ALUR–DILL AUTOMATA-THEORETIC APPROACH |
193 |
slow
Precondition: s.status = slowing
Effect:
s .status = slow
s .latest(slow) = ∞
stop
Precondition:
s.status = stopping
Effect:
s .status = stop
s .latest(stop) = ∞
7.1.6 Proving Time Bounds with Simulations
By including lower and upper time bounds on classes of the specification automaton, the Larch Prover [Garland and Guttag, 1991] has been used to perform simple simulation proofs for verifying timing properties of real-time and distributed systems.
7.2 ALUR–DILL AUTOMATA-THEORETIC APPROACH
To verify that an implementation of a system satisfies the specification of the system, we first represent or encode the specification as a Buchi automaton AS and the implementation as a Buchi automaton AI . Then we check that the implementation meets the specification iff L(AI ) L(AS ), or check for the emptiness of L(AI )∩ L(AS )C ; that is, the intersection of the languages accepted by the implementation and the languages accepted by the complement of the specification (negation of the specification) is empty.
Alur and Dill extend timed automata with a finite set of real-valued clocks to express timing constraints on non-clock variables. Clocks are like timers (or stopwatches) and thus can be reset (set to time 0). Clock values increase uniformly with time; that is, at any instant the value of a clock is equal to the time elapsed since the last time it was reset. Each transition in a timed automaton is labeled, in addition to the input symbol, with either a clock value assignment or a clock constraint. A transition with a clock constraint is enabled only if the current values of the clocks satisfy this timing constraint. We begin the discussion by reviewing untimed traces and then extend these to timed traces.
7.2.1 Untimed Traces
A trace is a linear sequence of the observable events of a process. In general, each process has a set of observable events and the behavior of this process can be modeled by the set of its traces. For example, a traffic light turning green is an event in a traffic
194 VERIFICATION USING TIMED AUTOMATA
light system, as is the opening of a valve in a fuel system. A trace is a linear sequence of sets of events in the Alur–Dill model. A trace and a process are defined formally as follows.
Untimed Trace: Given a set E of events, an untimed trace or simply a trace ρ = ρ1ρ2ρ3 · · · is an infinite word over the set of nonempty subsets of E.
A word is also known as a string in descriptions of automata and languages (chapter 2).
Untimed Process: An untimed process is a pair (E, S) where E is the set of the observable events of the process and S is the set of the possible traces of the process.
Example. Consider a traffic semaphore with three light signals. Initially the green light is on. Next, the green light turns off and then the yellow light turns on. Next, the yellow light turns off and then the red light turns on. Next, the red light turns off and then the green light turns on. This sequence is repeated infinitely often. By treating green, yellow, and red as events, the only possible trace is:
ρ P = {green}, {yellow}, {red}, {green}, {yellow}, {red}, . . . .
Keeping the notations simple by removing the set symbols, { }, this infinite sequence is denoted as
green yellow red green yellow red · · · = (green yellow red)ω.
Process P is denoted by ({green,yellow,red}, (green yellow red)ω).
Operations on processes exist that allow the definitions of complex processes by combining simpler processes. These operations include projection and parallel composition.
7.2.2 Timed Traces
In the Alur–Dill model, a real-valued time is associated with each symbol in a word to form a timed word.
Time Sequence: A time sequence τ = τ1, τ2, τ3 . . . , where τi is a positive real number, is an infinite sequence of time values such that (1) the sequence increases strictly monotonically and (2) for every real number, there is a τ j with a larger value.
Note that condition 2 prevents an infinite number of events to occur within a finite period of time.
ALUR–DILL AUTOMATA-THEORETIC APPROACH |
195 |
Timed Word: A timed word over an alphabet is a pair (ρ, τ ) where ρ is an infinite word and τ is a time sequence.
Timed Language: A timed language over an alphabet is a set of timed words over .
Using these definitions, if each symbol ρi denotes the occurrence of an event, the corresponding time value τi indicates the time of occurrence of this event.
Example. A timed language: Given an alphabet with two events, {ok, timeout}, define a timed language L consisting of all timed words (ρ, τ ) such that there is no ok after time 10.5; that is, the event timeout definitely becomes true at time 10.5 but may be true earlier. Formally, the language is:
L = {(ρ, τ ) | i((τi > 10.5) → (ρi = timeout))}.
This concept of a time value associated to an event occurrence is similar to the time value given by the occurrence function in real-time logic (chapter 6) and the chronos variable in time ER nets (chapter 8). An occurrence function assigns a time to the occurrence of an instance of an event. A variable chronos assigns a timestamp to the production of a token in a Petri net.
