0, (1 ≤ v ≤ n − 1). Then we have n X
1.
Ai ≤ 0 ⇒
i=1 n X
2.
n X
αi Ai ≤ 0
i=1
Ai ≥ 0 ⇒
i=1
n X
βi Ai ≥ 0
i=1
Proof:
1. Assume that
n X
Ai ≤ 0. Let Λ =
i=1
n X
αi Ai = α1 A1 + α2 A2 + . . . + αn An . As α1 ≤ α2 and
i=1
A1 > 0 so Λ ≤ α2 A1 + α2 A2 + . . . + αn An = α2 (A1 + A2 ) + α3 A3 + . . . + αn An . Similarly, as α2 ≤ α3 and A1 + A2 > 0 so Λ ≤ α3 (A1 + A2 + A3 ) + α4 A4 + . . . + αn An , and so on. Finally, we have Λ ≤ αn (A1 + A2 + . . . + An ) ≤ 0.
2. Assume that
n X
Ai ≥ 0. Let Λ =
i=1 ≥ β2 A1
n X
βi Ai = β1 A1 + β2 A2 + . . . + βn An . As β1 i=1 + βn An = β2 (A1 + A2 ) + β3 A3 + . . . + βn An .
≥ β2 and
A1 > 0 so Λ + β2 A2 + . . . Similarly, as β2 ≥ β3 and A1 + A2 > 0 so Λ ≥ β3 (A1 + A2 + A3 ) + β4 A4 + . . . + βn An , and so on. Finally we have Λ ≥ βn (A1 + A2 + . . . + An ) ≥ 0.
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Discretisability of Linear Duration Invariants w.r.t. Timed Automata
9
2
Lemma 3 Let {ai }, {ti }, (i = 1..m) be two sequences of real numbers, where ti ≥ 0 for all i = 1, . . . , m. Then we can always find a real number ² ∈ [0, 1) such that m X i=1
ai ti ≤
m X
ai ti²
i=1
Proof: Let {f0 , f1 , f2 , . . . , fq } be a set of fractions of real numbers ti (i ∈ I = {1, 2, . . . , m}), such that 0 = f0 < f1 < f2 < . . . < fq < 1. Let Ik , (k = 0..q) be a set of indexes of ti ’s such that fraction X of ti equals to fk , that is Ik = {i ∈ I | δi = fk }, where δi stands for the fraction of ti . Let Ak = ai , (k = 0, 1, . . . , q). i∈Ik
Now let us partition the sequence {Ak }qk=1 into d + 1 successive segments {A1 , A2 , . . . , Ak1 }, {Ak1 +1 , Ak1 +2 , . . . , Ak2 }, . . . , {Akd−1 +1 , Akd−1 +2 , . . . , Akd }, {Akd +1 , Akd +2 , . . . , Aq } such that for each segment {Ai } (i = kj + 1..kj+1 ), the assumption on Ai ’s in Lemma 2 is satisfied. That is, the indexes k1 , k2 , . . . , kd are defined such that the sum of Ai ’s in each proper prefix of each segment is greater than 0 and the sum of all Ai ’s in each segment is less than or equal to 0. In general, the sum of all Ai ’s in the last segment (the (d + 1)th segment) is greater than 0. It is easily to see that the indexes k1 , k2 , . . . , kd can be found by the following procedure. i = 1; sum = 0; for (k = 1; k ≤ q; k++) { sum + = Ak ; if (sum ≤ 0){ki = k; sum = 0; i++; } } For simplicity, let p = kd . Let us consider the general case first, i.e. p (0 < p < q) divides sequence {Ak }qk=1 into two parts (none of them is empty). The first one consists of d segments, and the sum of Ai ’s of each segment is less than or equal to 0. The second one consists of rest Ai ’s (from Ap+1 to Aq ) and has the sum is a positive number. That is: ki+1
X
k=ki +1
Ak ≤ 0 (i = 0..d − 1), (ky convention k0 = 0) and
q X
Ak > 0
k=p+1
.
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Discretisability of Linear Duration Invariants w.r.t. Timed Automata
10
ki+1
By applying Lemma 2 for all i = 0..d − 1 we have
X
fk Ak ≤ 0. Hence,
k=ki +1 d−1 kX i+1 X
q X
fk Ak ≤ 0, and
i=0 k=ki +1
(1 − fk )Ak > 0. This implies −
k=p+1
p X
fk Ak =
k=1 p X
q X
fk Ak +
k=1
(1 − fk )Ak > 0.
k=p+1
For proving the lemma, let ² = fp , we have • ti² = bti c = ti − δi if δi ≤ ² = fp , i.e. if i ∈ I1 ∪ I2 ∪ . . . ∪ Ip , and • ti² = dti e = ti − δi + 1 if δi > ² = fp , i.e. if i ∈ Ip+1 ∪ Ip+2 ∪ . . . ∪ Iq Therefore, m X
ai ti² −
i=1
= −f1
X
m X i=1
ai − . . . − fp
= −
X
fk Ak +
k=1
X
ai + +(1 − fp+1 )
ai + . . . + (1 − fq )
i∈Ip+1
X
ai
i∈Iq
(1 − fk )Ak > 0.
k=p+1
For the rest cases, if p = 0, we can see easily that if p = q, we have
ai (1 − δi )
i∈Ip+1 ∪...∪Iq
i∈Ip q X
X
ai δi +
i∈I1 ∪...∪Ip
i∈I1 p X
X
ai ti = −
m X
ai ti² −
i=1
So, finally we have
m X i=1
m X
a i ti = −
i=1
ai ti² ≥
m X
q X
m X i=1
ai ti² −
m X
q X (1 − fk )Ak > 0, and ai ti =
i=1
k=1
fk Ak > 0.
k=1
ai ti for all cases. The proof is complete.
