l2 is uncontrolled (u) and l7 is a target location; the invariants are x1 = 0, x2 ≤ 1 ∧ x3 ≤ 1, x1 ≤ 1, x1 ≤ 1 ∧ x2 ≤ 1 and x3 ≤ 1, and the transitions are labelled by guards x_i = 1 with resets x_i := 0.)

Let ρ be a run from l2 to l7 such that x2 and x3 are the clock values in l2. Recall that in location l2, the clock values x1, x2, x3 satisfy 0 = x1 < x2 < x3 ≤ 1. We can verify that the cost of ρ is equal to x2 + x3 (a cost x2 in location l4 and a cost x3 in location l6). Hence we have
$$x_2 + x_3 > 1 \iff C(\rho) > 1. \tag{6.3}$$

We now consider Case (ii). The widget W< is given in Figure 6.11. As for widget W>, the first location of this widget is equal to location l2 of Figure 6.9, and the first transition is uncontrolled. Location l6′ is a target location. The idea is similar to Case (i): along the run ρ′ from l2 to l6′, the value n of counter C1 is left unchanged, and the cost of ρ′ is equal to (1 − x2) + (1 − x3) (a cost 1 − x2 in l3′ and a cost 1 − x3 in l5′). As x2 + x3 < 1 is equivalent to (1 − x2) + (1 − x3) > 1, we have
$$x_2 + x_3 < 1 \iff C(\rho') > 1. \tag{6.4}$$
(3) Complete widget for increment. The complete widget for increment is composed of the widgets given in Figures 6.9, 6.10 and 6.11, as schematically given in Figure 6.12. The counter that we want to increment has value n. First the control enters the first part of the widget for incrementation with x1 = 0, x2 = 1/2^{n+1}, x3 = 1 − 1/2^{n+1}. As we have seen before, Player 1 has to choose the amount of time τ that it waits in l1 before taking the transition to l2. The only way to reach l2 with x2 + x3 = 1 is to simulate faithfully the increment of the counter (see (6.2)). Then in location l2, Player 1 proposes to Player 2 to move the control to the widget that encodes the next instruction of the machine M. Player 2 has three choices: either accept the move of Player 1, or move the control to the widget W>, or move the control to the widget W<.

Figure 6.11: Widget W<. (Figure omitted: locations l2, l3′, l4′, l5′, l6′ with costs 0, 1, 0, 1, 0; the transition leaving l2 is uncontrolled (u) and l6′ is a target location; the invariants are x1 = 0, x2 ≤ 1 ∧ x3 ≤ 1, x1 ≤ 1 and x3 ≤ 1, and the transitions are labelled by guards x_i = 1 with resets x_i := 0.)

Figure 6.12: Complete widget for increment. (Figure omitted: the locations l0, l1, l2 of Figure 6.9, and from l2 a transition to the next instruction together with two uncontrolled transitions u to the widgets W> and W<.)

If Player 1 faithfully simulates the increment, i.e. x2 + x3 = 1, then Player 2 either accepts the move or sends the control to one of the widgets W>, W<, and the game reaches a target location with a cost equal to 1 (see (6.3) and (6.4)). So whatever Player 2's decision, the cost is bounded by 1. Suppose now that Player 1 does not simulate the increment instruction, i.e. x2 + x3 ≠ 1; then Player 2 can take a decision
such that the game reaches a target location with a cost strictly greater than 1. Indeed, if x2 + x3 > 1, it decides to use the widget W> (see (6.3)), otherwise it uses the widget W< (see (6.4)).

Widget W5 for decrement of counter C1 - As for the increment, the widget for decrement is in several parts. We only present the first part in detail, where Player 1 has to faithfully simulate the decrement. The other parts, where Player 2 observes the possible errors of Player 1, are identical to Cases (i), (ii) of the increment widget. Again, the decrement of counter C2 can be handled similarly. Let us assume that we enter location l0 of the widget of Figure 6.13 with x1 = 0, x2 = 1/2^{n+1} and x3 = 1 − 1/2^{n+1}. We also assume that n > 1 (since we assume there is a zero test before each decrement instruction).

Figure 6.13: First part of the widget for decrement. (Figure omitted: locations l0, l1, l2, l3, l4 with invariants x1 = 0, x3 ≤ 1, x2 ≤ 1, x1 ≤ 1 ∧ x2 ≤ 1 and x1 = 0; the transition labels are, in reading order, x2 = 1; x2 := 0, x3 = 1, x1 := 0, x1 = 1; x1 := 0 and x3 := 0.)

When the control leaves location l1, the clock values are respectively equal to x1 = 0, x3 = 1, and x2 = 1/2^{n+1} + 1/2^{n+1}. Then Player 1 has to choose the amount of time τ that it waits in location l2 before taking the transition to l3. To faithfully simulate the decrement, Player 1 should choose τ = 1/2^n. In location l4, we are now in the same situation as in location l2 of the increment widget (see Figure 6.12): τ = 1/2^n ⇔ x2 + x3 = 1. So, we just have to plug in l4 the two widgets W>, W< and a transition to the next instruction of the machine M. The situation is the same as for the increment. Indeed, if Player 1 faithfully simulates the decrement instruction, then the cost is bounded by 1 whatever Player 2's decision. If Player 1 does not simulate it, then Player 2 can take a decision such that the game reaches a target location with a cost strictly greater than 1. It should now be clear why we can reduce the halting of a two-counter
machine to the existence of a winning strategy for Player 1 to reach a target location with a cost bounded by 1. Let M be a two-counter machine and A the weighted timed game constructed from the widgets as above. The target locations of A are either the location associated with the stop instruction of M, or the target locations of the widgets of Figures 6.10 and 6.11. Let q = (l, ν) be the state of A encoding the initial configuration (k0, 0, 0) of M, that is, l is the location labelled by σk0, and ν is the clock valuation such that x1 = x′1 = 0 and x2 = x3 = x′2 = x′3 = 1/2. Let us prove that M halts iff there exists a winning strategy λ from q with Cost(q, λ) ≤ 1.

Suppose that M halts; then the strategy λ of Player 1 is to faithfully simulate the instructions of M. Let ρ be a run of Outcome(q, λ). If along ρ, Player 2 lets Player 1 simulate M, then ρ reaches the target location of A associated with the stop instruction of M with a cost C(ρ) = 0. If Player 2 decides to use one of the two widgets W>, W<, then ρ reaches the target location of this widget with C(ρ) = 1. Therefore, λ is a winning strategy from q satisfying Cost(q, λ) ≤ 1.

Suppose that there is a winning strategy λ from q with Cost(q, λ) ≤ 1. Assume that M does not halt; the contradiction is obtained as follows. If λ consists in simulating the instructions of M, then Player 2 decides to let Player 1 simulate M. The corresponding run ρ ∈ Outcome(q, λ) will never reach a target location since M does not halt. This is impossible since λ is winning. Thus suppose that λ does not simulate the instructions of M, and let ρ ∈ Outcome(q, λ). As soon as Player 2 observes a simulation error along ρ, it decides to use one of the widgets W>, W< such that ρ reaches the target location of this widget with C(ρ) > 1. This is impossible since λ is winning with a cost Cost(q, λ) ≤ 1.

Remark 6.3.2. In [BCFL04], Problem 6.1.13 has been solved for the class of weighted timed games A such that the cost function is strictly non-zeno, i.e. every cycle in the region automaton associated with A has a cost which is bounded away from zero. The authors of this paper translate Problem 6.1.13 into some linear hybrid automata where the cost is one of the variables. For this class of hybrid automata, the conditions mentioned above in these remarks are fulfilled. Of course the automaton
we have constructed in the proof of Theorem 6.3.1 does not fall into this class of automata.
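The arithmetic behind the reduction above can be checked mechanically: the three cyclic conditions of the encoding (6.1), the rotation of the clocks performed by widget W1, the first part of the increment widget W4 (Figure 6.9) and the costs charged by the observer widgets W> and W< (equations (6.3) and (6.4)). The following Python code is an added example and is not part of the thesis; the function names (encode, decode, elapse, increment_first_part, worst_cost_at_l2), the exact rational arithmetic and the modelling of clock resets as reduction modulo 1 are assumptions of this example, and the decrement widget is not modelled.

```python
# Added example (not from the thesis): the clock encoding (6.1) of a counter,
# the time-elapsing rotation of widget W1, the first part of the increment
# widget W4 (Figure 6.9) and the costs charged by the observer widgets W> (6.3)
# and W< (6.4). Exact rational arithmetic keeps the values 1/2^(n+1) precise.
from fractions import Fraction as F

ONE = F(1)


def encode(n):
    """Normal-form encoding of C1 = n: x1 = 0, x2 = 1/2^(n+1), x3 = 1 - 1/2^(n+1)."""
    a = F(1, 2 ** (n + 1))
    return (F(0), a, ONE - a)


def _counter_from_gap(d):
    """n such that d = 1/2^(n+1), or None when d has no such form."""
    if d <= 0 or d.numerator != 1:
        return None
    m = d.denominator              # must be 2^(n+1) with n >= 0
    if m < 2 or m & (m - 1):
        return None
    return m.bit_length() - 2      # log2(m) - 1


def decode(x1, x2, x3):
    """Counter value under the three cyclic conditions of (6.1), else None."""
    if not all(0 <= x <= 1 for x in (x1, x2, x3)):
        return None
    if x1 <= x2 <= x3 and x2 - x1 == x1 + (ONE - x3):          # first condition
        return _counter_from_gap(x2 - x1)
    if x3 <= x1 <= x2 and x2 - x1 == x1 - x3:                  # second condition
        return _counter_from_gap(x2 - x1)
    if x2 <= x3 <= x1 and (ONE - x1) + x2 == x1 - x3:          # third condition
        return _counter_from_gap(x1 - x3)
    return None


def elapse(clocks, t):
    """Widget W1: let time t pass; each clock is reset to 0 when it reaches 1
    (modelled here as reduction modulo 1, an assumption of the example)."""
    return tuple((x + t) % 1 for x in clocks)


def increment_first_part(clocks, tau):
    """Clock values on entering l2 of Figure 6.9 when Player 1 waits tau in l1.
    l0 must be entered in normal form; l0 -> l1 resets x2 and l1 -> l2 resets x1."""
    x1, x2, x3 = clocks
    if x1 != 0:
        raise ValueError("the widget must be entered in normal form (x1 = 0)")
    x2 = F(0)                      # l0 -> l1, taken immediately (invariant x1 = 0)
    if x3 + tau >= 1:
        raise ValueError("invariant x3 < 1 of l1 forbids waiting this long")
    x1, x2, x3 = x1 + tau, x2 + tau, x3 + tau   # time tau elapses in l1
    return (F(0), x2, x3)          # l1 -> l2 resets x1


def cost_w_greater(x2, x3):
    """Cost of the run through W> from l2: x2 in l4 plus x3 in l6, see (6.3)."""
    return x2 + x3


def cost_w_less(x2, x3):
    """Cost of the run through W< from l2: (1 - x2) in l3' plus (1 - x3) in l5', see (6.4)."""
    return (ONE - x2) + (ONE - x3)


def worst_cost_at_l2(clocks):
    """Cost Player 2 can force from l2 by choosing the more expensive observer
    widget: equal to 1 exactly when x2 + x3 = 1, strictly greater otherwise."""
    _, x2, x3 = clocks
    return max(cost_w_greater(x2, x3), cost_w_less(x2, x3))
```

With C1 = 2 encoded as (0, 1/8, 7/8), the faithful wait τ = 1/16 yields (0, 1/16, 15/16), which decode recognizes as 3 and for which both observer widgets cost exactly 1; waiting 1/32 instead gives x2 + x3 < 1, so W< charges 34/32 > 1 and the clocks no longer encode any counter value, while waiting 3/32 gives x2 + x3 > 1 and W> charges more than 1.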
6.3.2 Improved undecidability result
In this section we briefly explain how the techniques introduced in Section 5.4 can be used in order to prove that Problem 6.1.12 is already undecidable when considering weighted timed games with three clocks.

Theorem 6.3.3. Problem 6.1.12 is already undecidable with three clocks and one stopwatch cost.

Proof. (Sketch) Given a two-counter machine M, we construct a weighted timed game A with one cost variable. The shape of the automaton is similar to the one described in Section 5.4.1; we only point out the few differences:
• When arriving in state ASTOP we add a discrete cost 3;
• All arrows leading to a test module (dashed on Figures 5.13 and 5.14) are uncontrollable;
• The module for checking that x2 = 2x1 is split into two branches, one setting the cost to 2 + 2x1 + (1 − x2), and the other to 1 + 2(1 − x1) + x2 (these two branches are slight adaptations of Figure 5.17, and the transitions leading to one or the other branch are uncontrollable). If the relation x2 = 2x1 does not hold, the environment has a strategy to set the cost to a value strictly greater than 3 (if x2 < 2x1, he takes the branch storing 2 + 2x1 + (1 − x2) in the cost, otherwise he takes the other branch). If the relation x2 = 2x1 holds, then whatever branch the environment chooses, the accumulated cost will be exactly 3, and the controller will win the game;
• The module for checking that x2 = 3x1 is similar, and has two branches, one setting the cost to 2 + 3x1 + (1 − x2), and the other one setting the cost to 3(1 − x1) + x2. Thus, if the relation x2 = 3x1 does not hold, the environment has a strategy to set the cost to a value strictly greater than 3 (if x2 < 3x1, he takes the branch storing 2 + 3x1 + (1 − x2) in the cost, otherwise he takes the other branch). If the relation x2 = 3x1 holds, then whatever branch the environment chooses, the accumulated cost will be exactly 3, and the controller will win the game;
• The modules Power2 and Power3 are similar to the ones for WCTLr (the tests x2 = 2x1 (resp. x2 = 3x1) are done as described above). In these modules, if the controller cheats, that is either because at some point of the loop he does not satisfy x2 = 2x1 (resp. x2 = 3x1), which can be detected by the environment going to the corresponding test module, or because he will not be able to reach a location labelled by R2 (or R3). In the first case, a state labelled by T will be reached (the play will thus be winning), but the cost will be strictly greater than 3, whereas in the second case, the play will not be winning.

Following the lines of the proofs of Theorem 6.3.1 and Theorem 5.4.3: M halts if and only if the controller has a winning strategy in A to enforce one of the states labelled by {STOP, T, R2, R3} with cost less than or equal to 3. This is true because if the environment does not do any uncontrollable action, then the controller must never wait in states with a positive cost (otherwise the global cost will be strictly greater than 3). If the environment does an uncontrollable action, it means that he wants to check that the controller has played correctly, and if (and only if) the latter has really played correctly, he will be able to reach a state labelled by T, R2 or R3 with cost less than or equal to 3.
6.3.3 One clock
In the previous subsections, Problem 6.1.12 was shown undecidable by a reduction of the halting problem of a two-counter machine. The weighted timed game in the proof uses three clocks, has no cost on the transitions and cost 0 or 1 on the locations. We here study weighted timed games with one clock and such that for any location l, C(l) ∈ {0, d} with d ∈ N a given constant. For this particular class of automata, we solve Problem 6.1.13 by following the
lines of Remark 6.2.5. By Remark 6.1.14, Problem 6.1.12 is thus also solved. The proof is only detailed for d = 1.

To facilitate the computation of the CPre operator, we first introduce another operator denoted by π, which is largely inspired from the one of [BCFL04]. We need to generalize transitions to extended states¹³: a time-transition $(l,\nu) \xrightarrow{\tau} (l,\nu')$ is extended to $(l,\nu,w) \xrightarrow{\tau} (l,\nu',w - C(l)\cdot\tau)$, and similarly a switch-transition $(l,\nu) \xrightarrow{e} (l',\nu')$ is extended to $(l,\nu,w) \xrightarrow{e} (l',\nu',w - C(e))$. Given R ⊆ QE and a ∈ Σ we define
$$\mathrm{Pre}_a(R) = \{\, r \in Q_E \mid \exists r' \in R \text{ such that } r \xrightarrow{e} r' \text{ with } \mathrm{Action}(e) = a \,\},$$
as well as $\mathrm{Pre}_c(R) = \bigcup_{a \in \Sigma_c} \mathrm{Pre}_a(R)$, and $\mathrm{Pre}_u(R)$ for the uncontrolled action u. We also define the following set tPre(R, S), with R, S ⊆ QE. Intuitively, an extended state r is in tPre(R, S) if from r we can reach some r′ ∈ R by time elapsing and along the timed transition from r to r′ we avoid S. This set is defined by
$$\mathrm{tPre}(R, S) = \{\, r \in Q_E \mid \exists \tau \in \mathbb{R}_+ \text{ with } r \xrightarrow{\tau} r',\ r' \in R,\ \text{and } \mathrm{Post}_{[0,\tau]}(r) \subseteq S \,\}$$
where $\mathrm{Post}_{[0,\tau]}(r) = \{\, r' \in Q_E \mid \exists \tau',\ 0 \le \tau' \le \tau, \text{ such that } r \xrightarrow{\tau'} r' \,\}$. The new operator π is then defined by:
$$\pi(R) = \mathrm{tPre}\big(\mathrm{Pre}_c(R),\ \mathrm{Pre}_u(R)\big). \tag{6.5}$$
The next lemmas indicate useful properties of the various operators.
Lemma 6.3.4.
1. Pre_c(R1 ∪ R2) = Pre_c(R1) ∪ Pre_c(R2),
2. Pre_u(R1 ∪ R2) = Pre_u(R1) ∪ Pre_u(R2),
3. tPre(R1 ∪ R2, S) = tPre(R1, S) ∪ tPre(R2, S),
4. tPre(R, S1 ∪ S2) = tPre(R, S1) ∩ tPre(R, S2).

Lemma 6.3.5.
1. If R ⊆ QE is upward closed, then π(R) = CPre(R).

¹³ As already mentioned, the notion of extended state where w models the credit differs from the notion of extended state (l, ν, ω) given by Definition 3.3.5; that is why we need to redefine time- and switch-transitions.
2. CPre*(Goal) = π*(Goal).

Proof. Consider the first statement of the lemma. Since π(R) ⊆ CPre(R), we only have to prove that CPre(R) ⊆ π(R). For the rest of this proof, we denote C(l)·τ + C(e) by ∆ and C(l)·τ′ + C(e′) by ∆′. Let (l, ν, w) ∈ CPre(R). By Definition 6.2.1, there exist a time τ ∈ R+ and a controlled transition e ∈ E such that
(i) there exists (l′, ν′, w′) ∈ R with $(l,\nu) \xrightarrow{\tau \cdot e} (l',\nu')$ and w ≥ w′ + ∆,
(ii) and for every τ′ with 0 ≤ τ′ ≤ τ, every uncontrolled transition e′ ∈ E and every (l′, ν′) such that $(l,\nu) \xrightarrow{\tau' \cdot e'} (l',\nu')$, there exists (l′, ν′, w′) ∈ R with w ≥ w′ + ∆′.
We first consider the transition $(l,\nu,w) \xrightarrow{\tau \cdot e} (l',\nu',w-\Delta)$ of case (i). Since (l′, ν′, w′) ∈ R, w − ∆ ≥ w′, and R is upward closed, it follows that (l′, ν′, w − ∆) ∈ R. Secondly, in case (ii), for all τ′ with 0 ≤ τ′ ≤ τ, all e′ ∈ E, and all extended states (l′, ν′, w − ∆′) such that $(l,\nu,w) \xrightarrow{\tau' \cdot e'} (l',\nu',w-\Delta')$, we can conclude that (l′, ν′, w − ∆′) ∈ R by a similar argument. Therefore, by definition of π, we have (l, ν, w) ∈ π(R). The second statement of the lemma follows from the first statement and Lemma 6.2.2.

We now study weighted timed games A with one clock x, such that C(l) ∈ {0, 1} for every location l. Let C be the largest constant used in the guards of A. As done in [AD94] for timed automata, we define an equivalence relation on QE in order to obtain a partition of this set.

Definition 6.3.6. Let (ν, w), (ν′, w′) ∈ (R+)². Then (ν, w) ∼ (ν′, w′) if the following conditions hold.
1. Either ⌊ν⌋ = ⌊ν′⌋, or ν, ν′ > C; and ⌊w⌋ = ⌊w′⌋;
2. For ν, ν′ ≤ C, fract(ν) = 0 iff fract(ν′) = 0; and fract(w) = 0 iff fract(w′) = 0;
3. For ν, ν′ ≤ C, fract(ν) + fract(w) ∼ 1 iff fract(ν′) + fract(w′) ∼ 1, with ∼ ∈ {<, =, >}.
Figure 6.14: The relation ∼. (Figure omitted: the plane with axes x and w.)

Figure 6.15: The partition P2. (Figure omitted: the plane with axes x and w.)
An example of the equivalence relation ∼, where C = 4, is given in Figure 6.14. We extend the relation ∼ to QE by defining (l, ν, w) ∼ (l′, ν′, w′) iff l = l′ and (ν, w) ∼ (ν′, w′). Let P be the partition of QE obtained with this relation. The partition P is stable under π, that is, given R ∈ P, π(R) is a union of equivalence classes of P. The reader can convince himself as follows. Let R ∈ P. Clearly, the sets Pre_c(R) and Pre_u(R) are unions of equivalence classes of P. Now, due to Lemma 6.3.4, it remains to check that given R, S ∈ P, the set tPre(R, S) is a union of equivalence classes, taking into account that C(l) ∈ {0, 1}. We summarize this result in the next lemma.

Lemma 6.3.7. P is stable under π.

By this lemma, the next corollary is straightforward, since Goal is a union of equivalence classes of P, and by Lemmas 6.2.2 and 6.3.5.

Corollary 6.3.8. The set CPre*(Goal) is a union of equivalence classes of P.

Given a state q of A, the optimum cost OptCost(q) is a non-negative integer. Even if the proposed partition P is infinite, we are able to prove that the computation of CPre*(Goal) terminates. We first define the set Up(P) of upward closed sets w.r.t. P:
$$\mathrm{Up}(\mathcal{P}) = \{\, R \mid R = \cup R_i,\ R_i \in \mathcal{P} \text{ and } R \text{ is upward closed} \,\}.$$

Lemma 6.3.9. The partially ordered set ⟨Up(P), ⊇⟩ is Artinian.¹⁴

¹⁴ Every decreasing chain is finite.
Proof. We first introduce some definitions concerning the equivalence classes of P. Given R ∈ P, we consider its projection Proj(R) = {(l, ν) | (l, ν, w) ∈ R}. The set Px = {Proj(R) | R ∈ P} is a finite set. Indeed Px is the set of regions¹⁵ of the underlying one-clock timed automaton. We call these regions x-regions and we denote the size of Px by K. Let Rx ∈ Px be an x-region. The tube of Rx, denoted by tube(Rx), is given by {(l, ν, w) | (l, ν) ∈ Rx, w ∈ R+}. The set up(Rx) associated with Rx is composed of the upward closed sets which are unions of equivalence classes of P included in tube(Rx), that is,
$$\mathrm{up}(R_x) = \{\, R \mid R = \cup R_i,\ R_i \in \mathcal{P},\ R \subseteq \mathrm{tube}(R_x) \text{ and } R \text{ is upward closed} \,\}.$$
With all these definitions, notice that each R ∈ Up(P) is a finite union of sets of $\bigcup_{R_x \in \mathcal{P}_x} \mathrm{up}(R_x)$.

We can now give the proof. The sets up(Rx) are totally ordered by ⊇. Moreover, we clearly have that ⟨up(Rx), ⊇⟩ is isomorphic to ⟨N, ≤⟩.¹⁶ We extend this total order to up(Rx) ∪ {∅}; this extension is isomorphic to ⟨N ∪ {∞}, ≤⟩. We conclude that ⟨Up(P), ⊇⟩ is isomorphic to ⟨(N ∪ {∞})^K, ≤⟩. Indeed, given R, R′ ∈ Up(P), we have R ⊇ R′ iff for all Rx ∈ Px, tube(Rx) ∩ R ⊇ tube(Rx) ∩ R′.

Corollary 6.3.10. CPre*(Goal) can be effectively computed.

Proof. We are going to prove that $\pi^*(\mathrm{Goal}) = \bigcup_{0 \le i \le k} \pi^i(\mathrm{Goal})$ for some k ≥ 0. First notice that if R ∈ Up(P), then π(R) ∈ Up(P) (see Lemma 6.3.7). When computing π*(Goal) we obtain the following decreasing chain in ⟨Up(P), ⊇⟩:
$$\mathrm{Goal} \subseteq \mathrm{Goal} \cup \pi(\mathrm{Goal}) \subseteq \mathrm{Goal} \cup \pi(\mathrm{Goal}) \cup \pi^2(\mathrm{Goal}) \subseteq \cdots$$
Hence, by Lemma 6.3.9, there exists k ∈ N such that
$$\pi^*(\mathrm{Goal}) = \bigcup_{0 \le i \le k} \pi^i(\mathrm{Goal}).$$

¹⁵ In the classical sense introduced in [AD94].
¹⁶ Enumerate the regions of the tube from low to high values of w.
193
6.4 — Discrete time The conclusion follows from Lemma 6.3.5. Looking at Remark 6.2.5, we get the next corollary.
Corollary 6.3.11. Let A be a weighted timed game with one clock such that C(l) ∈ {0, 1} for all locations l. Then Problems 6.1.12 and 6.1.13 can be solved.

Remark 6.3.12. The arguments given in this section easily extend to a cost function C(l) ∈ {0, d} for any location l, where d ≥ 1 is a fixed integer. The same approach holds, but with a partition P_d different from P. This partition is similar to P, except that we only need horizontal lines of the form w = d·n (with n ∈ N), and each anti-diagonal of the form x + w = c is removed and replaced by the lines of equation d·x + w = d·n (with n ∈ N). See Figure 6.15.

Remark 6.3.13. The approach proposed in this section to solve Problems 6.1.12 and 6.1.13 is no longer valid with two clocks. Indeed the example given in Figure 6.16 is a weighted timed game with two clocks x1 and x2 and an optimal cost of reaching L_F from (l0, 0, 0) equal to 1/2.

[Figure 6.16: A two-clock automaton with optimum cost 1/2. Diagram not reproduced; the labels recoverable from the original are the initial location l0, an edge labelled u with guard x1 ≤ 1 and reset x2 := 0, edges labelled a and b, the guards x1 = 1, x2 = 0 and x2 = 1, and location costs 0 and 1.]

6.4 Discrete time
In this section we briefly explain how to adapt the techniques of Subsection 6.3.3 in order to prove that both Problems 6.1.12 and 6.1.13 can be solved when considering weighted timed games on discrete time. Let us first notice that the definition of π, see (6.5), easily adapts to discrete time; moreover Lemma 6.3.4 and Lemma 6.3.5 remain valid. In this context, given A a (diagonal-free) weighted timed game, we define an equivalence relation on its set of extended states Q_E = N^{n+1}.

Definition 6.4.1. Let (ν, w), (ν′, w′) ∈ N^{n+1}. Then (ν, w) ∼_d (ν′, w′) if the following conditions hold.
1. ν ≈_t ν′ (where ≈_t is the clock equivalence of Definition 3.2.10);
2. w = w′.

As usual we extend the relation ∼_d to Q_E by defining (l, ν, w) ∼_d (l′, ν′, w′) iff l = l′ and (ν, w) ∼_d (ν′, w′). Let P_d be the partition of Q_E obtained with this relation. In this context, one can prove the following lemma.

Lemma 6.4.2. P_d is stable under π.

By adapting the proof of Lemma 6.3.9 we get that $\langle \mathrm{Up}(\mathcal{P}_d), \supseteq \rangle$ is Artinian. Indeed $\langle \mathrm{Up}(\mathcal{P}_d), \supseteq \rangle$ is isomorphic to $\langle (\mathbb{N} \cup \{\infty\})^{K_d}, \le \rangle$, where K_d is the finite number of (classical) regions induced by ≈_t on N^n. By Corollary 6.3.10, CPre*(Goal) can be effectively computed, and this leads naturally to the following result.

Corollary 6.4.3. Let A be a weighted timed game on discrete time. Then Problems 6.1.12 and 6.1.13 can be solved.
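The termination argument of Corollary 6.3.10, reused just above for P_d, rests on one observation: an upward closed union of classes is determined, tube by tube, by the lowest cost budget it contains, so a ⊆-increasing chain of such sets is a componentwise decreasing sequence in (N ∪ {∞})^K and must stabilise. The following Python script is an added example, not code from the thesis, and abstracts the x-region geometry away entirely: it keeps K abstract tubes, a constructed finite graph of controllable moves with environment-chosen outcomes (an assumption standing in for Pre_c, Pre_u and tPre), and a budget per tube. It shows the chain Goal ⊆ Goal ∪ π(Goal) ⊆ ... being computed until it stabilises, and why it cannot run forever.

```python
"""Termination of the CPre* iteration by the Artinian argument of Lemma 6.3.9.

Added example (not the thesis's own code).  Each of K abstract tubes stores the
lowest cost budget w from which the current upward closed set is entered, or
infinity if it is not entered at all: this is the encoding of <Up(P), ⊇> as
<(N ∪ {∞})^K, ≤> used in the proof.  The x-region geometry is replaced by a
constructed finite graph: for each tube, the controller's moves, and for each
move the outcomes (target tube, cost) the environment may pick.  `pi_step`
plays the role of the operator π on this abstraction; `cpre_star` iterates it.
"""
from math import inf
from typing import Dict, List, Tuple

Outcome = Tuple[int, int]       # (target tube, non-negative cost of the move)
Move = List[Outcome]            # the outcomes the environment may choose from
Game = Dict[int, List[Move]]    # tube -> controllable moves (each non-empty)


def pi_step(game: Game, thresholds: List[float]) -> List[float]:
    """One step from R (encoded by `thresholds`) to R ∪ π(R).  A tube enters
    with budget w if some move reaches R with total cost <= w whatever the
    environment chooses: min over moves of max over outcomes."""
    new = list(thresholds)
    for tube, moves in game.items():
        for move in moves:
            worst = max(thresholds[t] + c for t, c in move)
            new[tube] = min(new[tube], worst)
    return new


def cpre_star(game: Game, goal: List[float]) -> Tuple[List[float], int]:
    """Compute Goal ⊆ Goal ∪ π(Goal) ⊆ ... until the chain stabilises and
    return the fixpoint together with the number k of Corollary 6.3.10."""
    current, k = list(goal), 0
    while True:
        nxt = pi_step(game, current)
        # Decreasing in <Up(P), ⊇> means no threshold ever goes up ...
        assert all(b <= a for a, b in zip(current, nxt))
        if nxt == current:
            return current, k
        # ... and a strict step lowers some value of N ∪ {∞}.  Costs are
        # non-negative, so thresholds stay >= 0 and only finitely many strict
        # steps are possible: this is exactly the Artinian property.
        current, k = nxt, k + 1


def opt_cost(fixpoint: List[float], tube: int) -> float:
    """OptCost of a tube: the lowest budget from which Goal is guaranteed."""
    return fixpoint[tube]


# Constructed game (an assumption, not a region partition): tube 3 is Goal.
GAME: Game = {
    0: [[(1, 2)],            # a deterministic move to tube 1 costing 2
        [(2, 1), (3, 5)]],   # a move whose outcome the environment picks
    1: [[(3, 1)]],
    2: [[(0, 0)], [(3, 4)]],
    3: [],
}
GOAL: List[float] = [inf, inf, inf, 0]

if __name__ == "__main__":
    fp, k = cpre_star(GAME, GOAL)
    print(f"pi^*(Goal) reached after k = {k} strict steps: {fp}")
```

Running the script shows the chain stabilising after three strict steps, with tube 2 reaching Goal at budget 3 only once tube 0 has been added to the set. Had negative costs been allowed, the assertion in `cpre_star` would still hold but a threshold could decrease without bound and the loop would never stop, which is why the proof needs budgets to live in N ∪ {∞}.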
6.5 Using cost-optimal reachability
In this section, we propose an application of Theorem 4.2.25 in the context of optimal reachability timed games. From Theorem 6.3.1, we know that in general Problem 6.1.13 cannot be solved. In particular, given a weighted timed game A and a state q of A, we can neither determine the optimal cost OptCost(q) nor decide whether there exists an optimal winning strategy. However, as an application of Theorem 4.2.25, given a weighted timed game A and a strategy λ, we can compute the infimum (resp. supremum) cost obtained when considering executions of A_G played according to λ. This allows us to compare two given strategies on a weighted timed game.
A natural criterion to prefer one strategy to another could be to choose the strategy with the lower supremum cost. Let us illustrate how this works on the game A of Example 6.1.15.

Example 6.5.1. When looking at Figure 6.2, one can easily be convinced that a strategy on A only consists in choosing the elapse of time τ at location l0. The possible values for τ are in the interval [0, 2]. Hence there are three natural strategies to consider: λ_i, which imposes staying i time units in location l0, where i = 0, 1, 2. Considering the executions of A played according to λ_i is equivalent to considering the executions of the weighted timed automaton A_i depicted in Figure 6.17. Let us notice that the weighted timed automaton A_i no longer has to be considered as a timed game.

[Figure 6.17: The weighted timed automaton A_i. Diagram not reproduced; the labels recoverable from the original are: location l0 with cost rate 5; an edge with guard x = i and reset y := 0; location l1; edges guarded by y = 0; location l2 with cost rate 10 and invariant x ≤ 2; location l3 with cost rate 1 and invariant x ≤ 2; edges guarded by x = 2 with discrete costs 1 and 7; location l4.]

Following Theorem 4.2.25 one can compute the infimum cost InfCost (resp. supremum cost SupCost) among the runs ρ reaching location l4 from (l0, 0). The different cases are illustrated in Figure 6.18. The results are as follows.
• On A_0, InfCost = 9 and SupCost = 21;
• On A_1, InfCost = 13 and SupCost = 16;
• On A_2, InfCost = 11 and SupCost = 17.
Thus if the criterion to prefer one strategy to another is the lowest supremum cost, strategy λ_1 is here the preferred one.
[Figure 6.18: InfCost and SupCost for the strategies λ_i, i = 0, 1, 2. Plot not reproduced; horizontal axis: time, with the values 0, 1, 2; vertical axis: cost, with the values 9, 11, 13, 16, 17, 21.]
Let us now briefly explain how we can use Theorem 4.2.25 in general in order to compare strategies. Given a weighted timed game A_G and a strategy λ, the first step is to compute the weighted timed automaton which results from the weighted timed game constrained by the strategy. Let us call A_λ this automaton. The first question we have to ask is the following: “Is there an infinite run of A_λ that always avoids the winning locations?” If the answer is yes, the strategy λ has to be rejected, since it does not ensure reaching a winning location. Otherwise, if the answer is no, we directly apply Theorem 4.2.25 to the weighted timed automaton A_λ. This yields an upper bound SupCost and a lower bound InfCost on the cost obtained by the executions of A_G played according to λ. Therefore different strategies λ for a weighted timed game A_G can be compared by referring to these values SupCost and InfCost.
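Both Example 6.5.1 and the general procedure above are carried out by the following Python script, an added example that is not the thesis's own code. It assumes a reconstruction of A_i from the labels of Figure 6.17: l0 has cost rate 5 and is left when x = i (resetting y); from l1 the environment moves immediately (guard y = 0) to l2 (rate 10) or to l3 (rate 1), both with invariant x ≤ 2; l4 is reached when x = 2, paying a discrete cost of 1 from l2 and 7 from l3. The rate of l1 is assumed to be 0 (no time elapses there). Because every guard is an equality, the strategy's choice of i fixes all delays, and the script enumerates the runs of A_i, rejects an automaton that has a run avoiding the target forever, and otherwise returns InfCost and SupCost; the numbers it produces agree with the three cases listed in the example.

```python
"""Comparing strategies through the weighted timed automaton they induce.

Added example (not the thesis's own code).  The model is restricted to
equality guards and upper-bound invariants, which is all the reconstruction
of A_i (Figure 6.17) needs; see the lead-in for the assumed structure.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional, Tuple


@dataclass
class Edge:
    src: str
    dst: str
    guard: Dict[str, Fraction]         # clock -> value it must equal (x = c)
    resets: Tuple[str, ...] = ()
    cost: int = 0                      # discrete cost paid when the edge fires


@dataclass
class WTA:
    rate: Dict[str, int]                         # location -> cost per time unit
    invariant: Dict[str, Dict[str, Fraction]]    # location -> {clock: upper bound}
    edges: List[Edge]
    clocks: Tuple[str, ...] = ("x", "y")
    initial: str = "l0"


def required_delay(guard: Dict[str, Fraction],
                   val: Dict[str, Fraction]) -> Optional[Fraction]:
    """The unique delay d >= 0 with val[c] + d == guard[c] for every guarded
    clock, or None if the guard is unsatisfiable or pins no delay."""
    delays = {bound - val[c] for c, bound in guard.items()}
    if len(delays) != 1:
        return None
    d = delays.pop()
    return d if d >= 0 else None


def _collect(a: WTA, loc: str, val: Dict[str, Fraction], cost: Fraction,
             target: str, costs: List[Fraction], seen: frozenset) -> bool:
    """DFS over the runs; appends the cost of each run reaching `target`.
    Returns False as soon as a maximal run avoiding `target` is found (a
    loop, or a location with no enabled edge where time runs forever)."""
    if loc == target:
        costs.append(cost)
        return True
    key = (loc, tuple(sorted(val.items())))
    if key in seen:
        return False
    seen = seen | {key}
    progressed = False
    for e in a.edges:
        if e.src != loc:
            continue
        delay = required_delay(e.guard, val)
        if delay is None:
            continue
        after = {c: v + delay for c, v in val.items()}
        if any(after[c] > b for c, b in a.invariant.get(loc, {}).items()):
            continue                                  # delay leaves the invariant
        for r in e.resets:
            after[r] = Fraction(0)
        step_cost = cost + a.rate.get(loc, 0) * delay + e.cost
        if not _collect(a, e.dst, after, step_cost, target, costs, seen):
            return False
        progressed = True
    return progressed


def evaluate(a: WTA, target: str) -> Optional[Tuple[Fraction, Fraction]]:
    """(InfCost, SupCost) over the runs from the initial state that reach
    `target`, or None when some run avoids `target` forever, in which case
    the strategy that induced `a` must be rejected."""
    costs: List[Fraction] = []
    start = {c: Fraction(0) for c in a.clocks}
    if not _collect(a, a.initial, start, Fraction(0), target, costs, frozenset()):
        return None
    return min(costs), max(costs)


def automaton_A(i: int) -> WTA:
    """A_i: the game of Example 6.1.15 constrained by lambda_i (assumed layout)."""
    return WTA(
        rate={"l0": 5, "l1": 0, "l2": 10, "l3": 1, "l4": 0},
        invariant={"l2": {"x": Fraction(2)}, "l3": {"x": Fraction(2)}},
        edges=[
            Edge("l0", "l1", {"x": Fraction(i)}, resets=("y",)),
            Edge("l1", "l2", {"y": Fraction(0)}),
            Edge("l1", "l3", {"y": Fraction(0)}),
            Edge("l2", "l4", {"x": Fraction(2)}, cost=1),
            Edge("l3", "l4", {"x": Fraction(2)}, cost=7),
        ])


def compare_strategies(delays=(0, 1, 2)):
    """Evaluate lambda_i for each i and pick the accepted one with lowest SupCost."""
    results = {i: evaluate(automaton_A(i), "l4") for i in delays}
    accepted = {i: r for i, r in results.items() if r is not None}
    preferred = min(accepted, key=lambda i: accepted[i][1])
    return results, preferred


if __name__ == "__main__":
    results, best = compare_strategies()
    for i, (lo, hi) in results.items():
        print(f"A_{i}: InfCost = {lo}, SupCost = {hi}")
    print(f"preferred strategy: lambda_{best}")
```

The `evaluate` function implements the two steps of the procedure in order: the DFS answers the question about a run avoiding the winning location (a stuck location or a revisited configuration), and only then are the infimum and supremum taken. Rational delays are kept exact with `Fraction`, so the same code compares strategies with non-integer delays in l0 without rounding.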
Chapter 7
Conclusion and Future Work

Let us conclude Part I of this document, concerning weighted timed automata, by giving a brief summary of our results and some perspectives for future work.
Optimal Reachability

In Chapter 4 we settled the exact complexity of the cost-optimal reachability problem, for both discrete and dense time, by proving its PSpace-completeness, see also [BBBR06]. Our contributions compared with the related works are summarized in Figure 7.1.

Time     | Cost     | Opt. Reach.     | Related Ref.
Discrete | Z valued | PSpace-Complete |
Dense    | N valued | ExpTime         | [ALP01]
Dense    | N valued | Decidable       | [BFH+01]
Dense    | Z valued | PSpace-Complete |

Figure 7.1: Summary of the results concerning optimal reachability
One could investigate the complexity of the (implemented) algorithm proposed in [BFH+01] and study how the algorithm we proposed behaves when put into practice.
Model-Checking

In Chapter 5, motivated by the open problem proposed in [ACD93], we introduce the logic WCTL and study its model-checking. The results we obtained (in [BBR04, BBR06, BBM06]) are recalled in Figure 7.2.

Time     | Logic  | Clock | Stopw.          | Bisim.   | Mod.-Check.
Discrete | WCTL   | 1     | 3               | Infinite | Undecidable
Discrete | WCTL_r | any   | any (cost var.) | Finite   | Decidable
Dense    | WCTL   | 1     | 3               | Infinite | Undecidable
Dense    | WCTL_r | 1     | 1               | Finite   | Decidable
Dense    | WCTL_r | 1     | 2               | Infinite | ???
Dense    | WCTL_r | 2     | 1               | Infinite | ???
Dense    | WCTL_r | 3     | 1               | Infinite | Undecidable

Figure 7.2: Summary of the results concerning model-checking

Let us mention that in the recent paper [BLL+06], the authors prove that the model-checking of WCTL_r remains decidable when considering weighted timed automata with one clock and one cost variable (which is not necessarily a stopwatch). The cases of weighted timed automata with two clocks and one stopwatch, or one clock and two stopwatches, remain open. When looking at the proofs presented in Chapter 5, it is clear that the branching power of WCTL_r is essential in order to prove undecidability of the related model-checking problem. Thus it would be interesting to consider a linear version of WCTL_r. Another possible future work could be to study parametric extensions of WCTL_r in the discrete case, as has been done in [BDR03] for a parametric extension of TCTL.
Control

In Chapter 6 we study control problems on weighted timed games. Our results (from [BBR05, BBM06]) compared with the existing ones are summarized in Figure 7.3.

Time     | Clock | Hypothesis     | Control     | Related Ref.
Discrete | any   | none           | Decidable   |
Dense    | any   | k-bounded cost | Decidable   | [ABM04]
Dense    | any   | non-zenoness   | Decidable   | [BCFL04]
Dense    | 1     | C(l) = 0, d    | Decidable   |
Dense    | 1     | none           | Decidable   | [BLL+06]
Dense    | 2     | ???            | ???         | ???
Dense    | 3     | C(l) = 0, 1    | Undecidable |

Figure 7.3: Summary of the results concerning control

Again the case of weighted timed automata with two clocks remains open. Several other interesting problems are still to be considered. The idea of using the cost-optimal reachability problem in the game framework (see Section 6.5) should be investigated further. One could also consider other winning conditions...
Part II
Words, bisimulations and o-minimality
Chapter 8
Introduction

More and more real-life systems are automatically controlled. It is of capital importance to know whether the programs governing these systems are correct. In order to be able to manipulate these real-life systems, various mathematical models have been introduced (finite automata [MP43], Kripke structures [Kri65], Petri nets [Kos82], timed automata [AD94], hybrid systems [Hen96], ...), making the study of these abstract systems a wide and interesting domain of research. Unfortunately even the abstract systems are not always that easy to handle, the main problem being their infinite size. One way to solve this problem is to reduce these infinite systems to finite systems in such a way that enough information is preserved. It is known that bisimulations (see [Acz88, Cau95, Hen95]) are a “reduction” of particular interest since they preserve a lot of interesting properties (reachability problem, model-checking of branching logics, ... [HNSY94, ACH+95, AHLP00]; see also Section 1.8 of this document). That is why we focus our attention on systems admitting a finite bisimulation. Let us mention that this technique has been successfully applied several times in the literature. It has been used in [AD94] to prove the decidability of the reachability problem on timed automata and also to prove the decidability of the model-checking of TCTL, again on timed automata [ACD93]. In [BMRT04], in order to prove the existence of a finite bisimulation for an extended class of o-minimal hybrid systems¹, we encode the continuous dynamics through words (see also [BM05]). In those two papers we limit ourselves to the encoding of o-minimal dynamical systems (i.e. dynamical systems definable in an o-minimal structure [PS86]; see also [Dri98] for a nice overview of o-minimality). In particular we only had to manipulate finite words. Then in [Bri06b] we propose a systematic study of this encoding technique. In particular we give a symbolic procedure (Bisiω) that aims to build a bisimulation on a dynamical system through a partition. Our hope is that this systematic study will lead to the discovery of some new general classes of dynamical systems (through partitions) which admit finite bisimulations. Let us mention that some analogues of the word encoding technique already appeared in the literature (the notion of signature, for example, in [ASY01, Sch02]). Let us also notice that bisimulations of dynamical systems have been studied independently in [Sch04], but in a different framework: indeed the dynamical systems studied there are defined with differential equations, which is not our case (see Definition 9.1.1). Recently our word encoding technique was used by Korovina and Vorobjov in order to compute a doubly exponential bound on the size of the coarsest finite bisimulation of Pfaffian hybrid systems (see [KV04]). They later improved their results by reducing the bound to a single exponential and proved that this bound is tight (see [KV05]).

¹ Introduced in [LPS00].

In this document we have decided to present the results previously described in an order different from the chronological one. We hope this new presentation will help the reader to get a more global view of the results. The rest of this part is organized as follows. In Chapter 9 we define the notion of dynamical system in our context and illustrate its richness through several examples. We associate transition systems to dynamical systems and consider bisimulations on dynamical systems. Then in Chapter 10 we start by explaining how to associate a word with a trajectory in this general context; we also introduce several notions of dynamical types. The dynamical types will allow us to recover symbolically the continuous dynamics of the dynamical systems through pieces of a partition of the state space. These tools being formalized, we introduce a conceptual semi-algorithm called Procedure Bisiω in Chapter 11. We prove that this procedure computes a bisimulation when it terminates. In Chapter 12 we apply the previously introduced machinery (word encoding technique, dynamical types, Procedure Bisiω) to the particularly interesting case of o-minimal dynamical systems. In this context we discuss bisimulation finiteness results, effectiveness of the construction, (un)decidability and complexity issues. The study of o-minimal dynamical systems naturally extends to o-minimal hybrid systems; these are the subject of Section 12.6. We end this part with Chapter 13 by considering control of o-minimal hybrid systems. This last chapter is based on the recent paper [BBC06], where we discovered that the suffix dynamical type (introduced in Subsection 10.2.1) is of particular interest for questions related to the control of timed systems. In particular we obtain decidability of the control problem for o-minimal hybrid systems.
Chapter 9
Bisimulations of dynamical systems

In this chapter we first define what we mean by the words dynamical system in this document. We then associate transition systems to dynamical systems. We show that our dynamical systems, through the transition systems associated with them, naturally encompass the behaviour of several systems such as finite automata, timed automata, hybrid automata or two-counter machines. Finally we consider bisimulations on dynamical systems. Let M be a structure. In the sequel, when we say that some relation, subset or function is definable, we mean it is first-order definable (possibly with parameters) in the sense of the structure M. General references for first-order logic are [Sac72, CK73, Hod93, Hod97, Mar02].
9.1 Dynamical systems

In this section we define our notion of dynamical system.

Definition 9.1.1. A dynamical system is a pair (M, γ) where:
• M = ⟨M,