http://www.lsv.ens-cachan.fr/Publis/ In Proc. 20th Int. Symp. Math. Found. Comp. Sci. (MFCS'95), Prague, Czech Republic, Aug.-Sep. 1995, volume 969 of Lecture Notes in Computer Science, pages 529-539. Springer-Verlag, 1995.
From Timed Automata to Logic - and Back
Francois Laroussinie (1), Kim G. Larsen (1), Carsten Weise (2)
(1) BRICS (Basic Research in Computer Science, Centre of the Danish National Research Foundation), Aalborg Univ., Denmark
(2) Aachen Univ., Germany
Abstract. In this paper, we define a timed logic L_ν which is sufficiently expressive that for any timed automaton we may construct a single characteristic L_ν formula uniquely characterizing the automaton up to timed bisimilarity. Also, we prove decidability of the satisfiability problem for L_ν with respect to given bounds on the number of clocks and constants of the timed automata to be constructed.
1 Introduction

One of the most successful techniques for automatic verification is that of model-checking; i.e. a property is given as a formula of a propositional temporal logic and automatically compared with an automaton representing the actual behaviour of the system. Extremely efficient model-checking algorithms have been obtained for finite automata with respect to the branching-time temporal logics CTL [7, 22, 8] and the modal μ-calculus [17, 4, 10, 9, 3, 24].

In the last few years, model-checking has been extended to real-time systems, with time considered to be a dense linear order. A timed extension of finite automata through addition of a finite set of real-valued clocks has been put forward [2], and the corresponding model-checking problem has been proven decidable for a number of timed logics including timed extensions of CTL (TCTL) [1] and a timed μ-calculus (Tμ) [13].

In this paper we continue this transfer of existing techniques from the setting of finite (untimed) automata to that of timed automata. In particular a timed logic L_ν is put forward, which is sufficiently expressive that for any timed automaton we may (effectively) construct a single characteristic L_ν formula uniquely characterizing the automaton up to timed bisimilarity. The construction is a timed extension of those in [5, 12, 16], and reduces timed bisimilarity between automata to a model-checking problem, which, when combined with the model-checking algorithm for L_ν, yields an alternative algorithm for timed bisimulation compared with [6]. In addition, characteristic formula constructions may be given for other behavioural preorders [19, 11], immediately yielding decision procedures for these relationships as well. Secondly, we prove decidability of

This work has been supported by the European Communities under CONCUR2, BRA 7166.
BRICS: Basic Research in Computer Science, Centre of the Danish National Research Foundation.
Fig. 2. R^k_C with C = {x, y} and k = 1. [Figure not reproduced: the region graph over the clocks x and y.]
where v1⊕u1 and v2⊕u2 are in the same region, satisfy the same L_ν formulas. In fact the regions are defined as equivalence classes of a relation ≐ over time assignments [13]. Formally, given a set of clocks C and an integer k, we say u ≐ v if and only if u and v satisfy the same conditions of B_k(C). [u] denotes the region which contains the time assignment u. R^k_C denotes the set of all regions for a set C of clocks and the maximal constant k. From a decision point of view it is important to note that R^k_C is finite. For a region γ ∈ R^k_C, we can define b(γ) as the truth value of b(u) for any u in γ. Conversely, given a region γ, we can easily build a formula of B(C), called ψ(γ), such that ψ(γ)(u) = tt iff u ∈ γ. Thus, given a region γ', ψ(γ)(γ') is mapped to tt precisely when γ = γ'. Finally, note that ψ(γ) itself can be viewed as an L_ν formula. Given a region [u] in R^k_C and C' ⊆ C we define the following reset operator: [C' → 0][u] = [[C' → 0]u]. Moreover, given a region γ, we can define the successor region of γ (denoted by succ(γ)): informally the change from γ to succ(γ) corresponds to the minimal elapse of time which can modify the enabled actions of the current state (a formal definition is given in [18]). We denote by γ^l the l-th successor region of γ (i.e. γ^l = succ^l(γ)). From each region γ, it is possible to reach a region γ' s.t. succ(γ') = γ', and we denote by l_γ the required number of steps s.t. γ^{l_γ} = succ(γ^{l_γ}).
Example 3. Figure 2 gives an overview of the set of regions defined by two clocks x and y and the maximal constant 1. In this case there are 32 different regions. In general successor regions are determined by following 45° lines upwards to the right.
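The region construction above, carried out in code as an added example (this is not code from the paper): a time assignment is a map from clocks to non-negative rationals, a region is identified with the tuple of truth values of all atomic conditions of B_k(C), which is assumed here to consist of the conditions x ~ c and x - y ~ d with constants bounded by k, and succ is computed by letting the minimal amount of time elapse that changes that tuple, as the text describes informally. All function and variable names are the example's own.

```python
import math
from fractions import Fraction

# Added example, not code from the paper.  Time assignments are dicts
# clock -> Fraction (non-negative).  B_k(C) is taken (assumption) to consist
# of the atomic conditions  x ~ c  (0 <= c <= k)  and  x - y ~ d  (-k <= d <= k)
# with ~ in {<, =}; every other comparison is a boolean combination of these.

def assignment(**clocks):
    """Build an exact time assignment, e.g. assignment(x="0.5", y="1.5")."""
    return {x: Fraction(v) for x, v in clocks.items()}

def atoms(C, k):
    """The atomic conditions of B_k(C) as (op, x, y, const); y is None for x ~ c."""
    clocks = sorted(C)
    conds = [(op, x, None, c) for x in clocks for c in range(k + 1) for op in ("lt", "eq")]
    conds += [(op, x, y, d) for x in clocks for y in clocks if x < y
              for d in range(-k, k + 1) for op in ("lt", "eq")]
    return conds

def region(u, C, k):
    """[u]: the tuple of truth values of all conditions of B_k(C) at u.
    Two assignments lie in the same region iff these tuples coincide."""
    sig = []
    for op, x, y, c in atoms(C, k):
        lhs = u[x] - (u[y] if y is not None else 0)
        sig.append(lhs < c if op == "lt" else lhs == c)
    return tuple(sig)

def same_region(u, v, C, k):
    return region(u, C, k) == region(v, C, k)

def reset(u, clocks):
    """The reset operator [clocks -> 0]u."""
    return {x: (Fraction(0) if x in clocks else t) for x, t in u.items()}

def succ(u, C, k):
    """A representative of succ([u]).  Clocks above k can no longer change any
    condition and are ignored.  If some remaining clock sits on an integer,
    every positive delay already changes the region (x = c turns into x > c),
    so we take half the smallest distance to the next integer; otherwise the
    region first changes when the closest clock reaches its next integer.
    If no clock is left, the region is its own successor."""
    relevant = [u[x] for x in C if u[x] <= k]
    if not relevant:
        return dict(u)
    to_next_int = [math.ceil(t) - t for t in relevant if t.denominator != 1]
    if len(to_next_int) < len(relevant):          # some clock is on an integer
        d = (min(to_next_int) if to_next_int else Fraction(1)) / 2
    else:
        d = min(to_next_int)
    return {x: t + d for x, t in u.items()}

def successor_chain(u, C, k):
    """Representatives of [u], succ([u]), succ^2([u]), ... up to and including
    the first region that is its own successor; len(chain) - 1 is l_gamma."""
    chain = [u]
    while True:
        nxt = succ(chain[-1], C, k)
        if same_region(nxt, chain[-1], C, k):
            return chain
        chain.append(nxt)
```

For C = {x, y} and k = 1 the chain from the zero assignment visits x = y = 0, then 0 < x = y < 1, then x = y = 1, then x, y > 1, which is its own successor, so l_γ for the initial region is 3; resetting x there and delaying again lands in the region 0 < x < 1, y > 1, x - y < -1, which is the 45° movement of Figure 2 expressed on representatives.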
Given a timed automaton A = ⟨A, N, ℓ0, C, E⟩, let k_A be the maximal constant occurring in the enabling conditions of the edges E. Then for any k ≥ k_A we can define a symbolic semantics of A over symbolic states [ℓ, γ]_A, where ℓ ∈ N and γ ∈ R^k_C, as follows: for any [ℓ, γ]_A we have

  [ℓ, γ]_A --a--> [ℓ', γ']_A   iff   ∃ u ∈ γ. ⟨ℓ, u⟩_A --a--> ⟨ℓ', u'⟩_A and u' ∈ γ'.

Consider now L_ν with respect to formula clock set K and maximal constant k_L. Also consider a given timed automaton A = ⟨A, N, ℓ0, C, E⟩ (s.t. K and C are disjoint). Then an extended symbolic state is a pair [ℓ, γ]_A where ℓ ∈ N and γ ∈ R^k_{C+} with C+ = C ∪ K and k = max(k_A, k_L). We can define the symbolic semantics for L_ν, i.e. the truth value of L_ν formulas over the extended symbolic states. Due to space limitation we only give the two main implications defining the symbolic satisfiability relation ⊢ (5):

  [ℓ, γ]_A ⊢ ∃φ    ⇒  ∃ l ∈ ℕ. [ℓ, succ^l(γ)]_A ⊢ φ
  [ℓ, γ]_A ⊢ ⟨a⟩φ  ⇒  ∃ [ℓ', γ']_A s.t. [ℓ, γ|_C]_A --a--> [ℓ', γ'|_C]_A, γ'|_K = γ|_K and [ℓ', γ']_A ⊢ φ

We have the following important result: let φ be a formula of L_ν, and let ⟨ℓ, v⊕u⟩_A be an extended state over some timed automaton A; then we have (6):

  ⟨ℓ, v⊕u⟩_A ⊨_D φ   if and only if   [ℓ, [v⊕u]]_A ⊢_D φ

It follows that the model checking problem for L_ν is decidable since, given φ ∈ L_ν, it suffices to check the truth value of φ with respect to a finite transition system corresponding to the extended symbolic semantics of A.

Fig. 3. Characteristic formula for finite automata. For a node A with transitions A --a_1--> A_1, ..., A --a_n--> A_n:

  Φ(A) = ⋀_{i=1..n} ⟨a_i⟩Φ(A_i) ∧ ⋀_a [a] ⋁_{i : a_i = a} Φ(A_i)
5 Characteristic Properties
First let us recall the characteristic formula construction for finite automata [16, 12, 5] (see Figure 3). The construction defines the characteristic formula Φ(A) of a node A in terms of similar characteristic formulas of the derivatives A_1 ... A_n of A: whenever A has an a_i-transition to A_i this is reflected in Φ(A) by addition of a conjunct ⟨a_i⟩Φ(A_i). To characterize A up to strong bisimilarity Φ(A) contains in addition a conjunct [a]Ψ_a for each action a, where Ψ_a is a disjunction over all a-transitions out of A. In general the definitions of characteristic formulas Φ(A) constitute a simultaneous recursive definition (as the automaton may have cycles), and to obtain the desired characterization the solution sought is the maximum one.

For timed automata the characteristic formula construction must necessarily take account of the time assignment in addition to the actual node. Thus, for a timed automaton A = ⟨A, N, ℓ0, C, E⟩, we shall define characteristic formulas of the form Φ(ℓ, γ), where ℓ is a node of A and γ is a region over the clocks of A. The construction of Φ(ℓ, γ) follows closely the pattern from the finite automata case. However, we first need to be able to determine the (a-) edges out of ℓ which are enabled in the region γ. Given an edge e = ⟨ℓ, ℓ', a, r, b⟩ in E, ℓ_e (resp. ℓ'_e, a_e, r_e, b_e) denotes ℓ (resp. ℓ', a, r, b). Given ℓ ∈ N and γ ∈ R^{k_A}_C, we define E(ℓ, γ) = {e | ℓ_e = ℓ and b_e(γ) = tt} and E(ℓ, γ, a) = {e ∈ E(ℓ, γ) | a_e = a}. Thus, E(ℓ, γ) (resp. E(ℓ, γ, a)) is the set of all enabled transitions (resp. a-transitions) from [ℓ, γ]_A. We may now present the characteristic formula construction for timed automata:

Definition 4. Let A be a timed automaton ⟨A, N, ℓ0, C, E⟩. For any region γ in R^{k_A}_C and node ℓ in N, we introduce an identifier Φ(ℓ, γ) (the characteristic formula) associated with the symbolic state [ℓ, γ]_A. The definition (declaration) for Φ(ℓ, γ) is:

  Φ(ℓ, γ) def=  ⋀_{e ∈ E(ℓ,γ)} ⟨a_e⟩ r_e in Φ(ℓ'_e, r_e(γ))
             ∧  ⋀_a [a] ⋁_{e ∈ E(ℓ,γ,a)} r_e in Φ(ℓ'_e, r_e(γ))
             ∧  ∀ ⋀_{l=0..l_γ} ( ψ(γ^l) ⇒ Φ(ℓ, γ^l) )

We denote by Id_A the set of identifiers Φ(ℓ, γ) and by D_A the corresponding declaration. Note that the declaration for Φ(ℓ, γ) is not quite an L_ν formula due to the presence of implication. However, it is easy to transform it into an equivalent L_ν formula because the negation of ψ(γ) can be expressed in L_ν. Moreover (r in φ) is an abbreviation for (c_1 in (c_2 in ... (c_n in φ))) whenever r is {c_1, ..., c_n}. Finally r(γ) denotes [r → 0]γ. Note that D_A uses no more than |C| formula clocks.

The declaration for Φ(ℓ, γ) contains three groups of conjuncts, the first two of which are closely related to the characteristic formula construction for finite automata. The first group contains a ⟨a_e⟩-formula for any edge e which is enabled at ℓ in the region γ. Following this edge clearly takes the automaton to the extended state [ℓ'_e, r_e(γ)]. The second group of conjuncts contains for each action a a formula of the type [a]Ψ_a, where Ψ_a is a disjunction over all a-labelled edges being enabled at ℓ in the region γ. Whereas the first two groups exhaustively characterize the action behaviour of the extended state [ℓ, γ], the third conjunct is a ∀-formula dealing with all delay transitions by requiring that any delay leading to a particular successor region γ^l should satisfy the corresponding characteristic formula.

(5) γ|_C (resp. γ|_K) denotes the set of time assignments in γ restricted to the automaton (resp. formula) clocks.
(6) v⊕u is the time assignment over C ∪ K such that (v⊕u)(x) = v(x) if x ∈ C and (v⊕u)(x) = u(x) if x ∈ K.
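The untimed construction of Figure 3 and the maximal-solution reading of the declaration, as an added example that is not from the paper: a finite automaton is a dict mapping every node to its list of (action, successor) edges, characteristic_declaration builds the body of Φ(A) for every node, and model_check evaluates the declaration over a second automaton by assuming every identifier holds in every state and withdrawing assumptions that the bodies refute, which is the greatest fixpoint the text asks for. Bisimilarity of two states then reduces to one model-checking question, exactly the reduction the section describes for the timed case. The names and the sample automata are the example's own.

```python
from itertools import chain

# Added example, not the paper's code.  An automaton is a dict
# node -> [(action, successor), ...]; every node, including deadlocked
# ones, must appear as a key.  Formulas are nested tuples:
#   ("id", X)            the identifier Phi(X)
#   ("dia", a, f)        <a> f
#   ("box", a, f)        [a] f
#   ("and", [f, ...])    conjunction (the empty conjunction is tt)
#   ("or", [f, ...])     disjunction (the empty disjunction is ff)

def characteristic_declaration(automaton, alphabet):
    """Fig. 3:  Phi(A) = AND_i <a_i> Phi(A_i)  AND  AND_a [a] OR_{i : a_i = a} Phi(A_i).
    Returns the declaration {A: body of Phi(A)}.  For an action with no
    outgoing edge the box conjunct degenerates to [a] ff; that is what pins
    A down up to bisimilarity rather than merely up to simulation."""
    decl = {}
    for node, edges in automaton.items():
        diamonds = [("dia", a, ("id", nxt)) for a, nxt in edges]
        boxes = [("box", a, ("or", [("id", nxt) for b, nxt in edges if b == a]))
                 for a in sorted(alphabet)]
        decl[node] = ("and", diamonds + boxes)
    return decl

def holds(formula, state, automaton, sat):
    """Truth of a formula at a state, reading identifiers from the table sat."""
    kind = formula[0]
    if kind == "id":
        return sat[(formula[1], state)]
    if kind == "and":
        return all(holds(f, state, automaton, sat) for f in formula[1])
    if kind == "or":
        return any(holds(f, state, automaton, sat) for f in formula[1])
    succs = [q for a, q in automaton[state] if a == formula[1]]
    if kind == "dia":
        return any(holds(formula[2], q, automaton, sat) for q in succs)
    if kind == "box":
        return all(holds(formula[2], q, automaton, sat) for q in succs)
    raise ValueError(f"unknown formula kind {kind!r}")

def model_check(decl, automaton):
    """Maximal solution of the declaration over the states of automaton:
    every (identifier, state) pair starts out true and is withdrawn once its
    body fails.  Withdrawals only ever remove pairs, so the loop terminates
    with the greatest fixpoint."""
    sat = {(x, q): True for x in decl for q in automaton}
    changed = True
    while changed:
        changed = False
        for (x, q), value in list(sat.items()):
            if value and not holds(decl[x], q, automaton, sat):
                sat[(x, q)] = False
                changed = True
    return sat

def bisimilar(aut_a, a0, aut_b, b0):
    """Strong bisimilarity of a0 (in aut_a) and b0 (in aut_b), decided by
    checking b0 against the characteristic formula Phi(a0)."""
    alphabet = {a for edges in chain(aut_a.values(), aut_b.values()) for a, _ in edges}
    sat = model_check(characteristic_declaration(aut_a, alphabet), aut_b)
    return sat[(a0, b0)]

# Constructed inputs: a.(b + c) versus a.b + a.c, the standard pair that
# trace equivalence identifies and bisimilarity separates.
A_BRANCH_LATE = {"p0": [("a", "p1")], "p1": [("b", "p2"), ("c", "p3")], "p2": [], "p3": []}
A_BRANCH_EARLY = {"q0": [("a", "q1"), ("a", "q3")], "q1": [("b", "q2")], "q2": [],
                  "q3": [("c", "q4")], "q4": []}

if __name__ == "__main__":
    print(bisimilar(A_BRANCH_LATE, "p0", A_BRANCH_EARLY, "q0"))   # False
```

The check fails on the sample pair because Φ(p1) demands both ⟨b⟩ and ⟨c⟩ at every a-successor of q0, and each of q1, q3 offers only one of them; cyclic automata are handled by the same loop, since identifiers start out true and are only withdrawn when refuted.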
Example 4. Reconsider the timed automaton A described in Example 1 and the corresponding regions from Example 3. Below we give the declaration of some of the characteristic formulas. We define φ_nil def= ⋀_a [a]ff and we denote ψ(γ_i) by ψ_i. We have:

  Φ(ℓ0, γ0) def= φ_nil ∧ ∀[ (ψ0 ⇒ Φ(ℓ0, γ0)) ∧ (ψ6 ⇒ Φ(ℓ0, γ6)) ∧ (ψ14 ⇒ Φ(ℓ0, γ14)) ∧ (ψ24 ⇒ Φ(ℓ0, γ24)) ]

  Φ(ℓ0, γ6) def= ⟨a⟩ x in Φ(ℓ1, γ1) ∧ [a] x in Φ(ℓ1, γ1) ∧ [b]ff ∧ [c]ff
               ∧ ∀[ (ψ6 ⇒ Φ(ℓ0, γ6)) ∧ (ψ14 ⇒ Φ(ℓ0, γ14)) ∧ (ψ24 ⇒ Φ(ℓ0, γ24)) ]
We have the following Main Theorem, the proof of which is given in [18].

Theorem 5. Let A = ⟨A, N, ℓ0, C, E⟩ and B = ⟨A, M, m0, K, F⟩ be two timed automata. Then for any m ∈ M, ℓ ∈ N, v ∈ R^K_+ and u ∈ R^C_+:

  ⟨m, v⟩_B ∼ ⟨ℓ, u⟩_A   iff   ⟨m, v⊕u⟩_B ⊨_{D_A} Φ(ℓ, [u])

where D_A corresponds to the previous definition of Φ(ℓ, γ) for each ℓ ∈ N and γ ∈ R^{k_A}_C.

As model-checking of L_ν is decidable, we may use the above characteristic formula construction to decide timed bisimilarity between timed automata: to decide if two timed automata are timed bisimilar, simply compare one automaton to the characteristic formula of the other.
6 Model Construction

In this section we address the satisfiability problem for L_ν. That is, we want to decide whether there exists a timed automaton A satisfying a given L_ν formula φ. The hardness of this problem is illustrated by the following 1-clock formula:

  ψ_l def= ⋀_{i=1..l} ∃_{]0,1[} ( ⟨a_i⟩tt ∧ ⋀_{j≠i} [a_j]ff )

where l ∈ ℕ. Indeed ψ_l is satisfiable by some p-clock automaton if and only if l ≤ 2p + 1. As a consequence of this remark (see [18]) we cannot deduce the number of clocks in the automaton from the number of clocks in φ. In fact, similar to the results for TCTL and Tμ, we conjecture that the satisfiability problem for L_ν is undecidable. Instead, we address the following more restricted bounded satisfiability problem in which bounds have been placed on both the number of automaton clocks and the size of the constants these clocks are compared to: given a formula φ (over a declaration D), a set of clocks C and an integer M, we want to decide (and synthesize) whether there exists a (C, M)-automaton A s.t. A ⊨_D φ. We have the following main result:
Theorem 6. The bounded satisfiability problem for L_ν is decidable.

The remainder of this section is devoted to the proof of this theorem and to an example of bounded satisfiability checking. The decision procedure is closely related to the canonical model construction for modal logic [15]. Let φ be a given L_ν formula with k_φ as maximal constant. Let K be the set of formula clocks occurring in φ. Given a set of clocks C (with C ∩ K = ∅) and an integer M, we want to decide if there exists a (C, M)-automaton satisfying φ. Let C+ = C ∪ K. Let L_φ be the set of all subformulae of φ. Obviously L_φ is finite. A problem Π is a subset of R^k_{C+} × L_φ where k = max(M, k_φ). A problem Π is said to be satisfiable if there exists a (C, M)-automaton A and a node ℓ of A such that for any (γ, ψ) ∈ Π we have [ℓ, γ]_A ⊨_D ψ. We call A a solution to Π. A problem Π is said to be maximal if it satisfies the classical closure conditions for the boolean operators and the following ones:

  (γ, ∃ψ) ∈ Π      ⇒  ∃ l. (γ^l, ψ) ∈ Π
  (γ, ∀ψ) ∈ Π      ⇒  ∀ l. (γ^l, ψ) ∈ Π
  (γ, x in ψ) ∈ Π  ⇒  ([{x} → 0]γ, ψ) ∈ Π

We have the two following remarks, the proofs of which are trivial: (1) if Π' ⊆ Π and Π is satisfiable then Π' is also satisfiable, and (2) if Π is satisfiable then there exists a maximal problem containing Π and being satisfiable. Thus it suffices to consider satisfiability of maximal problems. Given a problem Π, a region γ and an action a we define the problem Π^a_{γ,r} as the set {(r(γ), ψ) | (γ, [a]ψ) ∈ Π}. Now we introduce a new notion about problems. Let 𝒞 be a set of maximal problems. Then 𝒞 is a consistency relation if whenever Π ∈ 𝒞 then:

  1. (γ, x + m ⋈ y + n) ∈ Π  ⇒  γ(x) + m ⋈ γ(y) + n
  2. ∀ γ. (γ, ff) ∉ Π
  3. (γ, ⟨a⟩ψ) ∈ Π  ⇒  ∃ r ⊆ C, b ∈ B_M(C) and Π' ∈ 𝒞 s.t.
        b(γ) = tt  ∧  ({(r(γ), ψ)} ∪ Π^a_{γ,r} ⊆ Π')  ∧  (∀ γ'. b(γ') = tt ⇒ Π^a_{γ',r} ⊆ Π')
We say that a maximal problem Π is consistent if it belongs to some consistency relation. We have the following key lemma:

Lemma 7. Let Π be a maximal problem. Then Π is consistent if and only if Π is satisfiable.

Proof. (⇒) Let 𝒞 be a consistency relation (containing Π). Now construct the canonical automaton A_𝒞 = ⟨A, N, ℓ0, C, E⟩ s.t.: N = {Π | Π ∈ 𝒞}, ℓ0 is some Π ∈ N, and ⟨Π, Π', a, r, b⟩ ∈ E iff whenever (γ, [a]ψ) ∈ Π and b(γ) = tt then (r(γ), ψ) ∈ Π'. Now it can be shown that A_𝒞 solves all problems of 𝒞. In particular, whenever (γ, ψ) ∈ Π for some Π ∈ 𝒞, then [Π, γ]_{A_𝒞} ⊨_D ψ. Finally we have:
Lemma 8. It is decidable whether a maximal problem is consistent.

Proof. Let S_m be the set of maximal problems over R^k_{C+} × L_φ. Clearly S_m is finite (since L_φ and R^k_{C+} are too). Thus the set of relations 𝒞 over maximal problems is finite. Now given a relation 𝒞 it is easy to check whether 𝒞 is a consistency relation, since the choices for possible reset sets r over C and the set B_M(C) are both finite.

Thus given a formula φ and bounds C and M, we can consider the (finitely many) maximal problems over C and M containing (γ0, φ). It follows that φ is (C, M)-satisfiable precisely if one of these maximal problems is consistent, which is decidable due to Lemma 8. Note that the proof of Lemma 7 is constructive: given a consistency relation it gives a (C, M)-timed automaton satisfying φ.

Example 5. Consider the formula φ in Example 2: we can use the model construction algorithm presented above to show that no (1, 1)-automaton satisfies φ.

Thus the formula in the above example is satisfiable by a 2-clock automaton but by no (1, 1)-automaton. Using the easily established fact that timed bisimilar automata satisfy the same L_ν formulas, it follows that the automaton of Example 2 is inequivalent to all (1, 1)-automata with respect to timed bisimilarity. Now combining the above bounded model-construction algorithm with the characteristic property construction of the previous section we obtain an algorithm for deciding whether a timed automaton can be simplified in either its number of clocks or the size of the constants these clocks are compared to: given a timed automaton A, a clock set C and a natural number M, it is decidable whether there exists a (C, M)-automaton being timed bisimilar to A.
Conclusion

This paper has presented two main results relating timed automata and the real-timed logic L_ν: a characteristic formula construction, and a bounded model construction algorithm. The results presented may be pursued and improved in a number of directions. The notion of a characteristic formula construction may be applied to other behavioural preorders; in related work, we have already shown that characteristic formula constructions also exist for the "faster-than" relation in [11] and the time-abstracted equivalence in [19]. The results of this paper only settle decidability of a bounded satisfiability problem for L_ν. However, it follows from this result that the unconstrained satisfiability problem is at least r.e. Decidability of the satisfiability problem with only bounds on the number of clocks remains an open problem. Finally, future work includes study of the decidability of the satisfiability problems for extensions of L_ν.
References

1. R. Alur, C. Courcoubetis, and D. Dill. Model-checking for Real-Time Systems. In Proceedings of Logic in Computer Science, pages 414-425. IEEE Computer Society Press, 1990.
2. R. Alur and D. Dill. Automata for Modelling Real-Time Systems. Theoretical Computer Science, 126(2):183-236, April 1994.
3. H.R. Andersen. Model checking and boolean graphs. In Proceedings of ESOP'92, volume 582 of Lecture Notes in Computer Science. Springer Verlag, Berlin, 1992.
4. A. Arnold and P. Crubille. A linear algorithm to solve fixed-point equations on transition systems. Information Processing Letters, 29, 1988.
5. M. C. Browne, E. M. Clarke, and O. Grumberg. Characterizing finite Kripke structures in propositional temporal logic. Theoretical Computer Science, 59:115-131, 1988.
6. Karlis Cerans. Decidability of bisimulation equivalences for parallel timer processes. In Proc. of CAV'92, volume 663 of Lecture Notes in Computer Science. Springer Verlag, Berlin, 1992.
7. E. M. Clarke and E. A. Emerson. Design and synthesis of synchronization skeletons using Branching Time Temporal Logic. In Proc. Workshop on Logics of Programs, volume 131 of Lecture Notes in Computer Science, pages 52-71. Springer Verlag, Berlin, 1981.
8. E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite state concurrent systems using temporal logic. ACM Trans. on Programming Languages and Systems, 8(2):244-263, 1986.
9. R. Cleaveland and B. Steffen. Computing behavioural relations, logically. In Proceedings of 18th International Colloquium on Automata, Languages and Programming, volume 510 of Lecture Notes in Computer Science. Springer Verlag, Berlin, 1991.
10. E.A. Emerson and C.L. Lei. Efficient model checking in fragments of the propositional mu-calculus. In Proceedings of Logic in Computer Science, pages 267-278. IEEE Computer Society Press, 1986.
11. F. Moller and C. Tofts. Relating Processes with Respect to Speed. Technical Report ECS-LFCS-91-143, Department of Computer Science, University of Edinburgh, 1991.
12. S. Graf and J. Sifakis. A Modal Characterization of Observational Congruence on Finite Terms of CCS. Information and Control, 68:125-145, 1986.
13. T. A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model checking for real-time systems. In Logic in Computer Science, 1992.
14. U. Holmer, K.G. Larsen, and W. Yi. Decidability of bisimulation equivalence between regular timed processes. In Proceedings of CAV'91, volume 575 of Lecture Notes in Computer Science. Springer Verlag, Berlin, 1992.
15. G.E. Hughes and M.J. Cresswell. An Introduction to Modal Logic. Methuen and Co., 1968.
16. A. Ingolfsdottir and B. Steffen. Characteristic formulae. Information and Computation, 110(1), 1994. To appear.
17. D. Kozen. Results on the propositional mu-calculus. In Proc. of International Colloquium on Algorithms, Languages and Programming 1982, volume 140 of Lecture Notes in Computer Science. Springer Verlag, Berlin, 1982.
18. F. Laroussinie, K. G. Larsen, and C. Weise. From Timed Automata to Logic - and Back. Technical Report RS-95-2, BRICS, 1995. Accessible through WWW: http://www.brics.aau.dk/BRICS.
19. K.G. Larsen and Y. Wang. Time Abstracted Bisimulation: Implicit Specifications and Decidability. In Proceedings of MFPS'93, 1993.
20. R. Milner. Communication and Concurrency. Prentice Hall, Englewood Cliffs, 1989.
21. D. Park. Concurrency and automata on infinite sequences. In Proceedings of 5th GI Conference, volume 104 of Lecture Notes in Computer Science. Springer Verlag, Berlin, 1981.
22. J. P. Queille and J. Sifakis. Specification and verification of concurrent programs in CESAR. In Proc. 5th Internat. Symp. on Programming, volume 137 of Lecture Notes in Computer Science, pages 195-220. Springer Verlag, Berlin, 1982.
23. A. Tarski. A lattice-theoretical fixpoint theorem and its applications. Pacific Journal of Math., 5, 1955.
24. Liu Xinxin. Specification and Decomposition in Concurrency. PhD thesis, Aalborg University, 1992. R 92-2005.