2
i=1
Lemma 4 Let σ = (s, t, [b, e]) ∈ M(A) be a DC model of timed automaton A. Let s = s0 , s1 , . . . ; t = t0 , t1 . . . and tu−1 < b ≤ tu , tv ≤ e < tv+1 . Then for all ² ∈ [0, 1), σ² = (s, t² , [b² , e² ]) is an integral model of A, i.e. σ² ∈ MI (A), where t² = t0² , t1² , . . . . Proof: To prove that σ² is also a DC model of A we have to prove that (s0 , t0² )(s1 , t1² ) . . . is a behaviour of A.
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Discretisability of Linear Duration Invariants w.r.t. Timed Automata
11
Figure 3: A case of discretising model σ
• Monotonicity of time: Let j ≥ i. As σ is a DC model of automaton A, we have tj ≥ ti . From Lemma 1, this implies tj² − ti² ≥ 0. • Progress of time: Let T be any integer. As σ is a behavior, it holds that ∃ti : ti ≥ T . This implies ti² ≥ T . • Consecutive Transitions: For all i > 0, we have to prove that ti² is a time point at which the automaton transits to si . In fact, due to the fact that σ is a model, at time point ti the automaton transits to si by some switch hsi−1 , ϕ, a, λ, si i. By induction, we can prove that hsi−1 , ϕ, a, λ, si i is also the switch A takes to transit to to si at time ti² in σ² . The proof is based on the following observation. Assume that ϕ consists of time constraints of the form a ≤ x ≤ b, and assume that tj is the time for the last reset of clock x before the automaton transits to state si in the model σ. Then, the value of x at time point ti is ti − tj in σ, and hence a ≤ ti − tj ≤ b. By Lemma 1, we also have a ≤ ti² − tj² ≤ b. Hence, by inductive hypothesis, tj² is also the time for the last reset of x in σ² , and the value of x at ti² is ti² − tj² which satisfies time constraint ϕ. 2 Of course, σ² is an integral behavior of A. Figure 3 illustrates digitising σ to σ² .
3.2
Discretisability of LDIs
Definition 6 Given a timed automaton A and a linear duration invariant D. D is said to be discretisable with respect to A if A |= D exactly when MI (A) |= D. Theorem 1 Any linear duration invariant D which has the premise A ≤ ` ≤ B in which A and B are integral, is discretisable with respect to timed automaton A (here we consider ∞ as an integer by our convention).
Proof: We have to prove that M(A) |= D ⇔ MI (A) |= D.
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Checking Linear Duration Invariants of Timed Automata with Graph Search
12
The “only if” part is obvious because MI (A) ⊆ M(A). The “if” part is proved as follows. Let σ ∈ M(A) such that σ 6|= D. We prove that there exists ² ∈ [0, 1) such that σ² 6|= D, where σ² is the digitisation of σ w.r.t. ². Assume that σ = (s, t, [b, e]) with s = s0 , s1 , . . . and t = t0 , t1 , . . .. Let indexes u and v be such that tu−1 < b ≤ tu , tv ≤ e < tv+1 . σ 6|= D implies that A ≤ e − b ≤ B and θ(σ) > M . By the definition of LDI, it follows from equation (2): θ(σ) =
v X
ai ti + csv e − csu−1 b > M
i=u
From Lemma 3, ∃² ∈ [0, 1) such that follows from A ≤ e − b ≤ B that A ≤ σ² is an integral DC model of A, and
v X
ai ti² + csv e² − csu−1 b² ≥ θ(σ) > M . By Lemma 1 it i=u e² − b² ≤PB (notice that A, B are integers). By Lemma 4 θ(σ² ) = vi=u ai ti² + csv e² − csu−1 b² . Hence, θ(σ² ) > M .
Thus, we have obtained an integral model σ² which does not satisfy D.
2
Now that the assumption that two integral bounds A and B in the premise of LDIs is not too restricted, and the result can be extended to the case that A and B are rationals using the well-known technique. From this theorem, from now on we will consider only the integral DC models of timed automaton A, i.e. models σ = (s, t, [b, e]) ∈ MI (A).