The following Untime operation is a projection of a timed trace (ρ, τ) on the first component, the sequence of event occurrences ρ. This operation effectively deletes the time values corresponding to the event occurrence symbols and is useful when we do not need the absolute time values.
Untime Operation: Given a timed language L over an alphabet , Untime(L) is the ω-language with words ρ such that (ρ, τ) L for some time sequence τ.
Example. We apply the Untime operation to the above language L:
Untime(L) = ω-language with words containing only finitely many oks.
Timed Trace: A time trace over a set E of events is a pair (ρ, τ) where ρ is a (untimed) trace over the set E and τ is a time sequence.
Timed Process: A timed process is a pair (E, L) where E is a (finite) set of events and L is a set of timed traces over the set E.
Example. A timed process: Consider the climate control system example shown in Figure 2.13 (chapter 2). To simply this example, we focus on the events in the heater section. Assume that the initial instances of the events occur at fixed times and that subsequent instances of the corresponding events occur at fixed time intervals. The event turn on heater happens 10 s after the event cold occurs, followed by the
196 VERIFICATION USING TIMED AUTOMATA
event comfort 5 s later, followed by the event turn off heater 5 s later, followed by the event cold 30 s later. Suppose the event cold first occurs at time 0. This process is represented by a timed process:
PT = ({cold,turn on heater,comfort,turn off heater}, {ρP })
and it has a single time trace
ρP = (cold, 0), (turn on heater, 10), (comfort, 15), (turn off heater, 20),
(cold, 50), (turn on heater, 60), (comfort, 65), (turn off heater, 70),
(cold, 100) . . .
Again, the Untime operation can be used to delete the time values corresponding to events.
Untime Operation for a Process: Given a timed process P = (E, L), Untime
[(E, L)] is the untimed process where E is the event set and the trace set with traces ρ such that for some sequence ρ, (ρ, τ ) L.
Example. Automaton α1: Consider again the example of the automatic air conditioning and heating system (Figure 2.13) in chapter 2, which specifies the operations of a climate control system according to changes to a room temperature. The automaton representing this system can only specify relative ordering of the events but cannot specify when these events should occur. Hence, it cannot be used to verify a timing-dependent climate control system. Now we introduce timing constraints to the transitions of this automaton, yielding the timed automaton shown in Figure 7.1.
Two clocks (clock variables) are present in the transition table, c1 and c2. Suppose the automaton starts in state s0 and reads the input symbol cold, then it takes the transition (indicating that the room temperature falls below 68◦F) and moves to state s4. The clock c1 is reset (set to 0 by the assignment c1 := 0) along this transition. In
|
on |
heater |
|
|
|
10)? |
|
|
_ |
|
|
_ |
< |
|
|
turn |
|
|
|
(c |
1 |
|
|
S5 |
|
|
|
1comfort |
|||
c |
|
|
|
:= |
|
|
|
|
0 |
|
|
S4 |
|
|
|
|
|
|
|
|
S1 |
|
|
|
|
|
cold |
|
|
|
|
|
turn |
|
|
||
|
|
|
|
|
|
|
|
on |
|
|||
|
c |
|
|
|
|
|
0 |
|
_ |
|
|
|
|
|
|
hot |
|
2 |
|
_ |
|
||||
|
|
|
|
|
|
ac |
||||||
|
|
:= |
|
|
|
:= |
|
|
|
|
|
|
|
1 |
|
|
|
|
|
|
< |
|
|
||
|
|
|
0 |
|
c |
2 |
|
|
5)? |
|
||
|
|
|
|
|
|
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
S0 |
|
|
|
|
|
|
|
S2 |
|
|
|
heater |
turn |
|
|
comfort:= |
|
||||
|
off |
|
2)? |
< |
|
|
|
|||||
|
|
|
|
|
|
_ |
|
|
|
|
|
|
|
|
_ |
|
(c |
off |
|
|
|
|
0 |
||
_ |
|
|
|
2 |
|
_ |
|
|
|
|
||
|
< |
|
|
|
ac |
|
c 2 |
|
||||
turn |
|
|
|
|
2)? |
|
|
|
||||
|
(c |
1 |
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
||||
S6 |
|
|
|
|
|
|
|
S3 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
Figure 7.1 Automaton α1 for automatic air conditioning and heating system.
ALUR–DILL AUTOMATA-THEORETIC APPROACH |
197 |
state s4, clock c1 shows the time passed since the reading of the input symbol cold (the occurrence of the event cold).
The automaton can move from state s4 to state s5 only if this clock value is less than 10 (seconds). In other words, this transition is enabled only if c1 is less than 10 (indicated by (c1 < 10)? along the transition). This timing constraint can be considered as the maximum delay for the turn on heater event to happen after detecting the cold event. This is the same as saying the deadline for the occurrence of the turn on heater event is less than 10 since the cold event is detected.
