SLIDE 1

Timed Automata
Rajeev Alur
University of Pennsylvania
www.cis.upenn.edu/~alur/

SFM-RT, Bertinoro, Sept 2004

SLIDE 2

Model Checker

[Figure: a model and a temporal property are fed to the model checker, which answers "yes" or returns an error trace.]

Advantages
  - Automated formal verification
  - Effective debugging tool

Moderate industrial success
  - In-house groups: Intel, Microsoft, Lucent, Motorola…
  - Commercial model checkers: FormalCheck by Cadence

Obstacles
  - Scalability is still a problem (about 500 state vars)
  - Effective use requires great expertise

Still, a great success story for CS theory impacting practice, and a vibrant area of research

SLIDE 3

Automata in Model Checking

• Automata theory provides foundations for model checking
  - Automata / state machines to model components
  - Intersection, projection model operations
  - Verification is inclusion: is System contained in Spec?
• Classical: finite-state automata (regular languages)
  - Pushdown automata
  - Counter automata
  - Probabilistic automata …
• Timed automata as a foundation for real-time systems (automata + timing constraints)

SLIDE 4

Course Overview

• Timed Automata Model
• Reachability
  - Preliminaries: Transition Systems and Equivalences
  - Region Graph Construction
  - Decidability Boundary
• Timed Regular Languages
  - Closure Properties and Complementation
  - Deterministic and Two-way Automata
  - Robustness
  - Inclusion

SLIDE 5

Simple Light Control

[Figure: locations Off, Light and Bright, connected by four Press transitions.]

WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.

SLIDE 6

Simple Light Control

Solution: Add a real-valued clock x

[Figure: the same locations Off, Light and Bright; a Press resets x:=0, and the next Press is guarded by x<=3 (pressed again quickly, to Bright) or by x>3 (to Off).]

Adding continuous variables to state machines

SLIDE 7

Timed Automata

[Figure: locations n and m with an edge n -a-> m carrying the guard x<=5 & y>3 and the reset x:=0.]

Clocks: x, y

Guard: Boolean combination of comparisons with integer/rational bounds
Reset: action performed on clocks
Action: used for synchronization

State: (location, x=v, y=u) where v, u are in R

Transitions
  (n, x=2.4, y=3.1415) -wait(1.1)-> (n, x=3.5, y=4.2415)
  (n, x=2.4, y=3.1415) -a-> (m, x=0, y=3.1415)

SLIDE 8

Adding Invariants

[Figure: the automaton of slide 7 (clocks x, y; edge n -a-> m with guard x<=5 & y>3 and reset x:=0), now with the location invariants x<=5 and y<=10 written on the locations; a second sketch shows edges with guards g1, g2, g3, g4.]

Location Invariants

Transitions
  (n, x=2.4, y=3.1415) -wait(1.1)-> (n, x=3.5, y=4.2415)
  (n, x=2.4, y=3.1415) -wait(3.2)-> no successor: x would reach 5.6 and violate the invariant x<=5

Invariants ensure progress!!

SLIDE 9

Timed Automata: Syntax

• A finite set V of locations
• A subset V0 of initial locations
• A finite set Σ of labels (alphabet)
• A finite set X of clocks
• Invariant Inv(l) for each location (a clock constraint over X)
• A finite set E of edges. Each edge has
  - source location l, target location l'
  - label a in Σ (ε labels also allowed)
  - guard g (a clock constraint over X)
  - a subset λ of clocks to be reset

SLIDE 10

Timed Automata: Semantics

• For a timed automaton A, define an infinite-state transition system S(A)
• States Q: a state q is a pair (l, v), where l is a location and v is a clock vector, mapping clocks in X to R, satisfying Inv(l)
• (l, v) is an initial state if l is in V0 and v(x)=0 for every clock x
• Elapse-of-time transitions: for each nonnegative real number d, (l, v) -d-> (l, v+d) if both v and v+d satisfy Inv(l)
• Location-switch transitions: (l, v) -a-> (l', v') if there is an edge (l, a, g, λ, l') such that v satisfies g and v' = v[λ:=0]
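
The transition system S(A) just defined, as an added Python example (my code, not from the slides): a small timed-automaton structure with the delay and location-switch rules, exercised on the two-location automaton of slides 7-8 (the placement of the invariants x<=5 on n and y<=10 on m is my reading of the figure) and on the light controller of slides 5-6 (whose edge layout is likewise my reading of the figure). The names Edge, TimedAutomaton, A78, LIGHT and run are mine.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Valuation = Dict[str, float]            # clock vector v: X -> R
Guard = Callable[[Valuation], bool]     # clock constraint, evaluated on a valuation
State = Tuple[str, Valuation]           # (location, v)

@dataclass(frozen=True)
class Edge:
    src: str
    label: str                # a in Sigma
    guard: Guard              # g
    resets: FrozenSet[str]    # lambda: clocks set to 0 when the edge is taken
    dst: str

@dataclass
class TimedAutomaton:
    locations: List[str]
    initial: List[str]        # V0
    clocks: List[str]         # X
    edges: List[Edge]         # E
    invariants: Dict[str, Guard] = field(default_factory=dict)  # Inv(l); missing = true

    def inv(self, loc: str, v: Valuation) -> bool:
        return self.invariants.get(loc, lambda _: True)(v)

    def initial_states(self) -> List[State]:
        v0 = {x: 0.0 for x in self.clocks}          # every clock starts at 0
        return [(l, v0) for l in self.initial if self.inv(l, v0)]

    def delay(self, state: State, d: float) -> Optional[State]:
        """Elapse-of-time transition (l,v) -d-> (l,v+d); None if Inv(l) would be violated."""
        l, v = state
        if d < 0:
            raise ValueError("delays are nonnegative reals")
        w = {x: t + d for x, t in v.items()}
        return (l, w) if self.inv(l, v) and self.inv(l, w) else None

    def switch(self, state: State, label: str) -> List[State]:
        """All location-switch transitions (l,v) -a-> (l',v[lambda:=0]) enabled on `label`."""
        l, v = state
        successors = []
        for e in self.edges:
            if e.src == l and e.label == label and e.guard(v):
                w = {x: (0.0 if x in e.resets else t) for x, t in v.items()}
                if self.inv(e.dst, w):                 # the target's invariant must hold
                    successors.append((e.dst, w))
        return successors

# Automaton of slides 7-8 (invariant placement is my reading of the figure).
A78 = TimedAutomaton(
    locations=["n", "m"], initial=["n"], clocks=["x", "y"],
    edges=[Edge("n", "a", lambda v: v["x"] <= 5 and v["y"] > 3, frozenset({"x"}), "m")],
    invariants={"n": lambda v: v["x"] <= 5, "m": lambda v: v["y"] <= 10},
)

def slide8_checks() -> dict:
    """The three transitions drawn on slides 7-8, from (n, x=2.4, y=3.1415)."""
    q = ("n", {"x": 2.4, "y": 3.1415})
    return {
        "wait_1.1": A78.delay(q, 1.1),   # ('n', x=3.5, y=4.2415)
        "wait_3.2": A78.delay(q, 3.2),   # None: x would reach 5.6 and break x<=5
        "a": A78.switch(q, "a"),         # [('m', x=0.0, y=3.1415)]
    }

# Light controller of slides 5-6: a second press within 3 time units -> Bright, otherwise Off.
LIGHT = TimedAutomaton(
    locations=["Off", "Light", "Bright"], initial=["Off"], clocks=["x"],
    edges=[
        Edge("Off", "Press", lambda v: True, frozenset({"x"}), "Light"),   # x := 0
        Edge("Light", "Press", lambda v: v["x"] <= 3, frozenset(), "Bright"),
        Edge("Light", "Press", lambda v: v["x"] > 3, frozenset(), "Off"),
        Edge("Bright", "Press", lambda v: True, frozenset(), "Off"),
    ],
)

def run(A: TimedAutomaton, trace) -> Optional[str]:
    """Follow a trace of delays (numbers) and labels (strings) from the initial state.
    Returns the final location, or None if some step is disabled or ambiguous."""
    state = A.initial_states()[0]
    for step in trace:
        if isinstance(step, (int, float)):
            state = A.delay(state, step)
        else:
            nxt = A.switch(state, step)
            state = nxt[0] if len(nxt) == 1 else None
        if state is None:
            return None
    return state[0]
```

A call such as run(LIGHT, ["Press", 2.0, "Press"]) returns "Bright", while run(LIGHT, ["Press", 4.5, "Press"]) returns "Off"; the wait(3.2) entry of slide8_checks() is None because the delay would leave the invariant of n, which is exactly the progress-forcing role of invariants described on slide 8.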

SLIDE 11

Product Construction

[Figure: two component automata and their product. The first has locations A, B over clock x (extracted labels: x<4, x:=0, x>3, and edges labelled a and b); the second has locations C, D over clock y (extracted labels: y<4, y:=0, y>3, and edges labelled b and c). The product has locations AC, BC, AD, BD; edges on the shared label b are combined (e.g. x>3, b | x>3, b, y:=0), while a and c edges (e.g. a | a, x:=0) interleave.]
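
The product construction as an added Python example (my code, not from the slides). Because not every label of the figure can be recovered from the extracted slide, the two component automata below are constructed to resemble it: both have a b edge, so b synchronizes (guards conjoined, reset sets joined), while a and c interleave. The names A1, A2, timed_product and describe are mine.

```python
from itertools import product

# An automaton is (locations, initial, clocks, edges, invariants); an edge is
# (src, label, guard, resets, dst); guards and invariants are predicates on valuations.
def true_guard(v):
    return True

# Constructed components modelled on the slide: A/B over clock x, C/D over clock y.
A1 = (["A", "B"], ["A"], ["x"],
      [("A", "a", true_guard, {"x"}, "B"),                 # a, x:=0
       ("B", "b", lambda v: v["x"] > 3, set(), "A")],      # x>3, b
      {"B": lambda v: v["x"] < 4})                         # invariant x<4 on B
A2 = (["C", "D"], ["C"], ["y"],
      [("C", "b", true_guard, {"y"}, "D"),                 # b, y:=0
       ("D", "c", lambda v: v["y"] > 3, set(), "C")],      # y>3, c
      {"D": lambda v: v["y"] < 4})                         # invariant y<4 on D

def conj(g1, g2):
    """Conjunction of two clock constraints."""
    return lambda v: g1(v) and g2(v)

def timed_product(P, Q):
    """Synchronous product on shared labels; labels owned by one component interleave.
    Clocks are assumed private to a component, so the clock sets must be disjoint."""
    locsP, initP, clP, edgesP, invP = P
    locsQ, initQ, clQ, edgesQ, invQ = Q
    if set(clP) & set(clQ):
        raise ValueError("component clock sets must be disjoint")
    shared = {e[1] for e in edgesP} & {e[1] for e in edgesQ}
    edges = []
    for (s1, a, g1, r1, t1) in edgesP:
        if a in shared:        # both components move: conjoin guards, union resets
            for (s2, b, g2, r2, t2) in edgesQ:
                if b == a:
                    edges.append((s1 + s2, a, conj(g1, g2), set(r1) | set(r2), t1 + t2))
        else:                  # only P moves; Q may sit in any of its locations
            for q in locsQ:
                edges.append((s1 + q, a, g1, set(r1), t1 + q))
    for (s2, b, g2, r2, t2) in edgesQ:
        if b not in shared:    # only Q moves
            for p in locsP:
                edges.append((p + s2, b, g2, set(r2), p + t2))
    # the invariant of a product location is the conjunction of the component invariants
    invariants = {p + q: conj(invP.get(p, true_guard), invQ.get(q, true_guard))
                  for p, q in product(locsP, locsQ)}
    return ([p + q for p, q in product(locsP, locsQ)],
            [p + q for p, q in product(initP, initQ)],
            clP + clQ, edges, invariants)

def describe(P):
    """Readable, sorted edge list: (src, label, dst, resets)."""
    return sorted((s, a, t, tuple(sorted(r))) for s, a, _, r, t in P[3])
```

describe(timed_product(A1, A2)) lists five edges: the two interleaved a edges (AC -> BC, AD -> BD, resetting x), the two interleaved c edges (AD -> AC, BD -> BC), and the single synchronized b edge BC -> AD whose guard is x>3 and whose reset is y:=0, matching the shape of the product drawn on the slide.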

SLIDE 12

Verification

• System modeled as a product of timed automata
• Verification problem reduced to reachability or to temporal logic model checking
• Applications
  - Real-time controllers
  - Asynchronous timed circuits
  - Scheduling
  - Distributed timing-based algorithms

SLIDE 13

Course Overview

✓ Timed Automata Model
• Reachability
  - Preliminaries: Transition Systems and Equivalences
  - Region Graph Construction
  - Decidability Boundary
• Timed Regular Languages
  - Closure Properties and Complementation
  - Deterministic and Two-way Automata
  - Robustness
  - Inclusion

SLIDE 14

Reachability for Timed Automata

Is finite-state analysis possible? Is the reachability problem decidable?

SLIDE 15

Finite Partitioning

Goal: partition the state space into finitely many equivalence classes so that equivalent states exhibit similar behaviors

SLIDE 16

Labeled Transition System T

• Set Q of states
• Set I of initial states
• Set Σ of labels
• Set → of labeled transitions of the form q -a-> q'

SLIDE 17

Partitions and Quotients

• Let T = (Q, I, Σ, →) be a transition system and ≅ be a partitioning of Q (i.e. an equivalence relation on Q)
• The quotient T/≅ is the transition system:
  1. States are the equivalence classes of ≅
  2. A state P is initial if it contains a state in I
  3. The set of labels is Σ
  4. Transitions: P -a-> P' if q -a-> q' for some q in P and some q' in P'

SLIDE 18

Language Equivalence

• Language of T: the set of possible finite strings over Σ that can be generated starting from initial states
• T and T' are language-equivalent iff they generate the same language
• Roughly speaking, language-equivalent systems satisfy the same set of "safety" properties

SLIDE 19

Bisimulation

• A relation ≅ on Q×Q' is a bisimulation iff whenever q ≅ q' then
  - if q -a-> u then for some u', u ≅ u' and q' -a-> u', and
  - if q' -a-> u' then for some u, u ≅ u' and q -a-> u.
• Transition systems T and T' are bisimilar if there exists a bisimulation ≅ on Q×Q' such that for every q in I there is q' in I' with q ≅ q', and vice versa
• Many equivalent characterizations (e.g. game-theoretic)
• Roughly speaking, bisimilar systems satisfy the same set of branching-time properties (including safety)
SLIDE 20

Bisimulation vs Language Equivalence

Bisimilarity -> Language equivalence

[Figure: two systems that are language equivalent but not bisimilar. The extracted edge labels are a, a, b, c for the first (two a-branches, one followed by b and the other by c) and a, b, c for the second (a single a, after which both b and c are possible).]

SLIDE 21

Timed vs Time-Abstract Relations

• Transition system associated with a timed automaton:
  - Labels on continuous steps are delays in R: Timed
  - Actual delays are suppressed (all continuous steps have the same label): Time-abstract
• Two versions of language equivalence and two versions of bisimulation
• Time-abstract relations are enough to capture untimed properties (e.g. reachability, safety)

SLIDE 22

Time-abstract vs Timed

Timed equivalence -> Time-abstract equivalence

[Figure: two automata that are time-abstract equivalent but not timed equivalent: one does a then b with no timing constraint; the other resets a clock on a (x:=0) and allows b only when x>10.]

SLIDE 23

Regions

Finite partitioning of state space

[Figure: the clock space (x, y), with the x axis marked 1, 2, 3 and the y axis marked 1, 2, partitioned into regions.]

Definition: w ≅ w' iff they satisfy the same set of constraints of the form
  xi < c, xi = c, xi - xj < c, xi - xj = c
for c <= largest constant relevant to xi

An equivalence class (i.e. a region); in fact there is only a finite number of regions!!

Alur, Dill, 90

SLIDE 24

Region Operations

[Figure: the same (x, y) partition with a region r highlighted; axes marked 1, 2, 3 and 1, 2.]

• An equivalence class (i.e. a region) r
• Successor regions, Succ(r): the regions that r reaches as time elapses
• Reset regions: r[y:=0], r[x:=0]

SLIDE 25

Properties of Regions

• The region equivalence relation ≅ is a time-abstract bisimulation:
  - Action transitions: if w ≅ v and (l,w) -a-> (l',w') for some w', then there exists v' ≅ w' s.t. (l,v) -a-> (l',v')
  - Delay transitions: if w ≅ v then for all real numbers d, there exists d' s.t. w+d ≅ v+d'
• If w ≅ v then (l,w) and (l,v) satisfy the same temporal logic formulas
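
The region equivalence of slide 23, the successor regions Succ(r) of slide 24 and the delay clause of the time-abstract bisimulation on this slide, as an added Python example (my code, not from the slides). Clock values are exact rationals so that a clock sitting exactly on an integer is classified correctly; the names region, equivalent, probe_delays, successor_regions and match_delay are mine, and the bounds (3 for x, 2 for y) follow the axes of the slide-23 figure.

```python
from fractions import Fraction
from math import floor

def region(v, bounds):
    """Canonical name of the region containing valuation v (Alur-Dill regions).
    v: dict clock -> Fraction; bounds: dict clock -> largest constant relevant to that clock.
    Two valuations get the same name iff they satisfy the same constraints
    x_i < c, x_i = c, x_i - x_j < c, x_i - x_j = c with c <= the relevant bound."""
    ints, fracs = {}, {}
    for x, val in v.items():
        if val > bounds[x]:
            ints[x] = "gt_max"               # beyond its bound: the exact value is irrelevant
        else:
            ints[x] = floor(val)             # integer part
            fracs[x] = val - floor(val)      # fractional part (bounded clocks only)
    zero = frozenset(x for x, f in fracs.items() if f == 0)   # clocks sitting on an integer
    order = []                               # fractional parts in ascending order, grouped when equal
    for x in sorted(fracs, key=lambda c: fracs[c]):
        if order and fracs[order[-1][0]] == fracs[x]:
            order[-1].append(x)
        else:
            order.append([x])
    return (tuple(sorted(ints.items())), zero, tuple(frozenset(g) for g in order))

def equivalent(w, v, bounds):
    return region(w, bounds) == region(v, bounds)

def shift(v, d):
    """v + d: let d time units elapse."""
    return {x: val + d for x, val in v.items()}

def probe_delays(v, bounds):
    """Delays that visit every region on the time line from v: each delay at which a
    bounded clock reaches an integer, plus a point strictly between consecutive ones."""
    crossings = {Fraction(0)}
    for x, val in v.items():
        k = floor(val) + 1
        while k <= bounds[x]:
            crossings.add(k - val)
            k += 1
    ds = sorted(crossings)
    probes = []
    for i, d in enumerate(ds):
        nxt = ds[i + 1] if i + 1 < len(ds) else d + 1
        probes += [d, (d + nxt) / 2]
    return probes

def successor_regions(v, bounds):
    """Succ(r) for the region r of v: the distinct regions met as time elapses, in order,
    r itself first."""
    seen = []
    for d in probe_delays(v, bounds):
        r = region(shift(v, d), bounds)
        if not seen or seen[-1] != r:
            seen.append(r)
    return seen

def match_delay(w, v, d, bounds):
    """Delay clause of the time-abstract bisimulation: for w ≅ v and a delay d, return a
    d' with w+d ≅ v+d'. Equivalent valuations share the same Succ sequence, so the region
    of w+d is found among the probes of v; None means w and v were not equivalent."""
    target = region(shift(w, d), bounds)
    for dd in probe_delays(v, bounds):
        if region(shift(v, dd), bounds) == target:
            return dd
    return None

# Constructed sample: clocks x (largest constant 3) and y (largest constant 2), as on slide 23.
BOUNDS = {"x": 3, "y": 2}
W = {"x": Fraction(3, 10), "y": Fraction(1, 2)}   # (0.3, 0.5)
V = {"x": Fraction(2, 5), "y": Fraction(7, 10)}   # (0.4, 0.7): same region as W
```

W and V lie in the same region (both fractional parts nonzero, x's smaller than y's). For the delay d = 0.6, W+d = (0.9, 1.1) has y past the integer 1 and its fractional part now below x's; match_delay finds d' = 0.45 with V+d' = (0.85, 1.15) in that same region, and successor_regions(W) and successor_regions(V) are the identical list of 11 regions, ending where both clocks exceed their bounds.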

SLIDE 26

Region graph of a simple timed automaton

[Figure only: the region graph of a simple timed automaton; no text was extracted for this slide.]

SLIDE 27

Region Graphs (Summary)

• Finite quotient of the timed automaton that is time-abstract bisimilar to it
• Number of regions: (# of locations) times (product of all constants) times (factorial of the number of clocks)
• Precise complexity class of the reachability problem: PSPACE (basically, the exponential dependence on clocks/constants is unavoidable)
  - PSPACE-hard even for bounded constants or for a bounded number of clocks

SLIDE 28

Multi-rate Automata

• Modest extension of timed automata
  - Dynamics of the form dx = const (the rate of a clock is the same in all locations)
  - Guards and invariants: x < const, x > const
  - Resets: x := const
• Simple translation to timed automata that gives a time-abstract bisimilar system by scaling

[Figure: dx = 2, dy = 3 with the constraint x>5 and y<1 is scaled to du = 1, dv = 1 with the constraint u>5/2 and v<1/3.]

SLIDE 29

Rectangular Automata

• Interesting extension of timed automata
  - Dynamics of the form dx in const interval (the rate bounds of a clock are the same in all locations)
  - Guards/invariants/resets as before
• Translation to multi-rate automata that gives a time-abstract language-equivalent system

[Figure: dx in [2, 3] with constraints x>5 and x<2 is translated to two clocks du = 2, dv = 3 with v>5, u:=5 and u<2, v:=2.]

HKPV 95

SLIDE 30

Rectangular automata may not have finite bisimilar quotients!

[Figure: a rectangular automaton with dx = 1, dy in [1, 2], invariants x<=1 and y<=1, and edges x=1, a, x:=0 and y=1, b, y:=0.]

SLIDE 31

Decidable Problems

• Model checking branching-time properties (TCTL) of timed automata
• Reachability in rectangular automata
• Timed bisimilarity: are two given timed automata bisimilar?
• Optimization: compute shortest paths (e.g. minimum-time reachability) in timed automata with costs on locations and edges
• Controller synthesis: computing winning strategies in timed automata with controllable and uncontrollable transitions

SLIDE 32

Limit Reachability

• Given A and error ε, define Aε to be the rectangular automaton in which every clock x has rate in the interval [1-ε, 1+ε]
• A location l is limit reachable if l is reachable in Aε for every ε > 0
• Limit reachability is decidable

Puri 98

[Figure: locations A and B; the edge between them carries the constraint x<1 and y>1.]

SLIDE 33

Undecidable Reachability Problems

• Linear expressions as guards
• Guards that compare clocks with irrational constants
• Updates of the form x := x-1
• Multi-rate automata with comparisons among clocks as guards
• Timed automata + stop-watches (i.e. clocks that can have rates 0 or 1)

Many such results. Proofs by encoding Turing machines / 2-counter machines. Sharp boundary for decidability understood.

SLIDE 34

Course Overview

✓ Timed Automata Model
✓ Reachability
  - Preliminaries: Transition Systems and Equivalences
  - Region Graph Construction
  - Decidability Boundary
• Timed Regular Languages
  - Closure Properties and Complementation
  - Deterministic and Two-way Automata
  - Robustness
  - Inclusion

SLIDE 35

Timed Languages

• A timed word over Σ is a sequence (a0, t0), (a1, t1) … (ak, tk) with ai in Σ, ti in R, and t0 <= t1 <= … <= tk (monotonicity of time)
• A timed language is a set of timed words
• Timed automata with final locations can be viewed as generators/acceptors of timed languages: A accepts (a0, t0), (a1, t1) … (ak, tk) if for some initial state q and final state q' there is a run q -t0-> -a0-> -(t1-t0)-> -a1-> … -ak-> q'
• A timed language L is timed regular if there is a timed automaton whose timed language is L

SLIDE 36

Example

Words of the form (abcd)* such that c occurs after a delay of at least 2 wrt the last b, and d occurs within 3 of the last a

[Figure: a cycle of four locations with edges a, x:=0; b, y:=0; y>2, c; x<3, d.]

This timed language cannot be captured by any timed automaton with just 1 clock. In fact, expressiveness strictly increases with the number of clocks.

SLIDE 37

Untiming

• Given a timed language L over Σ, the language Untime(L) consists of words a0, a1, … ak such that there exists a timed word (a0, t0), (a1, t1) … (ak, tk) in L
• Thm: If L is timed regular, then Untime(L) is regular.
  - Proof by region construction

SLIDE 38

Not timed regular

• The delay between the first and second event is the same as the delay between the second and third.
  - Can compare delays only with constant bounds
• Every a symbol is followed by some b symbol after a delay of 1
  - Due to denseness, there can be an unbounded number of a symbols in a unit interval
  - The complement of this language is timed regular
• The untimed language is {aⁿbⁿ | n is an integer}

SLIDE 39

Properties of Timed Regular Languages

• The set of timed regular languages is closed under union and intersection, but not under complementation
• For every k, there is a timed regular language that cannot be expressed using only k clocks (strict hierarchy)
• Epsilon-labeled switches contribute to expressive power
  - The language "symbols occur only at integer times" crucially uses epsilon-labeled edges

SLIDE 40

Non-closure under complementation

• L contains timed words w s.t. there is an a at some time t, and no event at time t+1
• Claim: ~L is not timed regular
• Let L' contain timed words w s.t. the untimed word is in a*b*, all a symbols are before time 1, and no two a events happen simultaneously
• A word aⁿbᵐ is in Untime(~L & L') iff m >= n
• ~L & L' is not timed regular, but L' is. So ~L cannot be timed regular

[Figure: an automaton for L with edge labels a, x:=0; a, b; and a, b, ~(x=1).]

SLIDE 41

Undecidability

• The universality problem (given a timed automaton A, does it accept all timed words?) is undecidable
  - Proof by reduction from the halting problem for 2-counter machines
  - Symbols in the time interval [k, k+1) encode the k-th configuration of a run of the machine
  - Denseness of time ensures configurations can be of unbounded length
  - Crux: how to relate successive configurations
  - Copying of a symbols: every a at time t in one interval has a matching a in the next interval at time t+1
  - Absence of such copying can be guessed by a timed automaton

SLIDE 42

Do we have the "right" class?

• Corollary: the inclusion and equivalence problems are undecidable for timed automata
  - Hierarchical verification using the automata-theoretic setting is not possible
• Closed under union, intersection, projection, concatenation, but not complementation
• Maybe the source of undecidability and non-closure under complementation is the ability to model precise time constraints
  - some two a symbols are time 1 apart

SLIDE 43

Search for a "better" class

• Complementable subclasses
  - (Bounded two-way) Deterministic automata
  - (Recursive) Event-clock automata
• Semantics
  - (Inverse) Digitization, open/closed automata
  - Robust timed automata
• Alternative characterizations
  - Timed regular expressions
  - Monadic second-order theory + distance
  - Linear temporal logics with real time

SLIDE 44

Deterministic Timed Automata

• A timed automaton is deterministic if
  - Only one initial location
  - No edges labeled with ε (some relaxation possible)
  - Two edges with the same source and the same label have disjoint guards
• Key property: at most one run on a given timed word
  - To complement, complete & complement final locations

[Figure: a deterministic automaton with edges a, x<1 and a, x>=1 (disjoint guards) and b.]
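
Runs and acceptance of timed words (slide 35), the two-clock (abcd)* language of slide 36, untiming (slide 37) and the complete-and-swap complementation of a deterministic timed automaton from this slide, as one added Python example (my code, not from the slides). The location names l0..l3, the clock names x, y and the helpers accepts, untime and complement_dta are mine; the (abcd)* automaton has one initial location, no ε edges and a single edge per (location, label), so it is deterministic and doubles as the automaton to complement. Location invariants are not modelled here.

```python
def guard_true(v):
    return True

# Automaton of slide 36: (abcd)* with c at least 2 after the last b and d within 3 of the last a.
ABCD = {
    "locations": ["l0", "l1", "l2", "l3"],
    "initial": "l0",
    "final": {"l0"},                       # accept after complete abcd blocks
    "clocks": ["x", "y"],
    "edges": [                             # (src, label, guard, resets, dst)
        ("l0", "a", guard_true,           {"x"}, "l1"),   # a, x:=0
        ("l1", "b", guard_true,           {"y"}, "l2"),   # b, y:=0
        ("l2", "c", lambda v: v["y"] > 2, set(), "l3"),   # y>2, c
        ("l3", "d", lambda v: v["x"] < 3, set(), "l0"),   # x<3, d
    ],
}

def accepts(A, timed_word):
    """Does A accept the timed word [(a0,t0),(a1,t1),...]? Follows the run
    q -t0-> -a0-> -(t1-t0)-> -a1-> ... for every nondeterministic choice at once,
    keeping a set of (location, clock values) states."""
    clocks = A["clocks"]
    states = {(A["initial"], tuple(0.0 for _ in clocks))}
    prev = 0.0
    for a, t in timed_word:
        if t < prev:
            raise ValueError("timestamps must be non-decreasing")
        d, prev = t - prev, t
        nxt = set()
        for loc, vals in states:
            v = {x: val + d for x, val in zip(clocks, vals)}         # elapse d time units
            for src, lab, g, resets, dst in A["edges"]:
                if src == loc and lab == a and g(v):                 # guard satisfied
                    nxt.add((dst, tuple(0.0 if x in resets else v[x] for x in clocks)))
        states = nxt
        if not states:
            return False                                             # no run continues
    return any(loc in A["final"] for loc, _ in states)

def untime(timed_word):
    """Untime: drop the timestamps."""
    return "".join(a for a, _ in timed_word)

def complement_dta(A, sink="sink"):
    """Complete a deterministic TA (every unmatched (location, label, valuation) goes to a
    non-accepting sink) and then swap final and non-final locations. Assumes A is
    deterministic; otherwise the result is not the complement."""
    labels = sorted({e[1] for e in A["edges"]})
    edges = list(A["edges"])
    for loc in A["locations"]:
        for a in labels:
            existing = tuple(e[2] for e in A["edges"] if e[0] == loc and e[1] == a)
            # the missing guard is the negation of the disjunction of the existing guards
            edges.append((loc, a, lambda v, gs=existing: not any(g(v) for g in gs), set(), sink))
    for a in labels:
        edges.append((sink, a, guard_true, set(), sink))             # the sink absorbs everything
    locations = A["locations"] + [sink]
    return {
        "locations": locations,
        "initial": A["initial"],
        "final": set(locations) - set(A["final"]),
        "clocks": A["clocks"],
        "edges": edges,
    }

# Constructed timed words
W_OK = [("a", 0.0), ("b", 0.5), ("c", 2.6), ("d", 2.9)]     # c 2.1 after b, d 2.9 after a
W_LATE = [("a", 0.0), ("b", 0.5), ("c", 2.6), ("d", 3.2)]   # d more than 3 after a
CO_ABCD = complement_dta(ABCD)
```

accepts(ABCD, W_OK) is True and accepts(CO_ABCD, W_OK) is False, while W_LATE is rejected by ABCD and accepted by its complement; the empty word and the prefix ab behave the same way, and untime(W_OK) is "abcd". The construction relies on determinism: with overlapping guards a word could have both an accepting run and a run into the sink, and swapping final locations would no longer yield the complement.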

SLIDE 45

Properties of DTA Languages

• Closed under union, intersection, complement, but not projection
• Emptiness, universality, inclusion, equivalence all decidable in PSPACE
• Strictly less expressive than nondeterministic
  - There exist i and j s.t. tj = ti + 1
• Open problem: given a timed automaton A, is L(A) a DTA-language? (see Tripakis00)

SLIDE 46

Two-way Deterministic Timed Automata

• Languages of deterministic timed automata are not closed under "reverse"
  - "A deterministically identified b is followed by a after 1 unit" is a DTA-language
  - "A deterministically identified b is preceded by a before 1 unit" is not a DTA-language
• More tricky example: every a is followed by some b within a delay of [1,2] (see AFH96)

[Figure: timelines with the extracted labels b, 1, a and a, 1.]

Alur, Henzinger, 92

SLIDE 47

Properties of two-way automata

• Bounded-reversal two-way timed automata: a k-bounded automaton visits any symbol at most k times
• Every k-bounded automaton can be simulated by a forward non-deterministic one
• DTAk: languages of k-bounded deterministic timed automata
• DTAk is closed under union, intersection, complementation, and has decidable inclusion/equivalence problems
• DTAk forms a strict hierarchy with increasing k

SLIDE 48

Robust Timed Automata

• Intuition: rule out the ability to relate events "accurately" by forcing fuzziness in the semantics
• Accept/reject a word only if a dense subset around it is accepted/rejected
• For two timed words w and w' with the same untimed word, d(w,w') = max_i |ti - t'i|
• Use this metric to define open/closed sets
• The robust language of A is the interior of the smallest closed set containing L(A)

GHJ 97

SLIDE 49

Robust acceptance

[Figure: the automaton of slide 40 again, with edge labels a, x:=0; a, b; and a, b, ~(x=1).]

• The robust language of this automaton is all timed words
• Isolated words cannot be accepted/rejected
• Open timed automata: timed automata where all guards are strict (x<c, x>c)
• Given a timed automaton A, one can construct an open timed automaton B with the same robust language, which is empty iff L(B) is empty
• Emptiness of the robust language is decidable

SLIDE 50

Robust timed automata

• Robustness unfortunately does not solve non-complementability and undecidability of inclusion [HR00]
• L contains timed words w s.t. the untimed word is in a*b*, and there exist consecutive a symbols at times t and t' with no b in [t+1, t'+1]
• L is a robust timed language, but its complement is not
• Universality of robust timed automata is undecidable

SLIDE 51

Back to Language Inclusion

• Given timed automata A and B, checking if L(A) is contained in L(B) is decidable if
  - B has only 1 clock, or
  - All constraints in B use the constant 0
• B cannot be determinized, and one has to consider potentially unbounded copies of the clock of B, but termination uses a well-founded ordering on the configurations
• Any relaxation on the resources of B leads to undecidability

Ouaknine LICS'04

SLIDE 52

Resource-bounded Inclusion

• Critical resources of a timed automaton
  - Granularity 1/m (all constants are multiples of this granularity)
  - Number of clocks k
• An observer C distinguishes automata A and B if L(A) & L(C) is non-empty but L(B) & L(C) is empty
• Resource-bounded inclusion: given A, B, and a resource bound (k, 1/m), check if there is an observer C with k clocks and granularity 1/m that distinguishes A and B
• Resource-bounded inclusion is decidable

SLIDE 53

Topics Not Covered

• Timed ω-languages
• Linear/branching-time real-time logics
• Connections to monadic logics, regular expressions, circuits
• Timed branching-time equivalences
• Efficient implementations, tools, applications
• Adding probabilities
• Concurrency: process algebras, Petri nets
• Timed automata + parameters
• Games and controller synthesis

SLIDE 54

Open Problems

• There is no "final" answer to "what is the right class of timed languages"
  - Perturbation by adding drifts to clocks?
• Are there subclasses of timed automata for which reachability is less than PSPACE?
  - Automata with "small" strongly-connected components
• Games on weighted timed graphs
  - See a recent paper ABM04 [ICALP]