Timed Automata and Logics for Real-time Systems Luca Aceto ICE-TCS, - - PowerPoint PPT Presentation

SLIDE 1

Timed Transition Systems Timed Automata Networks of Timed Automata Regions and Region Graph Equivalence Checking Problems

Timed Automata and Logics for Real-time Systems

Luca Aceto ICE-TCS, School of Computer Science Reykjavik University, Iceland luca@ru.is and luca.aceto@gmail.com

Luca Aceto ICE-TCS, School of Computer Science Reykjavik University, Iceland luca@ru.is and luca.aceto@gmail.com Timed Automata and Logics for Real-time Systems 1 / 43

SLIDE 2

Goals of the course

Learning outcomes
At the end of the course, you will
  • be familiar with the basic theory of timed automata,
  • be able to model and verify real-time systems using UPPAAL,
  • be familiar with some of the behavioural equivalences over timed automata and some of the logics for real-time systems and their connections with behavioural equivalences.

The course will be evaluated via a small-group project.

SLIDE 3

Content of the first part of the course

  • labelled transition systems with time
  • timed automata
  • timed and untimed bisimilarity
  • timed and untimed language equivalence
  • region graph and the reachability problem
  • networks of timed automata
  • model checking of basic properties of timed automata

SLIDE 4

Need for Introducing Time-related Features

Timeouts in protocols:
  • In CCS, say, timeouts can be modelled using nondeterminism.
  • Enough to prove that the protocol is safe.
  • Maybe too abstract for certain questions. (What is the average time to deliver the message?)

Many real-life systems depend on timing:
  • Real-time controllers (production lines, computers in cars, railway crossings).
  • Embedded systems (mobile phones, remote controllers, digital watch).
  • ...

SLIDE 5

Labelled Transition Systems with Time

Timed (labelled) transition system (TLTS)
A TLTS is a triple $(Proc, Act, \{\xrightarrow{a} \mid a \in Act\})$ where
  • $Proc$ is a set of states (or processes),
  • $Act = N \cup \mathbb{R}_{\geq 0}$ is a set of actions (consisting of labels and time-elapsing steps), and
  • for every $a \in Act$, $\xrightarrow{a} \subseteq Proc \times Proc$ is a binary relation on states called the transition relation.

We write $s \xrightarrow{a} s'$ if $a \in N$ and $(s, s') \in \xrightarrow{a}$, and $s \xrightarrow{d} s'$ if $d \in \mathbb{R}_{\geq 0}$ and $(s, s') \in \xrightarrow{d}$.

SLIDE 6

Healthiness conditions on delay transitions

Typical requirements on the delay transitions
  • (Determinism) If $s \xrightarrow{d} s'$ and $s \xrightarrow{d} s''$ ($d \in \mathbb{R}_{\geq 0}$) then $s' = s''$.
  • (Zero delay) $s \xrightarrow{0} s'$ if, and only if, $s = s'$.
  • (Additivity 1) If $s \xrightarrow{d} s' \xrightarrow{d'} s''$ then $s \xrightarrow{d+d'} s''$.
  • (Additivity 2) If $s \xrightarrow{d} s''$ and $e \leq d$ then $s \xrightarrow{e} s' \xrightarrow{d-e} s''$ for some $s'$.

Why are these reasonable requirements?

SLIDE 7

How to Describe Timed Transition Systems?

Syntax (unknown entity) → Semantics (known entity)
CCS → Labelled Transition Systems
??? → Timed Transition Systems

Timed Automata [Alur, Dill'90]
Finite-state automata equipped with clocks.

SLIDE 11

Example: Light switch

[Diagram: timed automaton with locations Off, Light and Bright; edges labelled press (reset x:=0), press (guard x≤1.4), press (guard x>1.4) and press.]

SLIDE 12

Definition of TA: Clock Constraints

Let $C = \{x, y, \ldots\}$ be a finite set of clocks.

Set $B(C)$ of clock constraints over $C$
$B(C)$ is defined by the following abstract syntax
$$g, g_1, g_2 ::= x \sim n \mid x - y \sim n \mid g_1 \wedge g_2$$
where $x, y \in C$ are clocks, $n \in \mathbb{N}$ and $\sim \in \{\leq, <, =, >, \geq\}$.

Example: $x \leq 3 \wedge y > 0 \wedge y - x = 2$

SLIDE 13

Clock Valuation

Clock valuation
A clock valuation $v$ is a function $v : C \to \mathbb{R}_{\geq 0}$.

Let $v$ be a clock valuation. Then
  • $v + d$ is a clock valuation for any $d \in \mathbb{R}_{\geq 0}$ and it is defined by $(v + d)(x) = v(x) + d$ for all $x \in C$,
  • $v[r]$ is a clock valuation for any $r \subseteq C$ and it is defined by $v[r](x) = 0$ if $x \in r$, and $v[r](x) = v(x)$ otherwise.

SLIDE 15

Evaluation of Clock Constraints

Evaluation of clock constraints ($v \models g$)
  • $v \models x < n$ iff $v(x) < n$
  • $v \models x \leq n$ iff $v(x) \leq n$
  • $v \models x = n$ iff $v(x) = n$
  • ...
  • $v \models x - y < n$ iff $v(x) - v(y) < n$
  • $v \models x - y \leq n$ iff $v(x) - v(y) \leq n$
  • ...
  • $v \models g_1 \wedge g_2$ iff $v \models g_1$ and $v \models g_2$

SLIDE 16

Syntax of Timed Automata

Definition
A timed automaton over a set of clocks $C$ and a set of labels $N$ is a tuple $(L, \ell_0, E, I)$ where
  • $L$ is a finite set of locations
  • $\ell_0 \in L$ is the initial location
  • $E \subseteq L \times B(C) \times N \times 2^C \times L$ is the set of edges
  • $I : L \to B(C)$ assigns invariants to locations.

We usually write $\ell \xrightarrow{g,a,r} \ell'$ whenever $(\ell, g, a, r, \ell') \in E$.

SLIDE 17

Example: Hammer

[Diagram: timed automaton with locations free and busy; edges labelled start (reset x:=0, y:=0), done (guard y≥5) and hit (guard x≥1, reset x:=0).]

SLIDE 18

Semantics of Timed Automata

Let $A = (L, \ell_0, E, I)$ be a timed automaton.

Timed transition system generated by $A$
$T(A) = (Proc, Act, \{\xrightarrow{a} \mid a \in Act\})$ where
  • $Proc = L \times (C \to \mathbb{R}_{\geq 0})$, i.e. states are of the form $(\ell, v)$ where $\ell$ is a location and $v$ a valuation
  • $Act = N \cup \mathbb{R}_{\geq 0}$
  • $\longrightarrow$ is defined as follows:
    $(\ell, v) \xrightarrow{a} (\ell', v')$ if there is $(\ell \xrightarrow{g,a,r} \ell') \in E$ s.t. $v \models g$ and $v' = v[r]$
    $(\ell, v) \xrightarrow{d} (\ell, v + d)$ for all $d \in \mathbb{R}_{\geq 0}$ s.t. $v \models I(\ell)$ and $v + d \models I(\ell)$

SLIDE 19

A timed automaton and a fragment of its associated TLTS

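[Diagram: timed automaton with a single location ℓ0 with invariant x ≤ 2 and an edge labelled a with guard x≤1 and reset x:=0.]

Fragment of its TLTS:
$(\ell_0, [x = 0]) \xrightarrow{0.6} (\ell_0, [x = 0.6]) \xrightarrow{0.4} (\ell_0, [x = 1]) \xrightarrow{0.3} (\ell_0, [x = 1.3]) \xrightarrow{0.7} (\ell_0, [x = 2])$
together with three transitions labelled $a$.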
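
The semantics of timed automata, run on the automaton of this slide, as an added example in Python (not part of the original slides). It reads x ≤ 2 as the invariant of ℓ0 and the a-edge as a self-loop; the tuple encoding of constraints, the class and function names and the location name "l0" are choices of this example.

```python
from fractions import Fraction
import operator

OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
       ">=": operator.ge, ">": operator.gt}


def sat(v, g):
    """v |= g. g is a list (conjunction) of atoms: (x, None, op, n) encodes
    x ~ n and (x, y, op, n) encodes x - y ~ n."""
    return all(OPS[op](v[x] - (v[y] if y is not None else 0), n)
               for (x, y, op, n) in g)


def delayed(v, d):
    """The valuation v + d: every clock advances by d."""
    return {x: t + d for x, t in v.items()}


def reset(v, r):
    """The valuation v[r]: clocks in r become 0, the rest keep their value."""
    return {x: (Fraction(0) if x in r else t) for x, t in v.items()}


class TimedAutomaton:
    def __init__(self, clocks, initial, edges, invariants):
        self.clocks = clocks
        self.initial = initial
        self.edges = edges            # tuples (l, g, a, r, l2)
        self.invariants = invariants  # location -> constraint

    def initial_state(self):
        return (self.initial, {x: Fraction(0) for x in self.clocks})

    def action_successors(self, state, a):
        """All (l2, v[r]) with an edge l --g,a,r--> l2 such that v |= g.
        As in the single-automaton rule, only the guard is checked."""
        loc, v = state
        return [(l2, reset(v, r)) for (l, g, b, r, l2) in self.edges
                if l == loc and b == a and sat(v, g)]

    def delay_successor(self, state, d):
        """(l, v + d) if v |= I(l) and v + d |= I(l), otherwise None."""
        loc, v = state
        inv = self.invariants.get(loc, [])
        if d >= 0 and sat(v, inv) and sat(delayed(v, d), inv):
            return (loc, delayed(v, d))
        return None


# The automaton of this slide: one location, invariant x <= 2,
# and an a-loop with guard x <= 1 and reset x := 0.
A = TimedAutomaton(
    clocks=["x"], initial="l0",
    edges=[("l0", [("x", None, "<=", 1)], "a", {"x"}, "l0")],
    invariants={"l0": [("x", None, "<=", 2)]},
)


def replay(delays):
    """Apply the delays in order from the initial state. Returns a list of
    (value of x, is a enabled?) pairs, ending with None if a delay is refused."""
    state = A.initial_state()
    trace = [(state[1]["x"], bool(A.action_successors(state, "a")))]
    for d in delays:
        state = A.delay_successor(state, Fraction(d))
        if state is None:
            trace.append(None)
            break
        trace.append((state[1]["x"], bool(A.action_successors(state, "a"))))
    return trace


if __name__ == "__main__":
    # The delays of the fragment, then one more delay that the invariant refuses.
    for entry in replay(["0.6", "0.4", "0.3", "0.7", "0.1"]):
        print(entry)
```

Delays are passed as decimal strings so that the clock values are exact rationals rather than floats.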

SLIDE 20

Example: A small jobshop

Can you give a fragment of its associated TLTS?

SLIDE 21

Networks of Timed Automata

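Timed Automata in Parallel
[Diagram: two automata in parallel, one with an edge labelled a! and the other with an edge labelled a?.]

Intuition in CCS: $(a.Nil \mid \bar{a}.Nil) \setminus \{a\}$

Let $C$ be a set of clocks and $Chan$ a set of channels. We let $Act = N \cup \mathbb{R}_{\geq 0}$ where $N = \{c! \mid c \in Chan\} \cup \{c? \mid c \in Chan\} \cup \{\tau\}$.
Let $A_i = (L_i, \ell_0^i, E_i, I_i)$ be timed automata for $1 \leq i \leq n$.

Networks of Timed Automata
We call $A = A_1 | A_2 | \cdots | A_n$ a network of timed automata.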

SLIDE 23

Example: Hammer, Worker, Nail

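[Diagram: network of three timed automata.
 H: locations free and busy; edges start? (reset x:=0, y:=0), done? (guard y≥5) and hit! (guard x≥1, reset x:=0).
 W: locations rest and work, with an invariant z ≤ 60; edges start! (reset z:=0) and done! (guard z≥10).
 N: locations up, half and down; edges hit?, hit? and τ.]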

SLIDE 26

Timed Transition System Generated by A = A1| · · · |An

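$T(A) = (Proc, Act, \{\xrightarrow{a} \mid a \in Act\})$ where
  • $Proc = (L_1 \times L_2 \times \cdots \times L_n) \times (C \to \mathbb{R}_{\geq 0})$, i.e. states are of the form $((\ell_1, \ell_2, \ldots, \ell_n), v)$ where $\ell_i$ is a location in $A_i$
  • $Act = \{\tau\} \cup \mathbb{R}_{\geq 0}$
  • $\longrightarrow$ is defined as follows:
    $((\ell_1, \ldots, \ell_i, \ldots, \ell_n), v) \xrightarrow{\tau} ((\ell_1, \ldots, \ell_i', \ldots, \ell_n), v')$ if there is $(\ell_i \xrightarrow{g,\tau,r} \ell_i') \in E_i$ s.t. $v \models g$ and $v' = v[r]$ and $v' \models I_i(\ell_i') \wedge \bigwedge_{k \neq i} I_k(\ell_k)$
    $((\ell_1, \ldots, \ell_n), v) \xrightarrow{d} ((\ell_1, \ldots, \ell_n), v + d)$ for all $d \in \mathbb{R}_{\geq 0}$ s.t. $v \models \bigwedge_k I_k(\ell_k)$ and $v + d \models \bigwedge_k I_k(\ell_k)$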

SLIDE 27

Continuation

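$((\ell_1, \ldots, \ell_i, \ldots, \ell_j, \ldots, \ell_n), v) \xrightarrow{\tau} ((\ell_1, \ldots, \ell_i', \ldots, \ell_j', \ldots, \ell_n), v')$
if $i \neq j$ and there are $(\ell_i \xrightarrow{g_i,a!,r_i} \ell_i') \in E_i$ and $(\ell_j \xrightarrow{g_j,a?,r_j} \ell_j') \in E_j$ s.t. $v \models g_i \wedge g_j$ and $v' = v[r_i \cup r_j]$ and $v' \models I_i(\ell_i') \wedge I_j(\ell_j') \wedge \bigwedge_{k \neq i,j} I_k(\ell_k)$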

SLIDE 28

The light switch and a fast user

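[Diagram: network of two timed automata.
 Light switch: locations Off, Light and Bright; edges press? (reset x:=0), press? (guard x≤14), press? (guard x>14) and press?.
 User: locations U and U′, with invariants y ≤ 0 and y ≤ 3; edges press! (reset y:=0) and press! (guard y=3, reset y:=0).]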

SLIDE 29

A fragment of the TLTS for the previous network

[Diagram: fragment of the TLTS over the states (Off, U), (Light, U′), (Bright, U′) and (Off, U′), with transitions labelled τ and delay transitions labelled 3.]

SLIDE 30

The lazy Worker and his demanding Employer

SLIDE 31

Logic for Timed Automata in UPPAAL

Let φ and ψ be local properties (checkable locally in a given state).
Example: (H.busy ∧ W.rest ∧ 20 ≤ z ≤ 30)

UPPAAL can check the following formulae (subset of TCTL)
  • A[] φ : invariantly φ
  • E<> φ : possibly φ
  • A<> φ : always eventually φ
  • E[] φ : potentially always φ
  • φ --> ψ : φ always leads to ψ (same as A[] (φ ⇒ A<> ψ))

Legend: A and E are so-called path quantifiers, and [] and <> quantify over states of a selected path.

SLIDE 32

Automatic Verification of Timed Automata

Fact
Even very simple timed automata generate timed transition systems with infinitely (even uncountably) many reachable states.

Question
Is any automatic verification approach (like bisimilarity checking, model checking or reachability analysis) possible at all?

Answer
Yes, using region graph techniques.
Key idea: infinitely many clock valuations can be categorized into finitely many equivalence classes.

SLIDE 35

Preliminaries

Let $d \in \mathbb{R}_{\geq 0}$. Then let $\lfloor d \rfloor$ be the integer part of $d$, and let $frac(d)$ be the fractional part of $d$. Any $d \in \mathbb{R}_{\geq 0}$ can now be written as $d = \lfloor d \rfloor + frac(d)$.
Example: $\lfloor 2.345 \rfloor = 2$ and $frac(2.345) = 0.345$.

Let $A$ be a timed automaton and $x \in C$ be a clock. We define $c_x \in \mathbb{N}$ as the largest constant with which the clock $x$ is ever compared either in the guards or in the invariants present in $A$.

SLIDE 37

Intuition

Let $v, v' : C \to \mathbb{R}_{\geq 0}$ be clock valuations. Let $\sim$ denote untimed bisimilarity of timed transition systems.

Our Aim
Define an equivalence relation $\equiv$ over clock valuations such that
  1. $v \equiv v'$ implies $(\ell, v) \sim (\ell, v')$ for any location $\ell$
  2. $\equiv$ has only finitely many equivalence classes.

SLIDE 41

Clock (Region) Equivalence

Equivalence Relation on Clock Valuations
Clock valuations $v$ and $v'$ are equivalent ($v \equiv v'$) iff
  1. for all $x \in C$ such that $v(x) \leq c_x$ or $v'(x) \leq c_x$ we have $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$
  2. for all $x \in C$ such that $v(x) \leq c_x$ we have $frac(v(x)) = 0$ iff $frac(v'(x)) = 0$
  3. for all $x, y \in C$ such that $v(x) \leq c_x$ and $v(y) \leq c_y$ we have $frac(v(x)) \leq frac(v(y))$ iff $frac(v'(x)) \leq frac(v'(y))$

SLIDE 42

Regions

Let $v$ be a clock valuation. The $\equiv$-equivalence class represented by $v$ is denoted by $[v]$ and defined by $[v] = \{v' \mid v' \equiv v\}$.

Definition of a Region
An $\equiv$-equivalence class $[v]$ represented by some clock valuation $v$ is called a region.

Theorem
For every location $\ell$ and any two valuations $v$ and $v'$ from the same region ($v \equiv v'$) it holds that $(\ell, v) \sim (\ell, v')$ where $\sim$ stands for untimed bisimilarity.
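
An added example in Python (not part of the original slides) that checks the three conditions of clock equivalence with exact rationals and computes a hashable representative of the region [v]. It goes beyond the slides in two ways: the conditions are checked in both directions, which makes the check symmetric at the boundary v(x) = c_x, and the regions hit by a sample grid are counted to illustrate that there are finitely many. The bounds c_x = 2 and c_y = 1 used in the demo, the grid and all function names are assumptions of this example.

```python
from fractions import Fraction
from itertools import product
from math import floor


def frac(d):
    """Fractional part of a non-negative rational."""
    return d - floor(d)


def _conditions(v, w, c):
    """Conditions 1-3 of clock equivalence, read with v on the left."""
    clocks = list(c)
    for x in clocks:
        # 1: equal integer parts whenever one of the two values is <= c_x
        if (v[x] <= c[x] or w[x] <= c[x]) and floor(v[x]) != floor(w[x]):
            return False
        # 2: zero fractional part is preserved for clocks with v(x) <= c_x
        if v[x] <= c[x] and (frac(v[x]) == 0) != (frac(w[x]) == 0):
            return False
    # 3: the ordering of fractional parts is preserved for bounded clocks
    for x, y in product(clocks, repeat=2):
        if v[x] <= c[x] and v[y] <= c[y]:
            if (frac(v[x]) <= frac(v[y])) != (frac(w[x]) <= frac(w[y])):
                return False
    return True


def equivalent(v, w, c):
    """v == w (region equivalence). Both directions are checked, so the pair
    v(x) = c_x, w(x) slightly above c_x is rejected whichever comes first."""
    return _conditions(v, w, c) and _conditions(w, v, c)


def region(v, c):
    """Hashable representative of [v]: two valuations get the same value
    exactly when they are equivalent."""
    clocks = sorted(c)
    per_clock = tuple(
        None if v[x] > c[x] else (floor(v[x]), frac(v[x]) == 0)
        for x in clocks)
    bounded = [x for x in clocks if v[x] <= c[x]]
    # sign of frac(v(x)) - frac(v(y)) for every pair of bounded clocks
    order = tuple((frac(v[x]) > frac(v[y])) - (frac(v[x]) < frac(v[y]))
                  for i, x in enumerate(bounded) for y in bounded[i + 1:])
    return (per_clock, order)


def sample_grid(c, step=Fraction(1, 4)):
    """Constructed sample: valuations on a grid reaching one unit past c_x.
    A step of 1/4 gives three distinct non-zero fractional parts, which is
    enough to hit every region of a one- or two-clock automaton."""
    clocks = sorted(c)
    axes = [[k * step for k in range(int((c[x] + 1) / step) + 1)]
            for x in clocks]
    return [dict(zip(clocks, point)) for point in product(*axes)]


def count_regions(c):
    """Number of distinct regions hit by the sample grid."""
    return len({region(v, c) for v in sample_grid(c)})


if __name__ == "__main__":
    c = {"x": 2, "y": 1}  # constructed bounds c_x = 2, c_y = 1
    v = {"x": Fraction(3, 10), "y": Fraction(7, 10)}
    w = {"x": Fraction(1, 10), "y": Fraction(9, 10)}
    print(equivalent(v, w, c), count_regions(c))
```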

SLIDE 44

Symbolic States and Region Graph

state: $(\ell, v)$
symbolic state: $(\ell, [v])$

Note: $v \equiv v'$ implies that $(\ell, [v]) = (\ell, [v'])$.

Region Graph
The region graph of a timed automaton $A$ is an unlabelled (and untimed) transition system where
  • states are symbolic states
  • $\Longrightarrow$ on symbolic states is defined as follows:
    $(\ell, [v]) \Longrightarrow (\ell', [v'])$ iff $(\ell, v) \xrightarrow{a} (\ell', v')$ for some label $a$
    $(\ell, [v]) \Longrightarrow (\ell, [v'])$ iff $(\ell, v) \xrightarrow{d} (\ell, v')$ for some $d \in \mathbb{R}_{\geq 0}$

Fact
A region graph of any timed automaton is finite.

SLIDE 46

Partitioning of the valuations for a simple timed automaton

SLIDE 47

Symbolic exploration of the simple timed automaton


slide-48
SLIDE 48


Application of Region Graphs to Reachability

We write (ℓ, v) → (ℓ′, v′) whenever (ℓ, v) −a→ (ℓ′, v′) for some label a, or (ℓ, v) −d→ (ℓ′, v′) for some d ∈ R≥0.

Reachability Problem for Timed Automata
Instance (input): Automaton A = (L, ℓ₀, E, I) and a state (ℓ, v).
Question: Is it true that (ℓ₀, v₀) →* (ℓ, v) (where v₀(x) = 0 for all x ∈ C)?

Reduction of Timed Automata Reachability to Region Graphs
Reachability for timed automata is decidable because (ℓ₀, v₀) →* (ℓ, v) in a timed automaton if and only if (ℓ₀, [v₀]) ⟹* (ℓ, [v]) in its (finite) region graph.
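The reduction above, worked through for a single clock as an added example (not code from the slides). The automaton, its constants and all function names are constructed for illustration; with one clock x and largest constant 3, the regions are x = 0, 0 < x < 1, x = 1, ..., x = 3, x > 3.

```python
from collections import deque
import operator as op

# Constructed one-clock automaton (an assumption, not taken from the slides):
#   l0 --a, x<=1, x:=0--> l1 --a, x>=2--> l2,   invariant I(l1): x<=3
#   l1 --a, x<1 and x>1--> l3   (contradictory guard: l3 must be unreachable)
C_MAX = 3  # largest constant compared with x
INV = {"l0": [], "l1": [(op.le, 3)], "l2": [], "l3": []}
EDGES = [  # (source, guard, reset x?, target)
    ("l0", [(op.le, 1)], True, "l1"),
    ("l1", [(op.ge, 2)], False, "l2"),
    ("l1", [(op.lt, 1), (op.gt, 1)], False, "l3"),
]

def region_of(x):
    """Region index: 2k for x = k, 2k+1 for k < x < k+1, 2*C_MAX+1 for x > C_MAX."""
    if x > C_MAX:
        return 2 * C_MAX + 1
    return 2 * int(x) if x == int(x) else 2 * int(x) + 1

def sat(r, constraint):
    """All valuations of region r agree on constraints with integer constants
    <= C_MAX, so the representative value r/2 decides for the whole region."""
    return all(cmp(r / 2, n) for cmp, n in constraint)

def successors(loc, r):
    # Delay steps (l,[v]) => (l,[v+d]): any later region that keeps I(l).
    for r2 in range(r, 2 * C_MAX + 2):
        if sat(r2, INV[loc]):
            yield loc, r2
    # Action steps (l,[v]) => (l',[v']): guard holds, reset applied, I(l') holds.
    for src, guard, reset, dst in EDGES:
        if src == loc and sat(r, guard):
            r2 = 0 if reset else r
            if sat(r2, INV[dst]):
                yield dst, r2

def region_graph(start=("l0", 0)):
    seen, queue = {start}, deque([start])
    while queue:  # breadth-first search over symbolic states
        for nxt in successors(*queue.popleft()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def reachable(loc, x):
    return (loc, region_of(x)) in region_graph()
```

The search visits 19 symbolic states in total, although the automaton itself has uncountably many concrete states (ℓ, v).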


slide-50
SLIDE 50


Applicability of Region Graphs

Pros
Region graphs provide a natural abstraction which makes it possible to prove decidability of e.g.
  • reachability
  • timed and untimed bisimilarity
  • untimed language equivalence and language emptiness.

Cons
Region graphs have too large state spaces. State explosion is exponential in
  • the number of clocks
  • the maximal constants appearing in the guards.


slide-52
SLIDE 52


Zones and Zone Graphs

Zones provide a more efficient representation of symbolic state spaces. A number of regions can be described by one zone.

Zone
A zone is described by a clock constraint g ∈ B(C).
[g] = {v | v ⊨ g}

Region Graphs
symbolic state: (ℓ, [v]) where v is a clock valuation

Zone Graphs
symbolic state: (ℓ, [g]) where g is a clock constraint

A zone is usually represented (and stored in memory) as a DBM (Difference Bound Matrix).
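A small Difference Bound Matrix, as an added example (not code from the slides or from UPPAAL), showing how one matrix stores a whole zone and how delay, guard intersection and reset act on it. The class and method names are assumptions, and only non-strict bounds are handled to keep the block short.

```python
INF = float("inf")

class DBM:
    """Zone over clocks x1..xn. Index 0 is a reference clock fixed at 0 and
    d[i][j] = c encodes x_i - x_j <= c (non-strict bounds only, for brevity)."""

    def __init__(self, n):
        self.n = n + 1
        self.d = [[0] * self.n for _ in range(self.n)]  # zone {all clocks = 0}

    def close(self):
        """Tighten every bound via shortest paths (canonical form)."""
        rng = range(self.n)
        for k in rng:
            for i in rng:
                for j in rng:
                    self.d[i][j] = min(self.d[i][j], self.d[i][k] + self.d[k][j])
        return self

    def constrain(self, i, j, c):
        """Intersect the zone with the constraint x_i - x_j <= c."""
        self.d[i][j] = min(self.d[i][j], c)
        return self.close()

    def is_empty(self):
        """A negative cycle in a closed DBM means no valuation satisfies it."""
        return any(self.d[i][i] < 0 for i in range(self.n))

    def up(self):
        """Delay: drop the upper bounds x_i <= c, keep clock differences."""
        for i in range(1, self.n):
            self.d[i][0] = INF
        return self

    def reset(self, i):
        """x_i := 0, so x_i inherits the bounds of the reference clock."""
        for j in range(self.n):
            self.d[i][j], self.d[j][i] = self.d[0][j], self.d[j][0]
        return self

    def contains(self, v):
        val = (0, *v)
        return all(val[i] - val[j] <= self.d[i][j]
                   for i in range(self.n) for j in range(self.n))

def example_zone():
    """Delay, guard x<=2, reset y, delay (x is clock 1, y is clock 2)."""
    return DBM(2).up().constrain(1, 0, 2).reset(2).up()
```

The resulting zone is y ≤ x ≤ y + 2, a single 3×3 matrix that covers many regions at once; intersecting it with a guard x − y ≥ 3 yields the empty zone.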


slide-55
SLIDE 55


Timed Bisimilarity

Let A₁ and A₂ be timed automata.

Timed Bisimilarity
We say that A₁ and A₂ are timed bisimilar iff the transition systems T(A₁) and T(A₂) generated by A₁ and A₂ are strongly bisimilar.

Remark: both −a→ for a ∈ N and −d→ for d ∈ R≥0 are considered as normal (visible) transitions.


slide-56
SLIDE 56


Example of Timed Bisimilar Automata

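[Figure: two timed automata, one with locations A, B, C and one with locations A', B', C'. Edge labels recovered from the figure, in extraction order: a, x=1; a, x=1, x:=0; a, x≤2, x:=0; a, x≤1.]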


slide-57
SLIDE 57


Example of Timed Non-Bisimilar Automata

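[Figure: two timed automata, one with locations A, B, C and one with locations A', B', C'. Edge labels recovered from the figure, in extraction order: a, x≤1, x:=0; a, x≤2, x:=0; a, x≤3; a, x≤3.]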


slide-58
SLIDE 58


Untimed Bisimilarity

Let A₁ and A₂ be timed automata. Let ε be a new (fresh) action.

Untimed Bisimilarity
We say that A₁ and A₂ are untimed bisimilar iff the transition systems T(A₁) and T(A₂) generated by A₁ and A₂, where every transition of the form −d→ for d ∈ R≥0 is replaced with −ε→, are strongly bisimilar.

Remark: −a→ for a ∈ N is treated as a visible transition, while −d→ for d ∈ R≥0 are all labelled by a single visible action −ε→.

Corollary
Any two timed bisimilar automata are also untimed bisimilar.


slide-60
SLIDE 60


Timed Non-Bisimilar but Untimed Bisimilar Automata

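[Figure: two timed automata, one with locations A, B, C and one with locations A', B', C'. Edge labels recovered from the figure, in extraction order: a, x≤1, x:=0; a, x≤2, x:=0; a, x≤3; a, x≤3.]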


slide-61
SLIDE 61


Decidability of Timed and Untimed Bisimilarity

Theorem [Cerans’92]
Timed bisimilarity for timed automata is decidable in EXPTIME (deterministic exponential time).

Theorem [Larsen, Wang’93]
Untimed bisimilarity for timed automata is decidable in EXPTIME (deterministic exponential time).


slide-63
SLIDE 63


Timed Traces

Let A = (L, ℓ₀, E, I) be a timed automaton over a set of clocks C and a set of labels N.

Timed Traces
A sequence (t₁, a₁)(t₂, a₂)(t₃, a₃) ... where tᵢ ∈ R≥0 and aᵢ ∈ N is called a timed trace of A iff there is a transition sequence

  (ℓ₀, v₀) −d₁→ . −a₁→ . −d₂→ . −a₂→ . −d₃→ . −a₃→ ...

in A such that v₀(x) = 0 for all x ∈ C and tᵢ = tᵢ₋₁ + dᵢ where t₀ = 0.

Intuition: tᵢ is the absolute time (time-stamp) when aᵢ happened since the start of the automaton A.


slide-64
SLIDE 64


Timed and Untimed Language Equivalence

The set of all timed traces of an automaton A is denoted by L(A) and called the timed language of A.

Theorem [Alur, Courcoubetis, Dill, Henzinger’94]
Timed language equivalence (the problem whether L(A₁) = L(A₂) for given timed automata A₁ and A₂) is undecidable.

We say that a₁a₂a₃ ... is an untimed trace of A iff there exist t₁, t₂, t₃, ... ∈ R≥0 such that (t₁, a₁)(t₂, a₂)(t₃, a₃) ... is a timed trace of A.

Theorem [Alur, Dill’94]
Untimed language equivalence for timed automata is decidable.
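The definitions of timed and untimed traces, as an added example (not code from the slides): a checker that turns time-stamps back into delays and follows every matching run. The automaton TA, its dictionary layout and the function names are constructed for illustration, and traces are taken to be finite sequences.

```python
# Constructed automaton with one clock x (an assumption, not from the slides):
#   l0 --a, x<=1, x:=0--> l1 --b, x>=2--> l2,   invariant I(l1): x<=3
TA = {
    "init": "l0",
    "clocks": ("x",),
    "inv": {"l1": lambda v: v["x"] <= 3},
    "edges": [  # (source, label, guard, clocks to reset, target)
        ("l0", "a", lambda v: v["x"] <= 1, ("x",), "l1"),
        ("l1", "b", lambda v: v["x"] >= 2, (), "l2"),
    ],
}

def delays(trace):
    """Recover d_i = t_i - t_(i-1), with t_0 = 0, from absolute time-stamps."""
    prev, out = 0, []
    for t, _ in trace:
        out.append(t - prev)
        prev = t
    return out

def is_timed_trace(ta, trace):
    """Follow every run of `ta` that matches the finite sequence `trace`."""
    inv = lambda loc, v: ta["inv"].get(loc, lambda _: True)(v)
    configs = [(ta["init"], {x: 0 for x in ta["clocks"]})]
    for d, (_, a) in zip(delays(trace), trace):
        if d < 0:  # time-stamps must not decrease
            return False
        step = []
        for loc, v in configs:
            v = {x: c + d for x, c in v.items()}  # delay transition
            if not inv(loc, v):
                continue
            for src, lab, guard, resets, dst in ta["edges"]:
                if src == loc and lab == a and guard(v):
                    v2 = {x: 0 if x in resets else c for x, c in v.items()}
                    if inv(dst, v2):
                        step.append((dst, v2))  # action transition
        configs = step
    return bool(configs)

def untimed(trace):
    """Forget the time-stamps: (t1,a1)(t2,a2)... becomes a1 a2 ..."""
    return [a for _, a in trace]
```

For this automaton, (0.5, a)(3, b) is a timed trace while (0.5, a)(2, b) is not, even though both have the untimed trace a b.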