4
4.1
Checking Linear Duration Invariants of Timed Automata with Graph Search Integral Reachability Graph of Timed Automata
In this section, we present a technique for partitioning the space of clock interpretations into regions. This technique was proposed by Alur and Dill in [1] and has become well-known. The main idea of the technique is to group clock interpretations into regions such that all interpretations in one region satisfy the same set of clock constraints. Hence, the states of system are also grouped into equivalence classes which are also called regions. The number of regions is finite. We will build a reachability region graph with vertices being regions, and equip vertices and edges with weight defined from D and A. By exploring the graph we can decide the satisfaction of a LDI by the original timed automata. Let Kx be the largest constant compared with the clock x ∈ X in the time constraints and the invariants of A and let K = max {Kx | x ∈ X} + 1. An equivalence relation restricted into the
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Checking Linear Duration Invariants of Timed Automata with Graph Search
13
set of all integral clock interpretations of A is defined as follows.
Definition 7 Let ν1 , ν2 be two integer clock interpretations. We say that ν1 is equivalent to ν2 and denoted by ν1 ∼ = ν2 iff for all x ∈ X either ν1 (x) = ν2 (x) or ν1 (x) ≥ Kx +1 ∧ ν2 (x) ≥ Kx +1. It is obvious that ∼ = is an equivalence relation on the set of integer clock interpretations of A. The equivalence class containing ν is denoted by [ν] and is called integral clock region. Every clock region can be characterized by a set of simple clock constraints of the form x = c or x ≥ Kx + 1, where c ≤ Kx . For our convenience, we assume that the clocks are enumerated as X = b {x1 , x2 , . . . , xk }, and we represent a clock region by a tuple [c1 , c2 , . . . , ck ], where ci is either the integral number in the constraint xi = ci or the symbol 0 ∗0 if the constraint for xi is xi ≥ Ki + 1 for that region. That means, a clock region [c1 , c2 , . . . , ck ] represents the set of clock interpretations ν = (v1 , v2 , . . . , vk ), where vi = ci if ci 6= 0 ∗0 and vi ≥ Ki + 1 if ci = 0 ∗0 . For example, [2, 0, ∗, 1] expressed a region containing clock interpretations of the form (2, 0, a, 1), where a ≥ K3 + 1. Similarly, [1, ∗, ∗] = {ν = (1, a, b) | a ≥ K2 + 1 ∧ b ≥ K3 + 1}. It is easy to see that number of integral clock regions is bounded by (K + 1)k (recall that k is number of clocks). Let us denote π0 = [0, 0, . . . , 0], and πK = [∗, ∗, . . . , ∗], i.e. π0 is the clock region containing the clock interpretation that assigns all clock variables to 0, and a πK contains infinite number of clock interpretations that assigns each clock variable xi to a value greater than Ki . Given a clock region π = [c1 , c2 , . . . , ck ] and an integer d ≥ 0. We define: • π + d is a clock region [c01 , c02 , . . . , c0k ], where c0i = ci + d if ci 6= 0 ∗0 and ci + d ≤ Ki , otherwise c0i = 0 ∗0 , for all i = 1..k. • π[λ := 0] is a clock region [c01 , c02 , . . . , c0k ], where c0i = 0 if xi ∈ λ and otherwise c0i = ci . ∼ ν2 then ν1 + d ∼ Note that, if ν1 = = ν2 + d for all d ≥ 0 and ν1 [λ := 0] ∼ = ν2 [λ := 0], for all 0 of time constraints λ. Hence, we can easily prove that if ν = ν + d then [ν 0 ] = [ν] + d and if ν 0 = ν[λ := 0] then [ν 0 ] = [ν][λ := 0], thus if ν 0 = (ν + d)[λ := 0] then [ν 0 ] = ([ν] + d)[λ := 0]. Besides, if there exists d ≥ 0 such that π + d = πK then π + d0 = πK for all d0 ≥ d. Due to π + K = πK for all π so π + d = πK for all π and d ≥ K. i.e. πK + d = πK with any d ≥ 0. For example, assume that K1 = 4, K2 = 1, K3 = 7, π = [1, ∗, 3], then π + 4 = [∗, ∗, 7], π + 5 = π + 6 = . . . = [∗, ∗, ∗]. Due to K = 8, for any π, π + 8 = π + 9 = . . . = [∗, ∗, ∗]. With λ = {x2 , x3 } we have π[λ := 0] = [1, 0, 0]. A region π is said to satisfy the time constraints ϕ iff every clock interpretation in it satisfies ϕ and is denoted by π |= ϕ. By the definition of ∼ =, π |= ϕ iff there is ν ∈ π such that ν |= ϕ.