In state s5, if the automaton reads the input symbol comfort, then it takes the transition (indicating that the room temperature is at least 68◦F) and moves to state s6. The clock c1 is again reset (set to 0 by the assignment c1 := 0) along this transition. In state s6, clock c1 shows the time passed since the reading of the input symbol comfort (the occurrence of the event comfort).
The automaton can move from state s6 back to state s0 only if this clock value is less than 2 (seconds). In other words, this transition is enabled only if c1 is less than 2 (indicated by (c1 < 2)? along the transition). As before, this timing constraint can be considered as the maximum delay for the turn off heater event to happen after detecting the comfort event. This is the same as saying the deadline for the occurrence of the turn off heater event is less than 2 since the comfort event is detected.
The behavior of the automaton starting from the initial state s0 if the input symbol hot (indicating that the room temperature is above 78◦F) is read is similar except that the air conditioner will be turned on and the deadlines are different. Note that different clocks can be reset or restarted at different times and they are independent (need not be synchronized). In this example, we can use a single clock to impose the timing constraints since either the heater or the air conditioner can be activated but not both at the same time. This automaton accepts the language:
L1 = {((cold turn on heater comfort turn off heater
hot turn on ac comfort turn off ac)ω, τ )
| x((τ4x+5 < τ4x+4 + 10)(τ4x+7 < τ4x+6 + 2) (τ4x+2 < τ4x+1 + 5)(τ4x+4 < τ4x+3 + 2))}.
Example. Automaton α2: Consider the timed transition table of the example automaton (Figure 7.2) representing the receiving of two messages (msg1 and msg2) and their corresponding acknowledgments (ack1 and ack2). ack1 must be sent 2 s after receiving msg1, and ack2 must be sent within 5 s of receiving msg2. ack1 must be sent before sending ack2. This last condition effectively requires that ack1 must be sent 2 s after receiving msg1 and within 5 s of receiving msg2 so that ack2 can be sent within 5 s of receiving msg2. This automaton has two clocks and accepts the language:
L2 = {((msg1 msg2 ack1 ack2)ω, τ)| x((τ4x+3 > τ4x+1 +2)(τ4x+4 < τ4x+2 +5))}.
Having described two examples, we now define the types of comparisons allowed in specifying a clock constraint.
198 VERIFICATION USING TIMED AUTOMATA
msg1
S0 
S1 i := 0
ack2 |
|
msg2 |
(j < 5)? |
|
j := 0 |
|
|
|
ack1
S3 
S2
(i > 2)?
Figure 7.2 Automaton α2 for message sending and acknowledgment.
Clock Constraints: An atomic constraint is of the form c operator t, where c is a clock variable, t is a time constant (a nonnegative rational number), and operator is either < or ≤. A clock constraint is an atomic constraint or a conjunction of atomic constraints.
Next we define an assignment of values to clocks, called a clock interpretation.
Clock Interpretation: A clock interpretation for a set of clocks is an assignment of a positive real value to each clock. A clock constraint may contain one or more clocks. A clock interpretation v for a set C of clocks is said to satisfy a clock constraint δ over C iff the assignment of the values in v to these clocks makes δ true. Given a positive real t, the expression v + t is a clock interpretation that assigns the value v(c) + t to every clock c.
We are now ready to define a state extended with a clock interpretation.
Extended State: Given a timed transition table, an extended state s, v is a state s S extended with a clock interpretation v for C.
7.2.3 Alur–Dill Timed Automata
Alur and Dill extend the ω-automata to accept timed words, yielding a theory of timed regular languages. The definition of a timed Buchi automaton is based on a Buchi automaton extended with a finite set of clocks and clock constraints.
Timed Transition Table: A timed transition table A is a 5-tuple , S, S0, C, E , where is a finite alphabet, S is a finite set of states, S0 S is a set of start states, C is a finite set of clocks, and E is a set of transitions. A transition on input symbol α s, s , α, λ, δ is represented by an edge from state s to state s . λ is the finite set of clocks to be reset with this transition. δ is a clock constraint over C.
The corresponding region automaton R(A) for a timed transition table A =, S, S0, C, E is a transition table over the alphabet .
ALUR–DILL AUTOMATA-THEORETIC APPROACH |
199 |
The states of R(A) are pairs s, α where s S and α is a clock region. The initial states of R(A) are pairs s0, [v0] where s0 S0 and v0(x) = 0 for all x C. An
a
edge s, α , s , α , a exists in R(A) iff s, v → s , v for some v α and some v α .
