ALUR–DILL REGION AUTOMATON AND VERIFICATION |
201 |
The motivation for using a DTA is that it can be easily complemented since at most one run exists over a given timed word. Complementation is needed when we verify that the implementation AI meets the specification AS by checking for the emptiness of L(AI ) ∩ L(AS )C , that is, the intersection of the languages accepted by the implementation and the languages accepted by the complement of the specification (negation of the specification) is empty.
7.3 ALUR–DILL REGION AUTOMATON AND VERIFICATION
To prove that the language accepted by an automaton is nonempty, we need to show that there is an infinite accepting path in the automaton’s transition table. For a timed automaton, the timing constraints disallow certain paths in the transition table. Alur and Dill [Alur, 1991; Alur and Dill, 1994] show that given a timed automaton, a Buchi automaton can be constructed such that the set of untimed words accepted by the Buchi automaton is the same as the one obtained by the Untime operation on the timed words accepted by the timed automaton. They provide an algorithm for checking emptiness for timed automata with clock constraints containing only integer constants.
Clock constraints containing rational numbers can be converted into integers by multiplying each constant by the least common multiple (LCM) of the denominators of all the constants in the clock constraints of an automaton. Note that this does not change the untimed language.
7.3.1 Clock Regions
Since the number of clock interpretations is infinite, the number of extended states is infinite and uncountable. This makes it impossible to construct an automaton with extended states given an automaton with no clock interpretations. However, to verify that two automata are equivalent, for example, that an implementation of a system (represented by an automaton) satisfies the specification of the system (represented by another automaton), we have to find a way to build the corresponding finite automata.
One approach used in other analysis and verification techniques is to aggregate an infinite set of extended states into one state or a finite set of states. Here, this is achieved by grouping infinite sets of states into a finite number of clock regions, and then by showing that runs (or execution paths) from the same states in both automata are similar if their clock values agree.
Suppose the non-clock components of two extended states from these two automata are the same. If these states agree on the integral parts of their clock values as well as on the ordering of the fractional parts of their clock values, then the runs beginning from these extended states are similar. Note that the values of the integral parts of clocks can be unbounded. However, we are only interested in those values that are less than or equal to the largest integer c appearing in clock constraints since these bounded values satisfy these clock constraints and determine allowed execution paths. We now formalize these ideas.
202 VERIFICATION USING TIMED AUTOMATA
A positive real number t can be expressed as t + fract(t) and hence has two parts: the integral part t and the fractional part fract(t). Suppose for each i C, ci is the largest integer that i is compared to in some clock constraint. We first define an equivalence relation called time-abstract bisimulation.
Time-Abstract Bisimulation: The equivalence relation “ ,” also known as the time-abstract bisimulation, over the set of clock interpretations for C is defined as follows. v v iff all three of these conditions hold:
1.For all i C, either v(i) = v (i) or v(i) > ci and v (i) > ci .
2.For all i, j C where v(i) ≤ ci and v( j) ≤ c j , fract(v(i)) ≤ fract(v( j)) iff fract(v (i)) ≤ fract(v ( j)).
3.For all i C where v(i) ≤ ci , fract(v(i)) = 0 iff fract(v (i)) = 0.
Clock Region: A clock region for automaton α is an equivalence class of clock interpretations induced by .
We can define each clock region by specifying:
1. |
a clock constraint from the set for every clock i: {i = c|c = 0, . . . , ci } |
|
{c − 1 < i < c|c = 1, . . . , ci } {i > ci }, and |
2. |
whether fract(i) is <, =, or > fract( j) for every pair of clocks i and j where |
|
c − 1 < i < c and d − 1 < j < d appear in the clock constraint in (1) for |
|
some c and d. |
The number of these clock regions as specified above is bounded but is exponential in the encoding of the clock constraints. A clock region R is said to satisfy a clock constraint δ iff every clock interpretation v in R satisfies δ.
Recall that v is a clock interpretation for a finite set C of clocks. The notation [v] indicates the clock region containing v; that is, v belongs to the clock region [v]. Furthermore, we uniquely characterize each clock region by specifying a finite set of clock constraints that the region satisfies.
Example. A clock region: Suppose there are two clocks (i and j) in a timed transition table, ci = 1 and c j = 2. There are 8 clock regions, as shown in Figure 7.3.
The notion of region equivalence is very important in grouping related clock interpretations together into a single clock region, thus making analysis manageable, as we will see later. The following time-abstract transition relation over the (time) extended states helps illustrate the usefulness of the concept of region equivalence.