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Checking Linear Duration Invariants of Timed Automata with Graph Search
14
The equivalence relation ∼ = on the set of clock interpretations is extended to equivalence relation ≡ on the space of states of A as follows. Definition 8 Two states q1 = (s1 , ν1 ) and q2 = (s2 , ν2 ) of timed automaton A are regionequivalent (denoted by q1 ≡ q2 ) iff ν1 ∼ = ν2 and s1 = s2 . The equivalence relation ≡ partitions space of states of A into classes of states, each class is characterized by a couple of a location s and a clock region π and is denoted by hs, πi. We also call hs, πi a region. It is obvious that the number of regions is bounded by |L|(K + 1)k . Example 2 With timed automaton A in Figure 1, we have that the set of clock is X = {x, y}, and Kx = 8 and Ky = 10. Clock interpretations ν1 = (6, 11) and ν2 = (6, 15) are equivalent, and they are in the same region characterized by the tuple [6, ∗]. There are infinite number of elements in this region. Each element (a clock interpretation) is a tuple (6, a), where a ≥ Ky + 1 = 11. Hence, states (s0 , ν1 ) and (s0 , ν2 ) are equivalent, and their location is s0 . Given a region hs, πi and a switch e = hs, ϕ, a, λ, s0 i, we can calculate all of successor regions of hs, πi as follows. For each d = 0..K, if π + d |= (I(s) ∧ ϕ) and π 0 = (π + d)[λ := 0] |= I(s0 ) then d,a
hs0 , π 0 i will be successor of hs, πi and we denote this by hs, πi → hs0 , π 0 i. The property of equivalence relation ∼ = is translated into the following property for equivalence relation ≡, which says the correspondence between the integral behaviours of timed automaton A and the paths in the integral region graph of A: d,a
d,a
d,a
Lemma 5 If (s, ν) → (s0 , ν 0 ) then hs, [ν]i → hs0 , [ν 0 ]i, and reversely, if hs, πi → hs0 , π 0 i then for d,a
each ν ∈ π, there exists ν 0 ∈ π 0 such that (s, ν) → (s0 , ν 0 ). Based on the equivalence relation ≡, the integral reachability graph RG = (V, E) of the timed automaton A is built as follows. Each vertex v ∈ V is an region hs, πi. E is initialised to ∅, and V is initialised to {hs0 , π0 i}, where s0 is initial location of A and π0 is region with 0 as the value of all of clocks. Then, V is expanded as follows. If a vertex hs, πi ∈ V has a successor hs0 , π 0 i then hs0 , π 0 i is added into V and e = (hs, πi , hs0 , π 0 i) is an edge in E. Besides, each edge e is labelled by an interval [l(e), u(e)], where l(e) and u(e) are minimal and maximal integer time delay that automaton can stay at location s before transits into location s0 . l(e) and u(e) are defined as: n o d,a l(e) = inf d ≥ 0 | d ∈ N, hs, πi → hs0 , π 0 i , n o d,a u(e) = inf d ≥ 0 | d ∈ N, hs, πi → hs0 , π 0 i . From the definition of hs, πi and hs0 , π 0 i, either l(e) = u(e) or u(e) = ∞. We will denote a labeled edge e by (v, v 0 , [l, u]).
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Checking Linear Duration Invariants of Timed Automata with Graph Search
15
More precisely, graph RG can be built by the algorithm in Table 1.
Procedure Integral-Reachability-Graph; begin V := {hs0 , π0 i}; E := ∅; mark hs0 , π0 i as unexplored; while (true) do begin if all of vertexes in V are marked with “explored” then exit; let unexplored vertex v = hs, πi ∈ V; for each transition e = (s, ϕ, a, λ, s0 ) do for d = 0 to K do begin if (π + d) 6|= I(s) ∧ ϕ then goto loop; if (π + d)[λ := 0] 6|= I(s0 ) then goto loop; π 0 := (π + d)[λ := 0]; if hs0 , π 0 i 6∈ V then begin add hs0 , π 0 i into V; mark hs0 , π 0 i as unexplored end; if (hs, πi , hs0 , π 0 i) 6∈ E then begin add e = (hs, πi , hs0 , π 0 i) into E; if π + d 6= πK then l(e) := u(e) := d; else begin l(e) := d; u(e) := ∞; end; end; loop end; mark hs, πi as explored; end; end.
Table 1: Algorithm for building integral reachability graph of timed automata Figure 4 shows an integral reachability region graph of the timed automata in Figure 1. In this figure, labels of all of edges have lower bounds (l) equal to upper bounds (u), and hence, [l, u] in figure are replaced by l for short.
4.2
Relationship between Muv (A) ∩ MI (A) and Reachability Graph RG w.r.t. LDI D
As mentioned above, in this section we consider only integral models. The restriction of Muv (A) and M(A) on the integral DC models for A are Muv (A)I = b Muv (A) ∩ MI (A) and MI (A), respectively. Let RG be the reachability graph of A.
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Checking Linear Duration Invariants of Timed Automata with Graph Search
16
Figure 4: An integral reachability region graph of timed automaton
Definition 9 Let p = v1 v2 . . . vm be a path in RG, and let d = d1 , d2 , . . . , dm−1 be a sequence of integers, where di ∈ [l(vi , vi+1 ), u(vi , vi+1 )], for i = 1..m − 1. The sequence ℘ = v1 d1 v2 d2 . . . vm−1 dm−1 vm (written as ℘ = (p, d) for short) is called weighted interpretation of p.
Definition 10 Pm−1 • Let ℘ = (p, d) be a weighted interpretation of path p. We define l(℘) = b b i=1 di and θ(℘) = Pm−1 i=0 cvi di and call them length and cost of ℘ respectively, where cvi is the coefficient csi in formula D when si is the location of vi . • A weighted interpretation ℘ is said to satisfy D, denoted by ℘ |= D, iff A ≤ l(℘) ≤ B ⇒ θ(℘) ≤ M • The graph RG is said to satisfy LDI D and is denoted by RG |= D iff ℘ |= D for all weighted interpretations ℘ of RG.