Now we define a run of a timed transition table, which is an execution path with events and their corresponding occurrence times.
Run of a Timed Transition Table: A run r = (s, v) of a timed transition table (as defined above) over a timed word (ρ, τ ) is an infinite sequence
ρ1,τ1 |
, v1 |
ρ2,τ2 |
ρ3,τ3 |
r : s0, v0 −→ s1 |
−→ s2 |
, v2 −→ · · · |
where si S for all i ≥ 0 and vi is a clock interpretation for C such that
1.s0 S0 and for all t C, v0(t) = 0; and
2.an edge in E si−1, si , ρi , λi , δi exists for all i ≥ 1 such that (vi−1 +τi −τi−1) satisfies δi and vi = [λi → 0](vI −1 + τi − τI −1).
Example. A run of a timed transition table: Consider again the timed transition table of the example automaton above representing the receiving of two messages (msg1 and msg2) and their corresponding acknowledgments (ack1 and ack2). ack1 must be sent 2 s after receiving msg1, and ack2 must be sent within 5 s of receiving msg2. Suppose we have the word
(msg1, 1), (msg2, 2.6), (ack1, 4), (ack2, 5.8), . . . .
Note that the occurrence time values for the events satisfy the clock constraints. With a clock interpretation given by the values [i, j], the initial part of the run is:
msg1,1 |
msg2,2.6 |
|
[1.6, 0] |
r : s0, [0, 0] −→ |
s1, [0, 1] −→ s2, |
||
ack1,4 |
ack2,5.8 |
s4 |
, [4.8, 3.2] · · · . |
−→ s3, [3, 1.4] −→ |
|||
Initially, all the clocks have value 0. Starting from state s0, the automaton takes the transition on reading msg1 at time 1 and moves to state s1. The clock assignment along this transition resets clock i to 0 whereas clock j advances to 1, hence the clock interpretation in state s1 is [0, 1].
Then, on reading msg2 at time 2.6, the automaton moves to state s2. The clock assignment along this transition resets clock j to 0 whereas clock i advances to 1.6 since absolute time has advanced 1.6 s (the time interval between the receipt of msg1 and the receipt of msg2), hence the clock interpretation in state s2 is [1.6, 0].
Next on reading ack1 at time 4, the automaton moves to state s3. Absolute time has advanced 1.4 s since reading msg2, so both clocks advance 1.4 s, hence the clock
200 VERIFICATION USING TIMED AUTOMATA
interpretation in state s3 is [3, 1.4]. Note that this transition is taken more than 2 s after receiving msg1.
Finally, on reading ack2 at time 5.8, the automaton moves to state s4. Absolute time has advanced 1.8 s since reading ack1, so both clocks advance 1.8 s, hence the clock interpretation in state s4 is [4.8, 3.2]. Note that this transition is taken within 5 s of receiving msg2.
Now we are ready to define timed languages and timed Buchi automata by combining time transition tables and acceptance criteria. We need to define the inf set first. inf(r) is a set of states in s S where s = si for infinitely many i ≥ 0.
Timed Buchi Automaton: A timed Buchi automaton (TBA) is a 6-tuple , S, S0, E, C, F , where the first five components of the tuple form a timed transition table and the last component, F, is a set of accepting states.
Accepting Run: A run r = (s, v) of a TBA over a timed word (ρ, τ ) is an accepting run iff F ∩ inf (r) = .
Let L(α) be the language of timed words accepted by the TBA α. Then L(α) is the set {(ρ, τ ) | α has an accepting run over (ρ, τ )}.
L(α) belongs to a class of languages called timed regular languages.
Timed Regular Language: A timed language L is a timed regular language iff for some TBA α, L = L(α).
We are getting close to developing a strategy for verification using timed automata. In the case of an untimed deterministic finite automaton, there is a single initial state, and the state in which the automaton is in together with the next input symbol read determine the unique next state. Here, we can define a deterministic timed automaton in a similar way. The current state together with the next input symbol and its occurrence time uniquely determine the next state. Unlike untimed DFA, a timed DFA may have more than one outgoing transition with the same input symbol from a given state. This is allowed if the time constraints along these transitions are mutually exclusive, that is, these time constraints cannot be true at the same time.
Deterministic Timed Automaton: A deterministic timed automaton (DTA or DTFA) is a timed automaton with a deterministic timed transition table. A timed transition table , S, S0, E, C is deterministic iff
1.it has a single initial state, and
2.the clock constraints δ1 and δ2 are mutually exclusive (cannot be true at the same time) for all s S, for all a , and for every pair of edges
s, −, a, −, δ1 and s, −, a, −, δ2 .