Time-Abstract Transition Relation over Extended States: Given |
an alphabet |
||||
|
|
a |
iff there is |
||
symbol a, for two extended states s, v and s , v , s, v → s , v |
|||||
|
|
and a time increment t (a positive real number) such that v |
+ |
t |
|
an edge s, s , a, λ, δ |
|
|
|||
satisfies δ and v = [λ → 0](v + t).
ALUR–DILL REGION AUTOMATON AND VERIFICATION |
203 |
j |
|
|
|
|
R1 |
R2 |
|
2 |
R3 |
|
|
|
R5 |
|
|
1 |
R4 |
|
|
R6 |
|
|
|
|
R8 |
|
|
|
R7 |
|
|
|
|
|
|
0 |
1 |
2 |
i |
|
Figure 7.3 Clock regions for two clocks, ci = 1 and c j = 2.
Property |
of Time-Abstract Bisimulation (Equivalence Relation |
|
): If |
v |
i |
|
v |
j |
|||||||
a |
|
|
|
|
|
|
|
|
|||||||
|
a |
→ |
, vi |
|
exists such that |
vi |
v j |
and |
|||||||
and |
s, vi |
|
s |
, then a clock interpretation v j |
|
|
|||||||||
s, v j →s , v j .
Given an automaton with a clock constraint δ, if two clock interpretations are equivalent (v v ), then v satisfies δ iff v satisfies δ.
7.3.2 Region Automaton
Having defined a clock region as an equivalence class of potentially infinite clock interpretations, we now aggregate every group of equivalent (time) extended states into a single region-state. This leads to the definition of a region automaton R(A) where A is the original timed automaton. Each state s, p in the region automaton consists of the state s S of the corresponding timed automaton and the clock region p, which is the equivalence class of the current clock values.
The region automaton simulates the corresponding timed automaton by following these rules. If the extended state of A is s, v , then the corresponding state of R(A) is s, [v]. A transition exists in R(A) from state s, p to state s , p labeled with a iff in A a transition exists from state s, v with v p to state s , v labeled with a for some v p .
Projection: The projection [r] = (s, [v]) of a run r = (s, v) of automaton A of the form
ρ1,τ1 |
ρ2,τ2 |
|
ρ3,τ3 |
r : s0, v0 → s1 |
, v1 → s2 |
, v2 → · · · |
|
is the sequence |
|
|
|
ρ1 |
ρ2 |
|
ρ3 |
[r] : s0, [v0] →s1, [v1] →s2 |
, [v2] → · · · . |
||
Progressive Run: Given a region automaton R(A), a run r = (s, p) is progressive iff there is an infinite number of is (i ≥ 0) for each clock j C such that pi satisfies
[( j = 0) ( j > c j )].
204 VERIFICATION USING TIMED AUTOMATA
S0 |
alarm, i := 0 |
S1 |
|
false alarm, (i < 1)? |
|
||||||
|
|
< |
1)? |
|
i:= |
0 |
|
|
(j |
|
|
|
|
||
check, |
|
|
|
< 1)?, |
|
||
|
|
|
(i |
|
|
||
|
alarm, |
|
|
|
|||
|
|
|
|
|
|||
evacuate
(i = 1)?
S3 
S2 return, (j < 1)?
Figure 7.4 Automaton α3.
Example. Figure 7.4 shows a timed automaton α3 with the alphabet
{alarm, false alarm, check, evacuate, return}.
The construction of the corresponding region automaton R(α3) is left as an exercise.
7.3.3 Verification Algorithm
Now we are ready to describe the Alur–Dill verification approach. A great deal of theory and definitions have been presented so far, but the main idea is as follows. Untimed automata are extended with clock variables and timing constraints on transitions to yield timed Buchi automata (TBAs), which can represent timed regular processes. Then to allow the analysis of TBAs with an infinite number of extended states, corresponding region automata are introduced.
The verification algorithm to be described can verify the correctness of finitestate real-time systems. TBAs model finite-state real-time systems. The objective is to check that the implementation of a real-time system meets the specification of this system. Both the implementation and the specification are first represented by TBAs. Then we prove that the desired inclusion, that the language accepted by the implementation automaton, is a subset of the language accepted by the specification automaton.
Given a timed process (A, L) where L is a language over the alphabet P(A), if L is a timed regular language, then this is a timed regular process representable by a timed automaton. Usually, an implementation is represented by a TBA AI that is a composition of n components with each component described by a timed regular process Pi = (Ai , L(Ai )). The system specification is represented by a timed regular language S over the alphabet P(A), where A = A1 · · · An . The system is said to be correct iff the following inclusion is satisfied: L(AI ) S. The verification algorithm is shown in Figure 7.5.