The following lemma plays a key role for our checking technique. Lemma 6 For any DC model σ ∈ Muv (A)I , there exists a weighted interpretation ℘ of RG such that l(σ) = l(℘) and θ(σ) = θ(℘), and vice versa.
Proof:
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Checking Linear Duration Invariants of Timed Automata with Graph Search
17
• Let σ = (s, t, [tu , tv ]) ∈ Muv (A)I . Then, s = s0 . . . su . . . sv . . . , t = t0 . . . tu . . . tv . . . , v−1 X l(σ) = t − t = (ti+1 − ti ), v u i=u m v−1 X X θ(σ) = c (tj+1 − tj ). s i i=1 j=u sj =si
δu ,au
From the definition of model σ, σ corresponds to the sequence of transitions (su , νu ) → (su+1 , νu+1 )
δu+1 ,au+1
→
...
δv−1 ,av−1
→
(sv , νv ), where δi = ti+1 − ti , for all i = u..v − 1. δu+1 ,au+1
δu ,au
δv−1 ,av−1
By Lemma 5 we have: hsu , [νu ]i → hsu+1 , [νu+1 ]i → ... → hsv , [νv ]i. Consequently, the weighted interpretation ℘ = (p, d), where p = hsu , [νu ]i hsu+1 , [νu+1 ]i . . . hsv , [νv ]i and d = δ1 , δ2 , . . . , δv , satisfies the requirement of the lemma, i.e. l(℘) = l(σ), θ(℘) = θ(σ). • To prove the reverse direction, assume that ℘ = (p, d) is a weighted interpretation of RG, where p = vu vu+1 . . . vv , d is a sequence of integers du , du+1 . . . , dv , and vi = hs, πi i for i = u..v. Due to the fact that RG is a reachability graph of A, there exists sequence of δu+1 ,au+1
δu ,au
δv−1 ,av−1
switches ei (i = u..v − 1) such that hsu , πu i → hsu+1 , πu+1 i → ... → hsv , πv i. By Lemma 5 we can find model σ ∈ Muv (A), i.e sequence of clock interpretations νi ∈ πi δu ,au
such that (su , νu ) → (su+1 , νu+1 ) θ(σ) = θ(℘).
δu+1 ,au+1
→
...
δv−1 ,av−1
→
(sv , νv ). Hence, l(σ) = l(℘) and
2 This lemma allows us, instead of checking Muv (A) |= D, to check RG |= D which can be done by using popular searching techniques. Removing infinitive edges We now give some lemmas to simplify RG before doing search. Lemmas 7 and 8 say that the label [l, ∞) of an edge in RG either makes RG not satisfy D or can be replaced by a finite label [l, u] without any change to the result of checking RG |= D. Recall that the premise of LDI D is A ≤ ` ≤ B. Lemma 7 Assume that e = ((v, v0 ), [l, ∞)) is an infinite edge of region graph RG. Then if B = ∞ and cv > 0 then RG 6|= D. Proof: Let ℘ = (p, d) be a weighted interpretation where p contains only the edge e = ((v, v0 ), [l, ∞)), and d = max {A, d(M + 1)/cv e}. Therefore, we have l(℘) = d and θ(℘) = cv d. By the definition of d, we have A ≤ l(℘) < ∞ and θ(℘) ≥ M + 1 > M , i.e ℘ 6|= D, which implies RG 6|= D. 2
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Checking Linear Duration Invariants of Timed Automata with Graph Search
18
Lemma 8 Assume that e = ((v, v0 , [l, ∞)) is an infinite edge of RG. Then label [l, ∞) can be replaced as follows without any change to the result of checking RG |= D. • If B = ∞ and cv < 0, replace [l, ∞) by [l, u] with u = max{l, A}. • If B < ∞, replace [l, ∞) by [l, u] with u = max{l, B}.
Proof: We only have to prove that if there exists a weighted interpretation ℘ of RG such that ℘ contains edge (v, v0 , [l, ∞)) with weight d ∈ [l, ∞) and ℘ 6|= D then we can construct a weighted interpretation ℘0 such that it contains edge (v, v0 , [l, u]) with weight d0 ∈ [l, u] and ℘0 6|= D. It follows from ℘ 6|= D that A ≤ l(℘) ≤ B and θ(℘) > M . • When B < ∞, from A ≤ l(℘) ≤ B it follows d ≤ B, i.e. l ≤ d ≤ u. Thus, take ℘0 = ℘. • If B = ∞ and cv < 0 then u = max{l, A} ≥ A. If d ≤ u then take ℘0 = ℘. If d > u, let d0 = u, and let ℘0 be ℘ with d being replaced by d0 . We have d0 ∈ [l, u] and from d0 ≥ A we have A ≤ l(℘0 ) < ∞. Besides, because θ(℘0 ) = θ(℘) − cv (d − d0 ) with cv < 0 and d > d0 , θ(℘0 ) > θ(℘) > M holds. Hence ℘0 6|= D.
