Integration Graphs: A Class of Decidable Hybrid Systems
Y. Kesten†, A. Pnueli†, J. Sifakis‡, S. Yovine‡
April 15, 1993

This research was supported in part by the France-Israel project for cooperation in Computer Science and by the European Community ESPRIT Basic Research Action Project 6021 (REACT).
† Department of Computer Science, The Weizmann Institute of Science, Rehovot 76100, Israel.
‡ Laboratoire de Génie Informatique, Institut IMAG, B.P. 53X, 38041 Grenoble cedex, France.

Abstract.
Integration Graphs are a computational model developed in the attempt to identify simple Hybrid Systems with decidable analysis problems. We start with the class of constant slope hybrid systems (cshs), in which the right hand side of all differential equations is an integer constant. We refer to continuous variables whose right hand side constants are always 1 as timers. All other continuous variables are called integrators. The first result shown in the paper is that simple questions such as reachability of a given state are undecidable even for this simple class of systems. To restrict the model even further, we impose the requirement that no test that refers to integrators may appear within a loop in the graph. This restricted class of cshs is called integration graphs. The main results of the paper are that the reachability problem of integration graphs is decidable for two special cases: the case of a single timer and the case of a single test involving integrators. The expressive power of the integration graphs formalism is demonstrated by showing that some typical problems studied within the context of the Calculus of Durations and Timed Statecharts can be formulated as reachability problems for restricted integration graphs, and a high fraction of these fall into the subclasses of a single timer or a single dangerous test.

Contents
1 Introduction 2
2 Constant Slope Hybrid Systems 3
2.1 Reachability is Undecidable for cshs's 8
3 Integration Graphs 9
3.1 Definition of Integration Graphs 9
3.2 Duration Properties of Finitary Timed Automata 11
3.3 Reduction of Reachability to Satisfiability 13
4 Duration Properties over Integer Computations 16
4.1 The Integer Computations of an fta 17
4.2 The Verification Algorithm 18
5 Real Computations: Single Timer 19
5.1 Characterization of Complete Trails 20
6 Real Computations: Disjunctive Durations 24
6.1 Digitization of fta Computations 24
6.2 Disjunctive Durations over Digitizable Computations 24
7 Discussion 26
1 Introduction

Hybrid systems are systems that consist of a mixture of discrete and continuous components. Typically, the continuous components may represent a physical environment which obeys continuous rules of change, while the discrete components may represent a digital controller that senses and manipulates the environment. Characteristic examples are a computer system controlling a robot, a manufacturing plant, or a transport system. Approaches to the specification, description, and analysis of hybrid systems were proposed in [MMP92], [NSY91], and [NOS+93]. An important question for the analysis and design of hybrid systems is the identification of subclasses of such systems, and corresponding restricted classes of analysis problems, that can be settled algorithmically. In view of the success of model checking of finite-state systems and similar algorithmic approaches to the analysis of reactive systems ([CES86], [BCM+90]) and timed systems ([Dil89], [ACD90]), it is only natural to search for similar decidable analysis problems for hybrid systems. This is the general aim of this paper. The main result of this search is the identification of integration graphs, a class of hybrid systems that seem to avoid the main obstacles to decidability. Within this class, we give algorithmic solutions to the reachability problem in three important cases: integer computations of an arbitrary integration graph, integration graphs with a single timer, and integration graphs with a single dangerous test along each computation.

Section 2 introduces the notion of constant slope hybrid systems (cshs), which are hybrid systems all of whose differential equations have the form $\dot x = c$ for some integer constant $c$. Another restriction is that all guard (enabling) conditions of transitions are boolean combinations of linear inequalities with integer coefficients. We give an example of a cshs representing the Gas Burner Problem [CHR92], and explain the need for restrictions on tests applied to integrators. In subsection 2.1 we prove that, without these restrictions, the reachability problem becomes undecidable. Section 3 introduces integration graphs, which are cshs's in which integrators (variables that have different slopes in different states) are not tested within loops. The section also introduces finitary timed automata (fta), which are a slightly restricted class of timed automata [Dil89], [ACD90], and duration formulas. It shows that the reachability problem for integration graphs can be reduced to checking whether a duration formula is satisfied by a computation of an fta. Section 4 shows how to solve the duration satisfiability problem for integer computations of an fta. The solution is based on constructing a set of equations that characterizes the length of time a computation spends in each automaton state. Section 5 considers satisfiability of a duration formula by real computations of an fta with a single timer. It provides an algorithm for solving this problem based on a similar set of characterizing equations. Section 6 considers satisfiability of a disjunctive duration formula by real computations of an unrestricted fta.
2 Constant Slope Hybrid Systems

In this section we introduce the class of constant slope hybrid systems. Many hybrid systems analyzed in the literature fall into this class. One of the advantages of this class is that the differential equations appearing in states can be trivially solved in closed form and yield solutions that are linear functions of time.

Let $P$ be a finite set of propositions. Let $\mathbb{N}$ denote the natural numbers, $\mathbb{R}^+$ the non-negative reals, and $\mathbb{Z}$ the integers. A constant slope hybrid system (cshs) consists of the following components:

$S$: A finite set of locations. In a graphical representation of the system, these are drawn as nodes of the graph.

$\pi$: A proposition labeling function $\pi: S \mapsto 2^P$, mapping each location $s \in S$ to the set of propositions that are true in $s$. For a location $s$ and a boolean formula $p$ over $P$, we write $s \models p$ to denote that $p$ evaluates to true over $\pi(s)$.

$V$: A finite set of (data) variables. These are the variables that change continuously within states and discretely via transitions.

$R$: A rate labeling function $R: S \times V \mapsto \mathbb{Z}$, identifying for each location $s \in S$ and each variable $x \in V$ an integer $c = R[s][x] \in \mathbb{Z}$ which specifies the (constant) rate at which $x$ changes continuously while being in location $s$. Thus, the differential equation for $x$ within $s$ is $\dot x = c$, where $c = R[s][x]$.

$s_I \in S$: An initial location.

$S_f \subseteq S$: A set of final locations.

$V_0$: Initial values. This is a tuple of values, representing the values of the variables $V$ at the beginning of a computation. By default, a variable that is not assigned an explicit initial value has 0 as an initial value.

$E$: A set of edges. Each edge $e \in E$ is associated with the following components:
A source location. This is the location from which the edge departs.
A target location. This is the location to which the edge connects.
An edge guard $\gamma$. This is the condition under which the edge may be traversed. An edge guard is a linear equality/inequality of the form
$$\sum_{i=1}^{n} a_i x_i \sim c,$$
where $a_i, c \in \mathbb{Z}$, $x_i \in V$, and $\sim$ is one of the comparison relations $\{<, \le, =, \ne, \ge, >\}$.
A multiple assignment of the form $(y_1, \ldots, y_m) := (c_1, \ldots, c_m)$, where $y_i \in V$ and $c_i \in \mathbb{Z}$. When edge $e$ is taken, the variables $y_1, \ldots, y_m$ are assigned the values $c_1, \ldots, c_m$. We often write $Y := C$ as a schematic representation of the multiple assignment associated with the edge.

In the graphical representation of a cshs, we represent edge $e$ by drawing an edge from the source location to the target location and label it by the edge label
$$\gamma \;/\; (y_1, \ldots, y_m) := (c_1, \ldots, c_m).$$
In the case that $Y$, the set of assigned variables, is empty, we use the simpler labeling $\gamma?$. It is required that no edge departs from a final location.

In Fig. 1 we present a cshs for the Cat and Mouse system [MMP92], representing the situation of a cat chasing a mouse, where the cat and the mouse run at constant velocities, $v_c$ and $v_m$ respectively, and the cat starts running $\Delta$ time units later than the mouse. Variables $x_c$ and $x_m$ measure the respective distances of the cat and the mouse from the wall. Variable $y$ is a timer, used to measure the delay in the start time of the cat. There are several differences between this presentation of the system and the one given in [MMP92]. A first difference is that [MMP92] uses Statechart notations to present control in a structured way. The Statechart presentation allocates concurrent superstates to the cat and the mouse. The cshs presentation given here allows only a flat, unstructured control graph. Consequently, we have an individual node for every pair of concurrent states in the Statechart representation.
Figure 1: Cat and Mouse System. [Figure: initially $x_c = x_m = X_0$, $y = 0$. Locations CwMr ($\dot y = 1$, $\dot x_m = -v_m$), CwMs ($\dot y = 1$), CrMr ($\dot x_c = -v_c$, $\dot x_m = -v_m$), CrMs ($\dot x_c = -v_c$), C-wins and M-wins. Edges: CwMr to CrMr and CwMs to CrMs on $y = \Delta?$; CwMr to CwMs and CrMr to CrMs on $x_m = 0?$; CrMr to C-wins on $x_c = x_m > 0?$; CrMs to M-wins on $x_c = 0?$.]

Another difference is that transitions in the hybrid systems model of [MMP92] are associated with lower and upper time-bounds, restricting the length of time the transition can be continuously enabled before it is taken. There is no such association in the cshs model. Consequently, to represent the delay of the cat before it starts running, we use an explicit timer $y$, initially preset to 0, and causing a transition as soon as it reaches the value $\Delta$. In that, we follow the model of timed automata [AD90].
Behaviors and Computations
A behavior of a cshs starts at the initial location $s_I$ with all variables initialized to their initial values. As time progresses, the values of all variables increase according to the rates associated with the current location. At any point in time, the system can change location through an edge connecting location $s$ to $s'$ and labeled by $\gamma / Y := C$, provided the current values of the variables satisfy the guard $\gamma$. With the change of location, all variables in $Y$ are assigned their respective right-hand sides $C$.

A valuation $\nu$ for $V$ assigns a real value to each variable in $V$. Let $R$ be a $V$-vector of rates (slopes), assigning to each $x \in V$ an integer value $R[x] \in \mathbb{Z}$, denoting the rate of growth of $x$. For a valuation $\nu$, a rate vector $R$, and $t \in \mathbb{R}^+$, $\nu + R \cdot t$ denotes a new valuation $\nu'$ such that, for every variable $x \in V$, $\nu'[x] = \nu[x] + R[x] \cdot t$. For $Y \subseteq V$, we denote by $\nu[Y \leftarrow C]$ the valuation which assigns $C[y]$ to every $y \in Y$, and agrees with $\nu$ over the rest of the variables.

A triple of the form $\langle s, \nu, t\rangle$, where $s$ is a location, $\nu$ is a valuation, and $t \in \mathbb{R}^+$, is called a situation. A computation segment of a cshs is a sequence of situations
$$\langle s_0, \nu_0, t_0\rangle, \langle s_1, \nu_1, t_1\rangle, \ldots, \langle s_n, \nu_n, t_n\rangle$$
satisfying:
[Consecution] For every $i$, $0 \le i < n$, there is an edge $e \in E$ connecting $s_i$ to $s_{i+1}$ and labeled with $\gamma / Y := C$ such that $\nu_i + R[s_i](t_{i+1} - t_i)$ satisfies $\gamma$ and $\nu_{i+1} = (\nu_i + R[s_i](t_{i+1} - t_i))[Y \leftarrow C]$.
[Time progress] For all $i$, $0 \le i < n$, $0 \le t_i \le t_{i+1}$.
A computation of a cshs is a computation segment satisfying:
[Initiation] $s_0 = s_I$ and $t_0 = 0$.
[Termination] $s_n \in S_f$.
A computation $\langle s_0, \nu_0, t_0\rangle, \ldots, \langle s_n, \nu_n, t_n\rangle$ is called an integer computation if, for every $i \ge 0$, $t_i \in \mathbb{Z}$ (in fact $t_i \in \mathbb{N}$).
Reachability Problems
In this paper, we are mainly interested in reachability problems for constant slope hybrid systems. A typical reachability problem is:

Problem 1 (Reachability) Given a final location $s \in S_f$, is there a computation terminating at location $s$?

A concrete example of a reachability problem is one that can be asked about the Cat and Mouse system of Fig. 1.

Problem 2 (Security for Mouse) Under the assumption
$$\frac{X_0}{v_m} < \Delta + \frac{X_0}{v_c},$$
show that there is no computation that reaches location C-wins.

As another reachability problem, we consider the Gas Burner system [CHR92]. Consider the cshs presented in Fig. 2. Locations $s_0$, $s_1$, and $s_2$ represent a Gas Burner system that has these three control states. There is a proposition Leak which is true only at location $s_1$, representing a situation in which the system is leaking. The verification problem posed in [CHR92] can be formulated as follows.

Figure 2: The gas burner as a hybrid system (h-gas). [Figure: initially $x = y = z = 0$. Locations $s_0$ (¬Leak; $\dot x = 1$, $\dot y = 0$, $\dot z = 1$), $s_1$ (Leak; $\dot x = 1$, $\dot y = 1$, $\dot z = 1$), $s_2$ (¬Leak; $\dot x = 1$, $\dot y = 0$, $\dot z = 1$), Check, Bad and Good. Edges: $s_0$ to $s_1$ with $x := 0$; $s_1$ to $s_2$ with $x \le 1 / x := 0$; $s_2$ to $s_1$ with $x \ge 30 / x := 0$; $s_2$ to Check with $z \ge 60?$; Check to Bad with $20y > z?$; Check to Good with $20y \le z?$.]

Assuming:
1. A continuous leaking period cannot extend beyond 1 time unit.
2. Two disjoint leaking periods are separated by a non-leaking period extending for at least 30 time units.
Prove:
Safety-Critical Requirement: In any interval longer than 60, the accumulated leaking time is at most 5% of the interval length.

The cshs of Fig. 2 employs three variables as follows: Variable $x$ measures the duration of time spent in each of the locations $s_0$, $s_1$, and $s_2$. It is reset to 0 on entry to each of these locations. Variable $y$ measures the accumulated leaking time. It grows linearly in location $s_1$, and stays constant in any of the other locations. Variable $z$ measures the total elapsed time. Obviously, system h-gas ensures assumptions 1 and 2. The only leaking location is $s_1$, and it is clear that no computation of the system can stay continuously in $s_1$ for more than 1 time unit and that, between two consecutive (but disjoint) visits to $s_1$, the system stays at the non-leaking location $s_2$ for at least 30 time units.

We can view locations $s_0$, $s_1$, and $s_2$ as the operational part of the representation. The other locations serve for testing the required property. The system can exit the operational part any time after an interval whose length is at least 60 time units has elapsed. On exit, the system performs a test at location Check. If $20y > z$, then the accumulated leaking time exceeds 5% of the overall period spent in the operational part. In that case, the system proceeds to location Bad, implying a violation of the safety-critical requirement. Otherwise it proceeds to Good, implying that the current run was not found to violate the requirement. For simplicity, we consider the safety-critical requirement only for initial intervals, i.e., intervals starting at $t = 0$. The extension of the method to arbitrary intervals is straightforward. Having the edge from $s_2$ to Check as the only exit from the operational part into the testing part of the system is not a real restriction. Since it is always possible to proceed from $s_0$ to $s_1$ and from $s_1$ to $s_2$ in zero time, we can actually apply the acceptance test $(60 \le z \wedge 20y \le z)$ to any computation segment reaching $s_0$ or $s_1$ as well as to segments reaching $s_2$. Obviously the safety-critical requirement is valid for this system if and only if location Bad is unreachable. This provides another example of an interesting reachability problem: namely, show that no computation of the system of Fig. 2 ever reaches location Bad.
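As an added example (not code from the paper), the computation semantics above applied to the gas burner h-gas of Fig. 2: a checker for the Consecution, Time progress, Initiation and Termination rules, run over constructed runs. The slopes at location Check are not drawn in the figure and are assumed to be 0 here.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Valuation = Dict[str, float]
Situation = Tuple[str, Valuation, float]          # <s, nu, t>

@dataclass
class Edge:
    src: str
    dst: str
    guard: Callable[[Valuation], bool]            # guard gamma, a linear (in)equality
    assign: Dict[str, float] = field(default_factory=dict)   # the assignment Y := C

@dataclass
class CSHS:
    rates: Dict[str, Dict[str, int]]              # R[s][x]: slope of x while in s
    edges: List[Edge]
    initial: str
    finals: Set[str]
    v0: Valuation                                 # initial values V0

def evolve(nu: Valuation, rates: Dict[str, int], dt: float) -> Valuation:
    """nu + R*dt: each variable grows linearly at its slope for dt time units."""
    return {x: nu[x] + rates.get(x, 0) * dt for x in nu}

def check_computation(system: CSHS, sits: List[Situation]) -> str:
    """Return 'ok' if sits is a computation of the cshs, otherwise the name of
    the first rule violated: initiation, time progress, consecution, termination."""
    s0, nu0, t0 = sits[0]
    if s0 != system.initial or t0 != 0 or nu0 != system.v0:
        return "initiation"
    for i, ((s, nu, t), (s1, nu1, t1)) in enumerate(zip(sits, sits[1:])):
        if not 0 <= t <= t1:
            return f"time progress at step {i}"
        nu_exit = evolve(nu, system.rates[s], t1 - t)   # values when the edge is taken
        if not any(e.src == s and e.dst == s1 and e.guard(nu_exit)
                   and {**nu_exit, **e.assign} == nu1    # nu_exit[Y <- C]
                   for e in system.edges):
            return f"consecution at step {i}"
    return "ok" if sits[-1][0] in system.finals else "termination"

# The gas burner h-gas of Fig. 2 (slopes at Check assumed 0; no time passes there).
GAS_BURNER = CSHS(
    rates={"s0": {"x": 1, "y": 0, "z": 1}, "s1": {"x": 1, "y": 1, "z": 1},
           "s2": {"x": 1, "y": 0, "z": 1}, "Check": {}},
    edges=[
        Edge("s0", "s1", lambda nu: True, {"x": 0}),
        Edge("s1", "s2", lambda nu: nu["x"] <= 1, {"x": 0}),      # a leak lasts <= 1
        Edge("s2", "s1", lambda nu: nu["x"] >= 30, {"x": 0}),     # >= 30 between leaks
        Edge("s2", "Check", lambda nu: nu["z"] >= 60),            # z >= 60?
        Edge("Check", "Bad", lambda nu: 20 * nu["y"] > nu["z"]),  # 20y > z?
        Edge("Check", "Good", lambda nu: 20 * nu["y"] <= nu["z"]),
    ],
    initial="s0", finals={"Bad", "Good"}, v0={"x": 0, "y": 0, "z": 0},
)

def v(x: float, y: float, z: float) -> Valuation:
    return {"x": x, "y": y, "z": z}

# Constructed runs.  GOOD_RUN leaks twice for one unit each, 30 units apart,
# and is checked at t = 62: accumulated leak 2 is at most 5% of 62.
GOOD_RUN = [("s0", v(0, 0, 0), 0), ("s1", v(0, 0, 0), 0), ("s2", v(0, 1, 1), 1),
            ("s1", v(0, 1, 31), 31), ("s2", v(0, 2, 32), 32),
            ("Check", v(30, 2, 62), 62), ("Good", v(30, 2, 62), 62)]
# EARLY_RELEAK returns to s1 after only 10 units in s2, so x = 10 < 30 on exit.
EARLY_RELEAK = [("s0", v(0, 0, 0), 0), ("s1", v(0, 0, 0), 0), ("s2", v(0, 1, 1), 1),
                ("s1", v(0, 1, 11), 11)]
# BAD_CLAIM carries the valuation of GOOD_RUN into Bad: 20*2 = 40 > 62 is false.
BAD_CLAIM = GOOD_RUN[:-1] + [("Bad", v(30, 2, 62), 62)]
```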
2.1 Reachability is Undecidable for cshs's
In this subsection we show that the reachability problem for cshs's is undecidable. The result is based on a reduction of an $n$-counter machine to a cshs. The system emulating the $n$-counter machine only uses guards of the form $u = c$ or $u \ne c$, where $c$ is an integer constant.
The Construction
An $n$-counter machine can be described as a linear labeled program allowing the following basic commands:
go to $\ell$,
if $x_i = 0$ then go to $\ell_i$ else go to $\ell_j$,
$x_i := x_i + 1$,
$x_i := x_i - 1$ (this operation is undefined if $x_i = 0$),
stop.
Let $P$ be a program for an $n$-counter machine with counters $x_1, \ldots, x_n$. Without loss of generality, assume that the first label of $P$ is $\ell_0$ and the last command (with label $\ell_t$) is a stop command. We construct a cshs $S_P$ which emulates $P$, i.e., terminates precisely when $P$ does. System $S_P$ uses variables $x_1, \ldots, x_n$ and an additional variable $y$.
We represent $S_P$ as a graph which has a location (node) for each label of program $P$. It may have additional locations. It is not difficult to see how the go-to and conditional go-to commands can be implemented by edges connecting the corresponding nodes, labeled by $x_i = 0$ and $x_i \ne 0$ in the case of the conditional transfer. The commands for incrementing and decrementing a counter $x_i$ can be implemented by the following two subgraphs:
[Subgraph for $x_i := x_i + 1$: an entry edge with assignment $y := 0$ into a location with rates $\dot y = 1$, $\dot x_i = 1$, left by an edge with guard $y = 1?$]
and
[Subgraph for $x_i := x_i - 1$: an entry edge with assignment $y := 0$ into a location with rates $\dot y = 1$, $\dot x_i = -1$, left by an edge with guard $y = 1?$]
We claim that program $P$ reaches the stop command at $\ell_t$ iff location $\ell_t$ is reachable in the cshs $S_P$.
Conclusion
Since the halting problem for an $n$-counter machine is undecidable for $n \ge 2$, we conclude that the reachability problem is undecidable for cshs's of the form considered here. In fact, since our construction uses an additional variable $y$, it is undecidable for systems having at least 3 variables. Note that reachability is undecidable even if we restrict ourselves to integer computations.
3 Integration Graphs

Having realized that reachability is undecidable for cshs's, we attempt to narrow the class of considered systems in the hope that reachability will be decidable for a more restricted class.
3.1 Definition of Integration Graphs
A variable of a cshs that has the slope $+1$ at all locations, except perhaps at the final locations, is called a timer. All other variables are called integrators. A lower bound on how much we have to restrict the class before reachability becomes decidable is provided by timed automata [AD90]. The differences between a timed automaton and a cshs can be summarized as:
1. Timed automata do not allow integrators but only timers.
2. The guards allowed by timed automata are conditions of the forms $x \sim c$ and $x - y \sim c$, where $\sim \in \{=, \le, \ge\}$, $x, y$ are variables (called clocks in [AD90]), and $c$ is an integer constant.

Motivated by this comparison, consider a test
$$a_1 x_1 + \cdots + a_n x_n \sim b, \qquad (1)$$
where $x_1, \ldots, x_n$ are variables, $a_1, \ldots, a_n$ and $b$ are integer constants, and $\sim$ is one of $\{<, \le, =, \ne, \ge, >\}$. Such a test is called dangerous if it refers to an integrator or does not have one of the forms listed in item 2 above. The implication is that unbridled use of dangerous tests may lead to undecidability. The fact that tests that refer to more than two variables, or contain multiplicative factors with absolute value different from 1, lead to undecidability is proven in [AH90]. The fact that tests that refer to integrators are dangerous has been established in the undecidability result proven in Section 2. The construction used for the undecidability proof employs integrators to represent the registers $x_i$ and tests them for being zero on edges representing conditional go-to commands. Eliminating dangerous tests altogether is too harsh, since this would exclude systems such as the Cat and Mouse or the Gas Burner from the class we intend to study. For example, the test $20y > z$ is dangerous for two reasons: it is not of one of the allowed forms, and it refers to the integrator $y$. Instead, we strongly restrict the places where dangerous tests can appear in the graph of a cshs. An edge in the graph representing a cshs is called cyclic if it is part of a cycle in the graph. A cshs is called an integration graph if dangerous tests do not appear on cyclic edges. This restriction ensures that there exists a bound $K$ such that the number of times any computation encounters a dangerous test is bounded by $K$. In all proofs of undecidability, the constructed counter-examples rely on checking dangerous tests an unbounded number of times. Consequently, there is hope that reachability will be decidable for integration graphs. It is not difficult to ascertain that both the Cat and Mouse system (which has no cycles at all) and the Gas Burner system are integration graphs.
It is straightforward to show that any integration graph is equivalent to a system whose graph can be decomposed into a cyclic part $L$ (the looping part) with exits into an acyclic graph $T$ (the testing part). This decomposition is such that $L$ contains no dangerous tests, while $T$ may contain some dangerous tests and contains all the final locations.
[Figure: the looping part $L$ with exit edges into the testing part $T$.]
We can relax the definition of a timer, only requiring that it has a uniform slope at all states of $L$, the looping part of the integration graph. This allows us to assume that all slopes of all variables within $T$ are 0. Variables that appear in dangerous tests are called terminal variables since, according to the integration graph restrictions, we are only interested in their values at the end of the computation. For simplicity, we will consider only integration graphs in which terminal variables are not assigned values by any edge. It is not difficult to extend the results obtained to the more general case.
Single Integrator Tests
In the study of cshs's, it is possible to restrict our attention to dangerous tests of the form $u \sim b$, where $u$ is an integrator and $b$ is an integer constant. Observe that, for any dangerous test of the more general form $a_1 x_1 + \cdots + a_m x_m \sim b$, we can define a new integrator $u$ whose slope at each location $s \in S$ is given by
$$R[s][u] = a_1 R[s][x_1] + \cdots + a_m R[s][x_m].$$
For example, for the gas burner system, we can define a new integrator $u$ whose value is intended to be $20y - z$. The slopes of $u$ at locations $s_0$, $s_1$ and $s_2$ are $-1$, $19$ and $-1$, respectively. Then, instead of testing whether $20y - z$ is positive, it is sufficient to check for $u > 0$.
3.2 Duration Properties of Finitary Timed Automata
In this subsection we consider the simpler model of timed automata, but ask more complicated questions than just reachability of some final location.
Finitary Timed Automata
We use a simplified version of timed automata ([Dil89], [AD90]), to which we refer as finitary timed automata (fta). The simplification is that we are interested only in finite computations that reach some final location. In our framework, an fta can be presented as a cshs with the following restrictions:
All variables have the slope 1 in all states. Consequently, they are all timers, and we can eliminate the rate labeling function $R$ from the description of a timed automaton.
The set of final locations $S_f$ consists of a single location $s_f$.
The initial values of all variables are 0. Consequently, we need not specify the component $V_0$ in the description of an fta.
All guards are of the forms $l \le x \le u$ and $l \le x - y \le u$, where $x, y$ are variables (timers) and $l, u \in \mathbb{Z}$.
All assignments have the form $Y := 0$, i.e., 0 is the only assigned value. We refer to $Y$ as the variables reset when the edge is taken.
Following these simplifications, an fta can be described by a tuple $M: \langle S, \pi, V, s_I, s_f, E\rangle$. We often refer to an edge as a tuple $(s, s', \gamma, Y)$, where $s$ and $s'$ are the source and destination locations, $\gamma$ is the guard, and $Y$ is the set of variables reset by the edge. Let $e = \langle s, s', \gamma, Y\rangle \in E$. We say that $e$ is a resetting edge if $Y = V$. Without loss of generality, we require that all edges arriving at $s_f$ be resetting edges. For convenience we assume a virtual resetting edge $e_\perp$ that enters $s_I$. An fta may be nondeterministic. It may contain two edges $e_1 = \langle s, s_1, \gamma_1, Y_1\rangle$ and $e_2 = \langle s, s_2, \gamma_2, Y_2\rangle$, $s_1 \ne s_2$, such that $\gamma_1$ and $\gamma_2$ are not mutually exclusive ($\gamma_1 \wedge \gamma_2$ is satisfiable). On the other hand, we require that every two locations $s_1$ and $s_2$ have at most one edge connecting them.

A trail is a finite sequence $(s_0, t_0), \ldots, (s_n, t_n)$ such that, for every $i$, $0 \le i < n$, $0 \le t_i \le t_{i+1}$. If $\sigma = \langle s_0, \nu_0, t_0\rangle, \langle s_1, \nu_1, t_1\rangle, \ldots, \langle s_n, \nu_n, t_n\rangle$ is a computation (segment), then $\rho = (s_0, t_0), (s_1, t_1), \ldots, (s_n, t_n)$ is called the trail corresponding to $\sigma$. A trail that corresponds to some computation segment is called realizable. A trail that corresponds to a computation is called complete. Obviously, a complete trail is realizable. A trail is called an integer trail if it corresponds to an integer computation. We denote by $\mathcal{T}$ the set of all complete trails of $M$, and by $Z(\mathcal{T}) \subseteq \mathcal{T}$ the set of integer trails of $M$. We use the shorthand notation $\rho = (\ell, T)$, where $\ell = s_0, s_1, \ldots, s_n$ and $T = t_0, t_1, \ldots, t_n$ are the location and time sequences, respectively, associated with the trail $\rho$.
Duration Properties
The questions we intend to pose for finitary timed automata are expressed in a language that includes the propositional calculus augmented with the duration function $\int$ and linear inequalities. The version of the duration function considered here was inspired by the use of a similar operator in the duration calcul
us [CHR92]. However, the semantics given here to this operator differs from its semantics in [CHR92]. State formulas are defined in the usual way over the propositions in $P$ and the boolean operators, and can be evaluated over single locations, using the interpretation assigned to them by the proposition labeling function $\pi$. The duration function $\int$ is a temporal function interpreted over trails. Let $\varphi$ be a state formula and $\rho = (s_0, t_0), \ldots, (s_n, t_n)$ be a trail. The value of the duration expression $\int\varphi$ at position $j$, $0 \le j \le n$, of $\rho$ is defined as
$$val(\rho, j, \textstyle\int\varphi) = \sum_{0 \le i < j,\ s_i \models \varphi} (t_{i+1} - t_i).$$

Duration constraints are inequalities of the form
$$\sum_{i=1}^{m} a_i \int\varphi_i \sim c,$$
where $\sim \in \{<, \le, =, \ne, \ge, >\}$, $a_i, c \in \mathbb{Z}$ and the $\varphi_i$ are state formulas. Duration formulas are boolean combinations of duration constraints. Let $\rho = (s_0, t_0), \ldots, (s_n, t_n)$ be a trail, and $\psi$ be a duration formula. We say that $\rho$ satisfies $\psi$, denoted $\rho \models \psi$, if $\psi$ evaluates to true when all the duration expressions are evaluated at position $n$ of $\rho$. Let $\Theta$ be a set of trails. We say that $\psi$ is valid over $\Theta$ if for all $\rho \in \Theta$, $\rho \models \psi$. We say that $\psi$ is satisfiable over $\Theta$ if there exists a trail $\rho \in \Theta$ satisfying $\psi$. Let $M$ be an fta. We say that $\psi$ is satisfiable (valid) over $M$ if $\psi$ is satisfiable (valid) over $\mathcal{T}$, the set of complete trails of $M$. Obviously, $\psi$ is valid over $M$ iff $\neg\psi$ is not satisfiable over $M$. A duration property is called conjunctive if it is a conjunction of duration constraints. Similarly, a duration property is disjunctive if it is a disjunction of duration constraints. We use the notations
$$\bigvee \bigwedge \Big(\sum_{i=1}^{m} a_i \int\varphi_i \sim c\Big), \qquad \bigwedge \Big(\sum_{i=1}^{m} a_i \int\varphi_i \sim c\Big), \qquad \text{and} \qquad \bigvee \Big(\sum_{i=1}^{m} a_i \int\varphi_i \sim c\Big)$$
to denote a (general) duration property, a conjunctive duration property, and a disjunctive duration property, respectively.
Decision Problems
Given an fta $M$ and a duration property $\psi$, we may ask the following questions:

Problem 3 (Validity) Is $\psi$ valid over $M$?

and

Problem 4 (Satisfiability) Is $\psi$ satisfied by some computation of $M$?

As indicated above, an algorithm for solving one of these problems can be used to solve the other. We will therefore concentrate on finding solutions to the satisfiability problem.
3.3 Reduction of Reachability to Satisfiability
The reachability problem for integration graphs can be reduced to the satisfiability problem for fta's. Let $S$ be a given integration graph and $\hat s \in S_f$ one of its final locations. We are interested in the question whether $\hat s$ is reachable by some computation of $S$. According to the definition of integration graphs, $S$ can be decomposed into the looping part $L$ and the acyclic testing part $T$. Without loss of generality, we can assume that $\hat s \in T$. As a first step, we construct an fta $M$ that represents the behavior of $S$ ignoring all integrators and dangerous tests. Automaton $M$ is obtained from $S$ by the following transformation:
1. Delete from the integration graph $S$ all locations and edges that cannot participate in a path from $s_I$ to $\hat s$.
2. Replace all dangerous guards on the remaining edges by the trivial guard $\mathrm{t}$ (true).
3. Retain $\hat s$ as the only final location.
It is not difficult to see that $M$ is an fta with final location $\hat s$. Next, we construct a duration formula $\Phi$ that expresses the condition for system $S$ to be able to reach location $\hat s$. Our first task is to express the values of terminal variables at the end of a computation in terms of duration expressions. Let $x \in V$ be a terminal variable of $S$. Let $x_0$ be the initial value specified for $x$ in $V_0$ and $s_1, \ldots, s_m$ be all the locations of $S$ in which the rate of growth of $x$ is nonzero, $R[s][x] \ne 0$. Let $R_1, \ldots, R_m$ be the rates of growth of $x$ in $s_1, \ldots, s_m$, respectively. We assume that each $s_j$ has a proposition (as part of $P$) that uniquely characterizes it, i.e., is true at $s_j$ and at no other location. We denote this proposition by $at\_s_j$. The value of $x$ at the end of a computation can be expressed by the duration expression
$$x_f = x_0 + R_1 \int at\_s_1 + \cdots + R_m \int at\_s_m.$$
This is based on the observation that any unit of time spent at location $s_i$ contributes $R_i$ to the final value of $x$. Since $T$ is acyclic, there are only finitely many paths $p_1, \ldots, p_k$ that a computation can follow within $T$ until it reaches location $\hat s$. For each $i = 1, \ldots, k$, let the formula $\psi_i$ be the conjunction of all the dangerous guards that appear in $S$ on edges of $p_i$, replacing any occurrence of a terminal variable $x$ by the expression $x_f$ as defined above. Finally, we let $\Phi$ be the disjunction $\psi_1 \vee \cdots \vee \psi_k$.

Claim 1 (Reduction) Location $\hat s$ is reachable by a computation of $S$ iff there exists a computation of $M$ satisfying $\Phi$.
Examples of Reduction: Cat and Mouse
Consider applying the described reduction to the Cat and Mouse system. The decomposition of this system into $L$ and $T$ identifies the entire system (being acyclic) as $T$. First, consider reachability of location C-wins. There is only one path leading to this location. In Fig. 3, we present the fta obtained by the reduction. The duration formula whose satisfiability should be checked is
$$\Phi_C: \quad X_0 - v_c \int CrMr = X_0 - v_m \Big(\int CwMr + \int CrMr\Big) \;\wedge\; X_0 - v_c \int CrMr > 0,$$
where we use CwMr and CrMr as the propositions characterizing these states. Next, we consider reachability of location M-wins. In Fig. 4, we present the automaton obtained by reduction of the Cat and Mouse system according to this location. There are two paths leading to location M-wins. However, the conjunction of dangerous tests along these paths yields the same formula $x_c = 0 \wedge x_m = 0$. Consequently, we take
$$\Phi_M: \quad X_0 - v_c \Big(\int CrMr + \int CrMs\Big) = 0 \;\wedge\; X_0 - v_m \Big(\int CwMr + \int CrMr\Big) = 0.$$

Figure 3: Reduction of Cat and Mouse: Reachability of C-wins. [Figure: CwMr to CrMr on $y = \Delta?$; CrMr to C-wins.]

Figure 4: Reduction of Cat and Mouse: Reachability of M-wins. [Figure: CwMr to CwMs and CrMr to CrMs; CwMr to CrMr and CwMs to CrMs on $y = \Delta?$; CrMs to M-wins.]
Examples of Reduction: Gas Burner
There are two ways to reduce the Gas Burner system to an fta. The difference between these two reductions is whether we consider variable $z$ to be an integrator or a timer. In both cases, we are interested in reachability of location Bad. Note that any timer that is not tested or reset within the looping part $L$ can be promoted to an integrator. Promoting a timer to an integrator may give rise to more duration constraints and fewer timer tests. The first reduction, presented in Fig. 5, considers $z$ to be a timer. The corresponding accessibility formula is given by
$$\Phi_1: \quad 20 \int at\_s_1 > \int at\_s_0 + \int at\_s_1 + \int at\_s_2.$$
In Fig. 6 we present a second reduction in which $z$ is considered an integrator. The corresponding accessibility formula is given by
$$\Phi_2: \quad 20 \int at\_s_1 > \int at\_s_0 + \int at\_s_1 + \int at\_s_2 \;\wedge\; \int at\_s_0 + \int at\_s_1 + \int at\_s_2 \ge 60.$$

Figure 5: Reduction of the Gas Burner: $z$ Considered as a Timer. [Figure: $s_0$ (¬Leak) to $s_1$ (Leak) with $x := 0$; $s_1$ to $s_2$ (¬Leak) with $x \le 1 / x := 0$; $s_2$ to $s_1$ with $x \ge 30 / x := 0$; $s_2$ to Check with $z \ge 60?$; Check to Bad.]

Figure 6: Reduction of the Gas Burner: $z$ Considered as an Integrator. [Figure: as Fig. 5, but the edge from $s_2$ to Check carries no test.]
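An added example (not the paper's code) tying together the duration function of Section 3.2, the single-integrator form $u = 20y - z$ of Section 3.1, and the accessibility formulas of the gas burner reduction: a duration evaluator over trails, a realizability check against the timer guards of the fta of Fig. 5, and $\Phi_1$, $\Phi_2$ evaluated on two constructed trails. Location and edge names follow the figures; the trails and the rate tables are constructed here.

```python
import math
from typing import Callable, List, Tuple

Trail = List[Tuple[str, float]]          # rho = (s_0, t_0), ..., (s_n, t_n)
StateFormula = Callable[[str], bool]

def val(trail: Trail, j: int, phi: StateFormula) -> float:
    """The paper's duration function: val(rho, j, ∫phi) is the sum of
    t_{i+1} - t_i over the positions 0 <= i < j whose location satisfies phi."""
    return sum(trail[i + 1][1] - trail[i][1]
               for i in range(j) if phi(trail[i][0]))

def duration(trail: Trail, phi: StateFormula) -> float:
    """∫phi evaluated at the last position n of the trail, as formulas require."""
    return val(trail, len(trail) - 1, phi)

def at(loc: str) -> StateFormula:
    """The proposition at_s, true at location s and at no other location."""
    return lambda s: s == loc

# fta M of Fig. 5 (z treated as a timer): timers x and z start at 0 and grow at
# slope 1; each edge carries bounds l <= timer <= u and the set Y of timers reset.
INF = math.inf
EDGES = {
    ("s0", "s1"):     ({},               {"x"}),
    ("s1", "s2"):     ({"x": (0, 1)},    {"x"}),    # a leak lasts at most 1 unit
    ("s2", "s1"):     ({"x": (30, INF)}, {"x"}),    # >= 30 non-leaking units between leaks
    ("s2", "Check"):  ({"z": (60, INF)}, set()),    # z >= 60?
    ("Check", "Bad"): ({},               set()),    # dangerous test 20y > z replaced by true
}
INITIAL, FINAL = "s0", "Bad"

def realizable(trail: Trail) -> bool:
    """Is the trail the trail of some computation of M?  Follow both timers,
    check an edge's bounds at the moment it is taken, then apply its resets."""
    if trail[0] != (INITIAL, 0) or trail[-1][0] != FINAL:
        return False
    timers = {"x": 0.0, "z": 0.0}
    for (s, t), (s_next, t_next) in zip(trail, trail[1:]):
        if t_next < t or (s, s_next) not in EDGES:
            return False
        bounds, resets = EDGES[(s, s_next)]
        now = {v: timers[v] + (t_next - t) for v in timers}
        if not all(lo <= now[v] <= hi for v, (lo, hi) in bounds.items()):
            return False
        timers = {v: 0.0 if v in resets else now[v] for v in now}
    return True

# Terminal variables through durations, x_f = x_0 + R_1 ∫at_s1 + ... + R_m ∫at_sm:
# y grows only in s1; z grows in s0, s1 and s2 (slopes inside Check are 0).
def y_final(trail: Trail) -> float:
    return duration(trail, at("s1"))

def z_final(trail: Trail) -> float:
    return sum(duration(trail, at(s)) for s in ("s0", "s1", "s2"))

# Single-integrator form of the dangerous test 20y > z: the integrator u = 20y - z
# has slope R[s][u] = 20 R[s][y] - R[s][z] in each location of the looping part.
RATES_Y = {"s0": 0, "s1": 1, "s2": 0}
RATES_Z = {"s0": 1, "s1": 1, "s2": 1}
U_RATES = {s: 20 * RATES_Y[s] - RATES_Z[s] for s in RATES_Y}   # -1, 19, -1

def u_final(trail: Trail) -> float:
    return sum(r * duration(trail, at(s)) for s, r in U_RATES.items())

def phi1(trail: Trail) -> bool:
    """Phi_1 (Fig. 5): 20 ∫at_s1 > ∫at_s0 + ∫at_s1 + ∫at_s2; z >= 60 stays a timer guard."""
    return 20 * y_final(trail) > z_final(trail)

def phi2(trail: Trail) -> bool:
    """Phi_2 (Fig. 6): Phi_1 with z >= 60 now expressed as a duration constraint."""
    return phi1(trail) and z_final(trail) >= 60

def bad_reachable_via(trail: Trail) -> bool:
    """Claim 1 on a single trail: Bad is reached along this trail of the
    integration graph iff the trail is realizable in M and satisfies Phi_1."""
    return realizable(trail) and phi1(trail)

# Constructed trails.  LAWFUL obeys the timer guards (1-unit leaks, 30 units
# apart); LONG_LEAK stays 5 units in s1, which the edge s1 -> s2 forbids.
LAWFUL: Trail = [("s0", 0), ("s1", 0), ("s2", 1), ("s1", 31), ("s2", 32),
                 ("Check", 62), ("Bad", 62)]
LONG_LEAK: Trail = [("s0", 0), ("s1", 0), ("s2", 5), ("Check", 60), ("Bad", 60)]
```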
Conclusions
According to Claim 1, in order to find whether location $\hat s$ is reachable in the integration graph $S$, it is sufficient to check that the accessibility formula $\Phi$ is satisfiable over the fta $M_S$. Consequently, we will concentrate on methods for solving the satisfiability problem of duration formulas over fta's.
4 Duration Properties over Integer Computations

In the following, we present an algorithm for checking the satisfiability of duration properties over the integer computations of an fta. Given an fta $\hat M$, we first discuss the construction of a 0/1-unwinding fta $M$, whose set of computations is exactly the set of integer computations of $\hat M$. Next, we present an algorithm for the satisfiability of a (general) duration property over $M$. Note that this solves the problem of reachability of integration graphs by integer computations.
4.1 The Integer Computations of an fta

Let $M = \langle S, \Lambda, V, s_I, s_f, E\rangle$ and $\hat M = \langle \hat S, \hat\Lambda, \hat V, \hat s_I, \hat s_f, \hat E\rangle$ be fta's and $\alpha: S \to \hat S$ be a function mapping locations of $M$ to locations of $\hat M$. We say that $\alpha$ is a homomorphism if

- $\forall s \in S$, $\Lambda(s) = \hat\Lambda(\alpha(s))$
- $\alpha(s_I) = \hat s_I$
- $\alpha(s_f) = \hat s_f$
- $\hat V \subseteq V$
- For every $e = \langle s_1, s_2, \Gamma, Y\rangle \in E$,
  - either there exists an edge $\hat e = \langle \alpha(s_1), \alpha(s_2), \hat\Gamma, \hat Y\rangle \in \hat E$ such that $\hat Y = Y \cap \hat V$ and $\Gamma \to \hat\Gamma$, i.e., $\Gamma$ implies $\hat\Gamma$. In that case we write $\hat e = \alpha(e)$.
  - or $\alpha(s_1) = \alpha(s_2)$ and $Y \cap \hat V = \emptyset$. We can view this case as though $e$ is mapped by $\alpha$ to a self-edge connecting $\alpha(s_1)$ to itself.

For a valuation $\nu: V \to \mathbb{R}$, we denote by $\nu|_{\hat V}$ its restriction to $\hat V \subseteq V$. The following is an immediate result of the above definition:

Claim 2 Let $M = \langle S, \Lambda, V, s_I, s_f, E\rangle$ and $\hat M = \langle \hat S, \hat\Lambda, \hat V, \hat s_I, \hat s_f, \hat E\rangle$ be fta's, and $\alpha: S \to \hat S$ be a homomorphism. Then if
$$\sigma = \langle s_0, \nu_0, t_0\rangle, \langle s_1, \nu_1, t_1\rangle, \ldots, \langle s_n, \nu_n, t_n\rangle$$
is a computation of $M$, then
$$\alpha(\sigma) = reduce(\langle \alpha(s_0), \nu_0|_{\hat V}, t_0\rangle, \langle \alpha(s_1), \nu_1|_{\hat V}, t_1\rangle, \ldots, \langle \alpha(s_n), \nu_n|_{\hat V}, t_n\rangle)$$
is a computation of $\hat M$, where, for $\hat\sigma: \langle \hat s_0, \hat\nu_0, \hat t_0\rangle, \ldots, \langle \hat s_n, \hat\nu_n, \hat t_n\rangle$, $reduce(\hat\sigma)$ is obtained by removing from $\hat\sigma$ any situation $\langle \hat s_{i+1}, \hat\nu_{i+1}, \hat t_{i+1}\rangle$ such that $\hat s_{i+1} = \hat s_i$.

Let $\pi = e_0, s_0, \ldots, e_n, s_n$ be a path in $M$. We say that $\pi$ is a complete path if $e_0 = e_\star$ and $s_n = s_f$.

Given an fta $\hat M = \langle \hat S, \hat\Lambda, \hat V, \hat s_I, \hat s_f, \hat E\rangle$, we say that an fta $M = \langle S, \Lambda, V, s_I, s_f, E\rangle$ is a 0/1-unwinding of $\hat M$ if

- There exists a surjective homomorphism $\alpha: S \to \hat S$.
- Every complete path in $M$ has a realizable trail tracing it.
- Every state $s \in S$ is associated with a fixed visit length $v_s \in \{0, 1\}$, such that each visit to $s$ in a realizable trail lasts precisely $v_s$ time units. That is, if $\ldots, (s, t_s), (s', t_{s'}), \ldots \in T$ then $t_{s'} = t_s + v_s$.
- $reduce(\alpha(T)) = Z(\hat T)$

Claim 3 For every fta, there exists a 0/1-unwinding.

The construction of the 0/1-unwinding of an fta $\hat M$ is based on the region graph construction ([Dil89], [AD90]), where only a subset of the regions associated with $\hat M$ are used.
4.2 The Verification Algorithm

Let $M = \langle S, \Lambda, V, s_I, s_f, E\rangle$ be an fta. For $e: \langle s, s', \Gamma, Y\rangle \in E$, we say that $e$ departs from $s$ and arrives at $s'$. For $s \in S$ and $e \in E$ departing from $s$, we define

- $succ(s)$: the set of edges departing from $s$.
- $pred(s)$: the set of edges arriving at $s$.
- $pred(e) = pred(s)$.

Let $\tau = (s_0, t_0), \ldots, (s_n, t_n)$ be a trail. For every $s \in S$ and $e \in E$, we define

- $n_s$: the number of occurrences of location $s$ in $\tau$.
- $m_e$: the number of times $e$ was taken in $\tau$.
- $r_e$: the sequence number of $e$ in the list of edges visited by $\tau$, sorted according to the order of their first visit. That is, $r_e = k$ if $e$ is the $k$-th edge visited by $\tau$.

Let $\hat M = \langle \hat S, \hat\Lambda, \hat V, \hat s_I, \hat s_f, \hat E\rangle$ be an fta and $M = \langle S, \Lambda, V, s_I, s_f, E\rangle$ be a 0/1-unwinding of $\hat M$. Let
$$\varphi = \bigvee \bigwedge \sum_{i=1}^{m} a_i \int \varphi_i \;\triangleright\; c$$
be a duration formula. The following set of constraints $C(M, \varphi)$ is used to check the satisfiability of $\varphi$ over $M$.

$C(M, \varphi)$:

Flow: For every $s \in S - \{s_f\}$,
$$n_s = \sum_{e_j \in pred(s)} m_j = \sum_{e_i \in succ(s)} m_i.$$

Initiation and Termination:
$$n_{s_f} = \sum_{e_j \in pred(s_f)} m_j = m_{e_\star} = 1.$$

Accessibility: $m_{e_\star} = r_{e_\star} = 1$. For every edge $e \in E - \{e_\star\}$,
$$m_e = r_e = 0 \;\vee\; \bigvee_{e' \in pred(e)} (0 < r_{e'} < r_e).$$

Visit Durations: For every $s \in S$, $\Delta(s) = n_s \cdot v_s$.

The Duration Property:
$$\bigvee \bigwedge \sum_{i=1}^{m} a_i \sum_{s \in S,\; s \models \varphi_i} \Delta(s) \;\triangleright\; c.$$

Proposition 4 The set of constraints $C(M, \varphi)$ has a solution iff $\varphi$ is satisfiable over $M$ iff $\varphi$ is satisfiable by an integer computation of $\hat M$.

The problem of finding an integer solution to $C(M, \varphi)$ for the unknowns $n_s \ge 0$, $m_e \ge 0$, $r_e \ge 0$ is a classical integer linear programming problem. It is shown in [GJ79] to be NP-complete, but algorithms that are efficient for frequently occurring cases are known [Sal75].
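To make the constraint set concrete, here is an added example (not code from the paper) that encodes $C(M, \varphi)$ over a small constructed 0/1-unwinding fta and looks for non-negative integer values of $n_s$, $m_e$ and $r_e$ by bounded enumeration. The fta, its visit lengths $v_s$, its labelling, the two properties and all function names are constructed for this illustration; the enumeration stands in for the integer linear programming solver the paper refers to.

```python
"""Checking the constraint set C(M, phi) of Section 4.2 by bounded search.

Added example, not code from the paper.  It encodes the constraint
groups (flow, initiation and termination, accessibility, visit durations,
duration property) over a small constructed 0/1-unwinding fta and looks
for non-negative integers n_s, m_e, r_e within a bound.  The fta, its
visit lengths v_s, its labelling and the properties are constructed here.
"""
from itertools import product

# Constructed 0/1-unwinding fta.  V_S maps each location to its visit
# length v_s; EDGES maps an edge name to (source, target).  The initial
# edge e* has no source location: it only enters s_I.
V_S = {"sI": 1, "a": 1, "b": 0, "sf": 0}
EDGES = {
    "e*": (None, "sI"),
    "e1": ("sI", "a"),
    "e2": ("a", "sI"),   # loop sI -> a -> sI, two time units per round
    "e3": ("a", "b"),
    "e4": ("b", "sf"),
}
# Propositions holding at each location (used by the duration property).
LABELS = {"sI": {"p"}, "a": {"q"}, "b": set(), "sf": set()}
E_STAR = "e*"


def pred(s):
    """pred(s): edges arriving at location s."""
    return [e for e, (_, dst) in EDGES.items() if dst == s]


def succ(s):
    """succ(s): edges departing from location s."""
    return [e for e, (src, _) in EDGES.items() if src == s]


def pred_edge(e):
    """pred(e) = pred(s) for the location s that e departs from."""
    src = EDGES[e][0]
    return pred(src) if src is not None else []


def visit_durations(n):
    """Visit Durations: the integral over s is n_s * v_s."""
    return {s: n[s] * V_S[s] for s in V_S}


def duration(d, prop):
    """Integral of a proposition: total visit duration of the locations labelled with it."""
    return sum(d[s] for s in V_S if prop in LABELS[s])


def flow_ok(n, m):
    """Flow, plus Initiation and Termination."""
    for s in V_S:
        if s == "sf":
            continue
        if not (n[s] == sum(m[e] for e in pred(s)) == sum(m[e] for e in succ(s))):
            return False
    return n["sf"] == sum(m[e] for e in pred("sf")) == m[E_STAR] == 1


def accessibility_ok(m, r):
    """Accessibility: e* is taken first; every other edge is either unused
    or reached through a predecessor edge that was first visited earlier."""
    if not (m[E_STAR] == r[E_STAR] == 1):
        return False
    for e in EDGES:
        if e == E_STAR or (m[e] == 0 and r[e] == 0):
            continue
        if not any(0 < r[e2] < r[e] for e2 in pred_edge(e)):
            return False
    return True


def solve(duration_property, bound=4):
    """Search for (n, m, r) satisfying C(M, phi); None if no solution within the bound."""
    others = [e for e in EDGES if e != E_STAR]
    for m_vals in product(range(bound + 1), repeat=len(others)):
        m = dict(zip(others, m_vals))
        m[E_STAR] = 1
        # n_s is fixed by the flow constraints, so derive it from m.
        n = {s: sum(m[e] for e in pred(s)) for s in V_S}
        if not flow_ok(n, m):
            continue
        d = visit_durations(n)
        if not duration_property(lambda prop: duration(d, prop)):
            continue
        for r_vals in product(range(len(EDGES) + 1), repeat=len(others)):
            r = dict(zip(others, r_vals))
            r[E_STAR] = 1
            if accessibility_ok(m, r):
                return {"n": n, "m": m, "r": r}
    return None


# Two constructed duration properties.  The first needs the loop to be
# taken twice; the second is unsatisfiable because every round of the
# loop spends one unit in sI and one in a, so int(p) = int(q) on every trail.
PROP_SAT = lambda I: I("p") >= 3
PROP_UNSAT = lambda I: I("p") > I("q")

if __name__ == "__main__":
    print(solve(PROP_SAT))
    print(solve(PROP_UNSAT))
```

The accessibility disjunction is what keeps $r_e$ honest: a positive $m_e$ is only accepted when some predecessor edge has a smaller positive rank, so an edge cannot be "used" without a path of first visits leading back to $e_\star$.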
5 Real Computations: Single Timer

In the previous section, we presented an algorithm for satisfiability of duration properties over the integer computations of an fta. In this and the following section, we deal with satisfiability of duration properties over the entire set of an fta's computations, including real computations. First, we restrict the fta to a single timer, checking satisfiability of general duration formulas. Note that this solves the problem of reachability of integration graphs with a single timer (and any number of integrators). Next, in section 6 we give an algorithm for satisfiability over an unrestricted fta, restricting the verified property to disjunctive durations.
5.1 Characterization of Complete Trails

Let $M = \langle S, \Lambda, V, s_I, s_f, E\rangle$ be an fta satisfying:

- $V = \{x\}$.
- Every loop in $M$ contains at least one resetting edge.

We refer to $M$ as a single timer fta. Let $\pi = e_0, s_0, \ldots, e_n, s_n$ be a path in $M$. We call $\pi$ an rr-path if $e_0$ and $e_n$ are resetting edges. An rr-path is called simple if for every $i = 1, 2, \ldots, n-1$, $e_i$ is not a resetting edge. We denote by $\Pi$ the (finite) set of all simple rr-paths in $M$. Since there is only one timer, the guard of each edge $e_i$ has the form $l_i \le x \le u_i$.

Let $\pi = e_0, s_0, \ldots, e_n, s_n$ be a path in $M$. We say that $\tau = (s_0, t_0), \ldots, (s_n, t_n)$ is a trail tracing $\pi$. Let $s$ be a location appearing one or more times in $\pi$. We define the visit duration of the trail at location $s$ to be
$$\Delta(s, \tau) = \sum_{0 \le i < n,\; s_i = s} (t_{i+1} - t_i).$$

then there exists an $\varepsilon \in [0, 1)$, such that
$$\sum_{i=1}^{m} [a_i]_\varepsilon \;\triangleright\; \sum_{j=1}^{n} [b_j]_\varepsilon.$$

The proof of this lemma is presented in the appendix.
Proposition 11 Let $M$ be an fta and $\varphi$ be a disjunctive duration property. The formula $\varphi$ is satisfiable over $M$ iff $\varphi$ is satisfiable over $Z(T_M)$.

Proof outline: Let $\tau = (s_0, t_0), \ldots, (s_n, t_n) \in T_M$, and $\varphi$ be a disjunctive duration property. Let
$$\varphi' = \sum_{i=1}^{m} a_i \int \varphi_i \;\triangleright\; c$$
be a single disjunct of $\varphi$. Interpreting $\varphi'$ over $\tau$, we get
$$\varphi' = \sum_{i=1}^{m} a_i \sum_{\substack{j=0 \\ s_j \models \varphi_i}}^{n-1} (t_{j+1} - t_j) \;\triangleright\; c,$$
which can be rewritten as
$$\sum_{j=0}^{n} c_j\, t_j \;\triangleright\; \sum_{j=0}^{n} d_j\, t_j + c \qquad (5)$$
where $c_j, d_j \in \mathbb{N}$. For every expression $(x_j t_j)$ in equation (5), where $x \in \{c, d\}$ and $t_j = \lfloor t_j \rfloor + \varepsilon_j$, $0 \le \varepsilon_j < 1$, we rewrite the expression as follows
$$\underbrace{1 + \ldots + 1}_{x_j \lfloor t_j \rfloor \text{ times}} \;+\; \underbrace{\varepsilon_j + \ldots + \varepsilon_j}_{x_j \text{ times}}$$
turning equation (5) into the form used in Lemma 10. Thus, if $\varphi'$ is satisfiable over $\tau$, there exists an $\varepsilon \in [0, 1)$ such that $\varphi'$ is satisfiable over $[\tau]_\varepsilon$, for every disjunct $\varphi'$ of $\varphi$. Claim 9 completes the proof.

The terms closure under digitization and closure under inverse digitization are introduced in [HMP92]. Note that a direct result of Lemma 10 is that conjunctive duration properties are closed under inverse digitization. Proposition 11 is another example of a more general observation proven in [HMP92].
Conclusion

Let $M$ be an fta and
$$\varphi = \bigvee \sum_{i=1}^{m} a_i \int \varphi_i \;\triangleright\; c$$
be a disjunctive duration formula. The satisfiability of $\varphi$ over $M$ can be checked using the algorithm described in section 4.
7 Discussion

This paper explores a subset of constant slope hybrid systems, searching for a decidable subset. The subset studied is that of Integration Graphs, which allow integrators but query them only in a restricted way at the end of a computation. For this class of systems, we have established decidability for integer computations, and two restricted cases of real computations: the case of a single timer, and that of a single dangerous query. A question that remains open for further research is what can be said about the other cases: those involving several timers and a conjunction of dangerous queries.
References

[ACD90] R. Alur, C. Courcoubetis, and D.L. Dill. Model-checking for real-time systems. In Proc. 5th IEEE Symp. Logic in Comp. Sci., 1990.
[AD90] R. Alur and D. Dill. Automata for modelling real time systems. In Proc. 17th Int. Colloq. Aut. Lang. Prog., 1990.
[AH90] R. Alur and T.A. Henzinger. Real-time logics: Complexity and expressiveness. In Proc. 5th IEEE Symp. Logic in Comp. Sci., 1990.
[BCM+90] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and J. Hwang. Symbolic model checking: $10^{20}$ states and beyond. Technical report, Carnegie Mellon University, 1990.
[CES86] E.M. Clarke, E.A. Emerson, and A.P. Sistla. Automatic verification of finite state concurrent systems using temporal logic specifications. ACM Trans. Prog. Lang. Sys., 8:244-263, 1986.
[CHR92] Z. Chaochen, C.A.R. Hoare, and A.P. Ravn. A calculus of durations. Information Processing Letters, 40(5):269-276, 1992.
[Dil89] D.L. Dill. Timing assumptions and verification of finite-state concurrent systems. In Automatic Verification Methods for Finite State Systems, LNCS. Springer-Verlag, New York, 1989.
[GJ79] M.R. Garey and D.S. Johnson. Computers and Intractability: A Guide to the Theory of NP-Completeness. W.H. Freeman and Company, 1979.
[HMP92] T. Henzinger, Z. Manna, and A. Pnueli. What good are digital clocks? In W. Kuich, editor, Proc. 19th Int. Colloq. Aut. Lang. Prog., volume 623 of Lect. Notes in Comp. Sci., pages 545-558. Springer-Verlag, 1992.
[MMP92] O. Maler, Z. Manna, and A. Pnueli. A formal approach to hybrid systems. In Proceedings of the REX workshop "Real-Time: Theory in Practice", LNCS. Springer-Verlag, New York, 1992.
[NOS+93] X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine. An approach to the description and analysis of hybrid systems. In A. Ravn and H. Rischel, editors, Workshop on Hybrid Systems, Lect. Notes in Comp. Sci. Springer-Verlag, 1993.
[NSY91] X. Nicollin, J. Sifakis, and S. Yovine. From ATP to timed graphs and hybrid systems. In Real-Time: Theory in Practice, Lect. Notes in Comp. Sci. Springer-Verlag, 1991.
[Sal75] H.M. Salkin. Integer Programming. Addison-Wesley, 1975.
Appendix

In the following we present the proof of Lemma 10 (subsection 6.2).

Lemma 10 Let $0 < a_1 \le a_2 \le \ldots \le a_m \le 1$ and $0 < b_1 \le b_2 \le \ldots \le b_n \le 1$ be two increasing sequences. If
$$\sum_{i=1}^{m} a_i \;\triangleright\; \sum_{j=1}^{n} b_j,$$
where $\triangleright \in \{\ge, >\}$, then there exists an $\varepsilon \in [0, 1)$, such that
$$\sum_{i=1}^{m} [a_i]_\varepsilon \;\triangleright\; \sum_{j=1}^{n} [b_j]_\varepsilon.$$

Proof: The proof is by induction on $n \ge 0$ for all $m$. For $n = 0$, it is enough to take $\varepsilon = 0$. Observing that, for every positive real $c$, $[c]_0 \ge c$, this is based on
$$\sum_{i=1}^{m} [a_i]_0 \;\ge\; \sum_{i=1}^{m} a_i \;\triangleright\; 0 = \sum_{j=1}^{0} [b_j]_0.$$

Assume the lemma is true for $n$ and show for $n + 1$. We assume that
$$\sum_{i=1}^{m} a_i \;\triangleright\; \sum_{j=1}^{n} b_j + b_{n+1}. \qquad (6)$$
Since $b_{n+1} > 0$, $m$ must be positive. We consider several cases:

Case: $a_m > b_{n+1}$. In this case, we take any $\varepsilon$ satisfying $b_{n+1} < \varepsilon < a_m$. This yields
$$\sum_{i=1}^{m} [a_i]_\varepsilon \;\ge\; 1 \;>\; 0 = \sum_{j=1}^{n+1} [b_j]_\varepsilon.$$
Consequently, we assume from now on that $a_m \le b_{n+1}$.

Case: $a_m = b_{n+1}$. Subtracting $a_m = b_{n+1}$ from both sides of inequality (6), we obtain
$$\sum_{i=1}^{m-1} a_i \;\triangleright\; \sum_{j=1}^{n} b_j.$$
Applying the induction hypothesis to this inequality, we obtain an $\varepsilon$ such that
$$\sum_{i=1}^{m-1} [a_i]_\varepsilon \;\triangleright\; \sum_{j=1}^{n} [b_j]_\varepsilon.$$
Adding $[a_m]_\varepsilon = [b_{n+1}]_\varepsilon = 1$ to both sides yields
$$\sum_{i=1}^{m} [a_i]_\varepsilon \;\triangleright\; \sum_{j=1}^{n+1} [b_j]_\varepsilon.$$

Case: $a_m < b_{n+1}$, $\triangleright$ is $>$. Subtracting $a_m$ from the left-hand side and the bigger $b_{n+1}$ from the right-hand side of inequality (6), we obtain
$$\sum_{i=1}^{m-1} a_i \;>\; \sum_{j=1}^{n} b_j.$$
Applying the induction hypothesis to this inequality, we obtain an $\varepsilon$ such that
$$\sum_{i=1}^{m-1} [a_i]_\varepsilon \;>\; \sum_{j=1}^{n} [b_j]_\varepsilon. \qquad (7)$$
This $\varepsilon$ must be smaller than $a_{m-1}$ because, otherwise, the left-hand side of (7) evaluates to 0, and we get the contradictory inequality
$$0 \;>\; \sum_{j=1}^{n} [b_j]_\varepsilon \;\ge\; 0.$$
Consequently, $\varepsilon < a_{m-1} \le a_m < b_{n+1}$ and we may add $[a_m]_\varepsilon = [b_{n+1}]_\varepsilon = 1$ to both sides of (7), obtaining
$$\sum_{i=1}^{m} [a_i]_\varepsilon \;>\; \sum_{j=1}^{n+1} [b_j]_\varepsilon.$$

The remaining cases will deal with $\ge$.

Case: $a_m < b_{n+1} < 1$. Taking $\varepsilon$ that satisfies $b_{n+1} < \varepsilon < 1$, we obtain
$$\sum_{i=1}^{m} [a_i]_\varepsilon = 0 \;\ge\; 0 = \sum_{j=1}^{n+1} [b_j]_\varepsilon.$$

From now on, we assume that $b_{n+1} = 1$.

Case: $b_n < a_m < b_{n+1} = 1$. Taking $\varepsilon$ that satisfies $b_n < \varepsilon < a_m$, we obtain
$$\sum_{i=1}^{m} [a_i]_\varepsilon \;\ge\; 1 = \sum_{j=1}^{n+1} [b_j]_\varepsilon.$$

Case: $a_m \le b_n \le b_{n+1} = 1$. Subtracting $a_m$ from the left-hand side of (6) and the not smaller $b_n$ from its right-hand side, we obtain (substituting 1 for $b_{n+1}$)
$$\sum_{i=1}^{m-1} a_i \;\ge\; \sum_{j=1}^{n-1} b_j + 1.$$
Applying the induction hypothesis to this case (that has $n$ elements on its right-hand side), we obtain an $\varepsilon$ such that
$$\sum_{i=1}^{m-1} [a_i]_\varepsilon \;\ge\; \sum_{j=1}^{n-1} [b_j]_\varepsilon + 1. \qquad (8)$$
This $\varepsilon$ must be smaller than $a_{m-1}$ because, otherwise, the left-hand side of (8) evaluates to 0, and we get the contradictory inequality
$$0 \;\ge\; \sum_{j=1}^{n-1} [b_j]_\var
epsilon + 1 \;\ge\; 1.$$
Consequently, $\varepsilon < a_{m-1} \le a_m \le b_n$ and we may add $[a_m]_\varepsilon = [b_n]_\varepsilon$ to both sides of (8), obtaining
$$\sum_{i=1}^{m} [a_i]_\varepsilon \;\ge\; \sum_{j=1}^{n+1} [b_j]_\varepsilon.$$

This concludes the proof.
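Lemma 10, and its use in the proof outline of Proposition 11 above, can be exercised directly: the following added example (not code from the paper) searches for the witness $\varepsilon$ of the lemma over constructed sequences. It assumes the digitization of [HMP92], under which $[x]_\varepsilon$ is $\lfloor x \rfloor$ when the fractional part of $x$ is at most $\varepsilon$ and $\lceil x \rceil$ otherwise; since the digitized sums only change when $\varepsilon$ crosses one of the $a_i$ or $b_j$, trying $\varepsilon = 0$ and one point between each pair of consecutive distinct values is exhaustive. The sequences, the value grid and the function names are constructed for this illustration.

```python
"""Searching for the digitization parameter epsilon of Lemma 10.

Added example, not code from the paper.  It assumes the digitization of
[HMP92]: for epsilon in [0, 1), [x]_epsilon is floor(x) when the fractional
part of x is at most epsilon and ceil(x) otherwise.  The sums in Lemma 10
only change when epsilon crosses one of the given values, so epsilon = 0
plus one point between each pair of consecutive distinct values covers
every case.  Sequences and the value grid below are constructed.
"""
from fractions import Fraction
from itertools import combinations_with_replacement
from math import ceil, floor


def digitize(x, eps):
    """[x]_eps as in [HMP92] (assumed definition, see above)."""
    x = Fraction(x)
    return floor(x) if x - floor(x) <= eps else ceil(x)


# The two relations the lemma allows for the symbol "triangleright".
RELATIONS = {">=": lambda l, r: l >= r, ">": lambda l, r: l > r}


def candidate_epsilons(values):
    """epsilon = 0 and a point strictly between consecutive values below 1."""
    pts = sorted({Fraction(v) for v in values if 0 < Fraction(v) < 1})
    cands = [Fraction(0)]
    for lo, hi in zip(pts, pts[1:] + [Fraction(1)]):
        cands.append((lo + hi) / 2)
    return cands


def find_epsilon(a, b, rel):
    """Return an epsilon in [0, 1) with sum [a_i]_eps rel sum [b_j]_eps, or None.
    Precondition (hypothesis of Lemma 10): sum a_i rel sum b_j, values in (0, 1]."""
    cmp = RELATIONS[rel]
    assert cmp(sum(map(Fraction, a)), sum(map(Fraction, b))), "hypothesis of the lemma fails"
    for eps in candidate_epsilons(list(a) + list(b)):
        if cmp(sum(digitize(x, eps) for x in a), sum(digitize(y, eps) for y in b)):
            return eps
    return None


def lemma_holds(a, b, rel):
    return find_epsilon(a, b, rel) is not None


def exhaustive_check(values=("1/4", "1/2", "3/4", "1"), max_len=2):
    """Confirm the lemma on every pair of increasing sequences of length at most
    max_len over a constructed value grid; returns the number of instances checked."""
    seqs = [s for k in range(max_len + 1) for s in combinations_with_replacement(values, k)]
    checked = 0
    for a in seqs:
        for b in seqs:
            for rel, cmp in RELATIONS.items():
                if cmp(sum(map(Fraction, a)), sum(map(Fraction, b))):
                    assert lemma_holds(a, b, rel), (a, b, rel)
                    checked += 1
    return checked


if __name__ == "__main__":
    # A case where epsilon = 0 does not work: one value 9/10 against two values 2/5.
    print(find_epsilon(["9/10"], ["2/5", "2/5"], ">="))
    print(exhaustive_check(), "instances checked")
```

The first printed case is the one the proof's "$a_m < b_{n+1}$" branches handle: at $\varepsilon = 0$ every value rounds up to 1 and the single-element side loses, so the witness must lie above $2/5$, where both $b_j$ digitize to 0 while $9/10$ still digitizes to 1.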
Figure 7: The Attributes of Complete Trails

$(C)$:

Flow: For every reset edge $e \in E$ such that $e \ne e_\star$ and $e$ does not arrive at $s_f$,
$$\sum_{\pi \in pred(e)} n(\pi) = \sum_{\pi \in succ(e)} n(\pi).$$

Initiation and Termination:
$$\sum_{first(\pi) = e_\star} n(\pi) = \sum_{last(\pi) = s_f} n(\pi) = 1.$$

Accessibility: For every path $\pi = e_0, \ldots, s_n \in \Pi$ such that $e_0 = e_\star$,
$$(r(\pi) = n(\pi) = 0) \;\vee\; (r(\pi) = n(\pi) = 1).$$
For every other path $\pi \in \Pi$,
$$r(\pi) = n(\pi) = 0 \;\vee\; \bigvee_{\pi' \in pred(\pi)} (0 < r(\pi') < r(\pi)).$$

Time Constraints: For every $\pi \in \Pi$,
$$\bigwedge_{i=1}^{|\pi|} \Big( n(\pi)\, l_i \;\le\; \sum_{j=0}^{i-1} \Delta(s_j) \;\le\; n(\pi)\, u_i \Big).$$
For every $s$ not on any path in $\Pi$, $\Delta(s) = 0$.