2 In summary, for checking Muv (A) |= D, we can apply the above lemmas first and either we discover Muv (A) 6|= D early or we can convert the infinite edges of RG into finite ones. From now on, we assume that RG does not contain infinitive edges.
4.3
Weighted Graph for Checking LDI
Similarly to checking LDP, we can also construct a weighted graph G from reachability graph RG (not containing infinitive edges) such that RG |= D if and only if G |= D. Weighted graph G = (V, E, ω) is constructed from RG = (VR , ER ) by the following procedure: Step 1. V := VR , E := ER . Step 2. For each edge e = ((vi , vj ), [lij , uij ]) ∈ ER , n o 1 , v2 , . . . , vuij −1 and ω(vk ) := c for all k = 0..u − 1 (where v0 = v and 1. V := V ∪ vij vi ij i ij ij ij ij u
vijij = vj ),
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Checking Linear Duration Invariants of Timed Automata with Graph Search
19
Figure 5: ”Discretising” graph of region graph.
2. E := E \ {e}, n o k+1 k k , vk+1 ) := 1 for all k = 0..u − 1, 3. E := E ∪ (vij , vij ) | k = 0..uij − 1 , and ω(vij ij ij n o k , v ) | k = l ..u − 1 , and ω(vk , v ) := 0 for all k = l ..u − 1. 4. E := E ∪ (vij j ij ij ij ij ij j Roughly speaking, G is built by ”splitting” each edge e = (v, v0 , [l, u]) of RG into u small edges with the length (weight) 1 by adding u − 1 sub-vertices. All of these sub-vertices and v are assigned a weight as the coefficient cs in LDI, where s is location of vertex v (s ∈ v). On the other hand, from sub-vertices vl to vu−1 there are edges joining these sub-vertexes to v0 of the edge e with length 0. Hence, from v we can reach v0 of the edge e through path passing through only sub-vertexes in G with the integer lengths between l and u. For the simplicity of presentation we call vertices v and v0 of edge e mother vertices and call the sub-vertexes in e child vertices. Besides, all the paths joining v and v0 that go through only child vertices of e (in RG) are also called paths belongs to e. Figure 5 gives an example how to build graph G from simple graph G0 with 2 edges. In order to make use of G, we have to show that G is compatible to RG w.r.t checking LDI. First, we define length, cost and satisfaction of a path p in G w.r.t LDI D.
Definition 11 Let p = v1 v2 . . . vm be a path in G. The length l(p) and the cost θ(p) of p are defined as m−1 m−1 X X l(p) = b ω(vi , vi+1 ), θ(p) = b ω(vi )ω(vi , vi+1 ). i=1
i=1
A path p satisfies D iff A ≤ l(p) ≤ B ⇒ θ(p) ≤ M . Lemma 9 Each integral weighted interpretation ℘ = (p, d) of RG corresponds to a path p0 in G such that l(℘) = l(p0 ), θ(℘) = θ(p0 ), and reversely, each path p0 in G corresponds to an integral weighted interpretation ℘ = (p, d) of RG such that l(℘) = l(p0 ), θ(℘) = θ(p0 ).
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Checking Linear Duration Invariants of Timed Automata with Graph Search
20
Proof: It is obvious from the definition of G that for each edge (vi , vj , [l, u]) of RG and an integer 1 . . . vd v of G such that l(p) = d, θ(p) = c d and vice-versa. d ∈ [l, u] there exists a path p = vi vij vi ij j Hence, the lemma is correct. 2 From Lemma 9 we can conclude that if there exists an integral model σ ∈ Muv (A) not satisfying LDI D then there exists a path that joins mother vertexes of G and does not satisfy LDI and reversely. A similar result for any integral model of A and any path (joining two child vertexes) of G is formulated by following lemma. Lemma 10 Given timed automaton A, a LDI D and weighted graph G as above. Then if there exists a path p ∈ P(G) such that p 6|= LDI then there exists an integral model σ ∈ MI (A) such that σ 6|= LDI and vice-versa. Proof: Assume that there exists a path p ∈ P(G) (from child vertex x to child vertex y) and p 6|= LDI. Let vu and vv be the mother vertexes that respectively appear first and last in p. In general a path p is of the form p1 p2 p3 where p1 is a path consisting of child vertexes joining x to vu and belongs to edge (vu−1 , vu ) in G, p2 is a path from vu to vv and p3 is a path joining vv to y and belongs to edge (vv , vv+1 ) in G (see figure 6). From Lemmas 5 and 9 for p2 there exists integral model σ 0 = (s, t, [tu , tv ]) ∈ MI (A), such that l(σ 0 ) = l(p2 ) and θ(σ 0 ) = θ(p2 ). Integral model σ = (s, t, [b, e]) is obtained from σ 0 by extending observation bounds tu , tv to b = tu −l(p1 ) and e = tv +l(p3 ), we have l(σ) = e−b = tv −tu +l(p1 )+l(p3 ) = l(p1 )+l(p2 )+l(p3 ) = l(p). Similarly, we can prove that θ(σ) = (tu −b)csu−1 +θ(σ 0 )+(e−tv )csv = θ(p1 )+θ(p2 )+θ(p3 ) = θ(p). Hence if p 6|= LDI then we have σ 6|= LDI. Reversely, let σ = (s, t, [b, e]) ∈ MI (A) be a integral model that does not satisfy LDI. So, σ expresses the observation interval from time point b to e of sequences of time-stamped locations (s0 , t0 ), (s1 , t1 ) . . ., where δi = ti+1 − ti , i ≥ 0 is time duration automaton stays at si before transits to si+1 . Moreover, there exist indexes u, v such that tu−1 < b ≤ tu and tv ≤ e < tv+1 . Let σ 0 be integral model (s, t, [tu , tv ]) (see figure 6). By the definition of l(σ) and θ(σ), from the assumption σ 6|= D, we have ½
A ≤ (tu − b) + l(σ 0 ) + (e − tv ) ≤ B csu−1 (tu − b) + θ(σ 0 ) + csv (e − tv ) > M
(3)
The above constraints are equivalent to ½
A − (tu − b) − (e − tv ) ≤ l(σ 0 ) ≤ B − (tu − b) − (e − tv ) θ(σ 0 ) > M − csu−1 (tu − b) − csv (e − tv )
(4)
By Lemmas 5 and 9, there exists a weighted interpretation ℘ = vu du vu+1 du+1 . . . dv−1 vv in G, where vi 3 si , di ∈ N (i = u..v − 1) such that:
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Checking Linear Duration Invariants of Timed Automata with Graph Search
21
Figure 6: A path in weighted graph G.
½
A − (tu − b) − (e − tv ) ≤ l(℘) ≤ B − (tu − b) − (e − tv ) θ(℘) ≥ θ(σ 0 ) > M − csu−1 (tu − b) − csv (e − tv )
(5)
By Lemma 9 there exists a path in G corresponding to ℘, i.e there exists path p2 joins vu and vv such that l(p2 ) = l(℘), θ(p2 ) = θ(℘). Hence: ½
A − (tu − b) − (e − tv ) ≤ l(p2 ) ≤ B − (tu − b) − (e − tv ) θ(p2 ) > M − csu−1 (tu − b) − csv (e − tv )
(6)
From the sequence of locations s in model σ we can easily prove that there exist edge (vu−1 , vu ) and (vv , vv+1 ) in RG (vu−1 3 su−1 , vv+1 3 sv+1 ). Let path p1 belongs to edge (vu−1 , vu ) joining to vu and have the length tu − b, and let p3 belongs to edge (vv , vv+1 ) from vv and have the length e − tv in G. The remaining that we have to prove is the existence of p1 , p3 . In fact, p1 , p3 are sequence of tu − b + e − tv edges with length 1. We have tu − b ≤ tu − tu−1 ≤ uu−1 and similarly e − tv ≤ tv+1 − tv ≤ uv , where uu−1 and uv are upper bounds of edges (vu−1 , vu ) and (vv , vv+1 ) respectively. Hence, from the construction of G, both p1 and p3 exist. In summary, we have l(p) = l(p1 ) + l(p2 ) + l(p3 ) and θ(p) = θ(p1 ) + θ(p2 ) + θ(p3 ). It easily to see l(p1 ) = tu − b, θ(p1 ) = csu−1 (tu − b), l(p3 ) = e − tv and θ(p3 ) = csv (e − tv ). Combining with equalities in 6 we have A ≤ l(p) ≤ B and θ(p) > M , i.e. p 6|= D. 2 Theorem 2 Checking the satisfaction of LDI D by timed automaton A is equivalent to checking the satisfaction of LDI D by the set of paths P(G). That is, A |= D if and only if P(G) |= D. This theorem follows immediately Lemma 10 and the discretisability of LDI w.r.t timed automata A.
4.4
Algorithm for Checking LDI
In this section we present the idea an algorithm for checking A |= D based on traversing the weighted graph G. The algorithm uses procedure Traverse(vstart) and procedure Checking-
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
Conclusion
22
LDI. The procedure Traverse(vstart) explores every path starting from fixed vertex vstart to see if it satisfies D, and the procedure Checking-LDI calls procedure Traverse(vstart) for all vertices vstart ∈ V for deciding satisfaction of D by A. The procedure Traverse(vstart) uses back tracking technique to explore the graph. Starting from vertex vstart of G, the procedure constructs the current path p (l(p) and θ(p) = 0 initialised to 0) while going along out-going edges to their destination vertexes at which l(p) and θ(p) are re-calculated and A ≤ l(p) ≤ B ⇒ θ(p) < M is verified. The procedure goes back when the current path p cannot be expanded (see the next paragraph how a path can be expanded) or the length of current path exceeds B, and terminates when either A ≤ l(p) ≤ B ⇒ θ(p) < M is violated or it goes back to the starting vertex vstart with no more out-going edge to go. The current path p cannot be expanded when there is no new out-going edge to go when the number of repetitions of cycles has reached the limit. This applies only when B = ∞. When a positive cycle is discovered, i.e. a cycle p0 (which is a sub-path of p) with θ(p0 ) > 0, the procedure returns A 6|= D. When there is no positive cycle in p, p cannot be expanded when the number of cycle repetitions has reached k = d A−c 4c e, where c is the length of the shortest cycles in p. Any more repetition of a cycle will make θ(p) smaller. So, there is no need to check with expansion of p by more repetitions of cycles. So, either there is a positive cycle in G, or eventually, either p will become not expandable, or l(p) > B will be reached for a path p starting from vstart. So, the procedure Traverse(vstart) will terminate eventually. The detailed technical construction of the algorithm can be worked out easily, and is omitted here.
5
Conclusion
Exploring reachability graphs is one of popular methods for checking reachability property and some properties concerning time instants of real time systems. However, paths in the reachability graph do not preserve time durations of system locations, and hence, cannot be used for checking duration properties. By equipping edges of reachability graphs with the minimal and maximal bounds of state transitions, we are able to use this technique for checking duration properties. We have proposed an algorithm for checking LDI of timed automata using this technique. our algorithm has the same time-complexity as the algorithm presented in [11]. In this paper we have proved the discretisability of LDI, and proposed an algorithm based on this result to check if a timed automaton satisfies a IDI in the general semantics. Although the complexity of this algorithm is high, it can serve, at least, for showing that checking LDI of time automata is decidable. We do believe that checking is feasible for some specific LDI and abstract timed automata.
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
References
23
References [1] R. Alur and D.L. Dill. A Theory of Timed Automata. Theoretical Computer Science, pp. 183–235, 1994. [2] R. Alur. Timed Automata. Proceedings of 11th International Conference on ComputerAided Verification, LNCS 1633, pp. 8–22, Springer-Verlag, 1999. [3] Victor A. Braberman and Dang Van Hung. On Checking Timed Automata for Linear Duration Invariants. Technical Report 135, UNU/IIST, P.O.Box 3058, Macau, February 1998. Proceedings of the 19th Real-Time Systems Symposium RTSS’98, December 2–4, 1998, Madrid, Spain, IEEE Computer Society Press 1998, pp. 264–273. [4] E. Clarke, O. Grumberg, and D. Peled. Model Checking. The MIT Press, Cambridge, Massachusetts, 1999. [5] Y. Kesten, A. Pnueli, J Sifakis, and S. Yovine. Integration Graphs: A Class of Decidable Hybrid Systems. In Hybrid Systems, volume 736 of Lecture Notes in Computer Science, pages 179–208. Springer Verlag, 1994. [6] Thomas A. Henzinger, Zohar Manna and Amir Pneuli. Towards Refining Temporal Specifications into Hybrid Systems, Hybrid Systems I, LNCS 736,Springer-Verlag, 1993. [7] Li Xuan Dong and Dang Van Hung. Checking Linear Duration Invariants by Linear Programming. Research Report 70, UNU/IIST, P.O.Box 3058, Macau, May 1996. Published in Joxan Jaffar and Roland H. C. Yap (Eds.), Concurrency and Parallelism, Programming, Networking, and Security LNCS 1179, Springer-Verlag, Dec 1996, pp. 321–332. [8] Li Yong and Dang Van Hung. Checking Temporal Duration Properties of Timed Automata. Technical Report 214, UNU/IIST, P.O.Box 3058, Macau, October 2001. Published in Journal of Computer Science and Technology, Vol. 17, No. 6, Nov. 2002. pp. 689 – 698. [9] Pham Hong Thai and Dang Van Hung. Checking a Regular Class of Duration Calculus models for Linear Duration Invariants. Technical Report 118, UNU/IIST, P.O.Box 3058, Macau, July 1997. Proceedings of the International Symposium on Software Engineering for Parallel and Distributed Systems (PDSE’98), Kyoto, Japan, 20 – 21, April 1998. Bernd Kramer, Naoshi Uchihira, Peter Croll and Stefano Russo (Eds). IEEE Press 1998, pp. 61 – 71. [10] S. Tripakis, S. Yovine. Analysis of timed systems based on time-abstracting bisimulations. Formal Methods in System Design, 18, 25–68, 2001. Kluwer Academic Publishers, Boston. [11] Zhao Jianhua and Dang Van Hung. Checking Timed Automata for Some Discretisable Duration Properties. Technical Report 145, UNU/IIST, P.O.Box 3058, Macau, August 1998. Published in Journal of Computer Science and Technology, Volume 15, Number 5, September 2000, pp. 423–429. [12] Zhou Chaochen , C.A.R. Hoare, and Anders P. Ravn. A calculus of durations. Information Processing Letters, 40(5):269–276, 1991.
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
References
24
[13] Zhou Chaochen, Zhang Jingzhong, Yang Lu, and Li Xiaoshan. Linear Duration Invariants. Research Report 11, UNU/IIST, P.O.Box 3058, Macau, July 1993. Published in: Formal Techniques in Real-Time and Fault-Tolerant systems, LNCS 863, 1994. [14] Zhou Chaochen and Hansen M. R., Duration Calculus. A Formal Approach to Real-Time Systems, Springer, 2004.
Report No. 306, June 2004
UNU-IIST, P.O. Box 3058, Macau
