Verification of Timed Automata Based on Similarity 1 ... - CiteSeerX

Comment

Report 5 Downloads 49 Views

Fundamenta Informaticae 50 (2002) 1–31

1

IOS Press

Verification of Timed Automata Based on Similarity ´ Piotr Dembinski and Wojciech Penczeky Institute of Computer Science, PAS Ordona 21, 01-237 Warsaw, Poland

fpiotrd, [email protected]

Agata P´ołrolaz Faculty of Mathematics, University of Lodz Banacha 22, 90-238 Lodz, Poland [email protected]

Abstract. The paper presents a modification of the standard partitioning technique to generate abstract state spaces preserving similarity for Timed Automata. Since this relation is weaker than bisimilarity, most of the obtained models (state spaces) are smaller than bisimilar ones, but still preserve the universal fragments of branching time temporal logics. The theoretical results are exemplified for strong, delay, and observational simulation relations.

1. Introduction The problem of automated verification for timed concurrent programs is usually understood as the problem of checking that a finite state graph (model) corresponding to the program satisfies a given property (formula) [6, 15]. Since the complexity of checking a formula in the model is usually linear in the size of the model, the main obstacle in model generation is connected with its size, which can be prohibitive. Knowing in advance the properties, we can influence the process of generating a model in such a way that the model we obtain is a minimal one preserving these properties. Unfortunately, it is not always known how to build minimal models for arbitrary properties (usually expressed by formulas of CTL , the modal -calculus, or TCTL). Therefore, rather than generating minimal models for specific formulas, minimal Partly supported by the State Committee for Scientific Research under the grant No. 8T11C 01419. y Address for correspondence: Institute of Computer Science, PAS, Ordona 21, 01-237 Warsaw, Poland z Address for correspondence: Faculty of Mathematics, University of Lodz, Banacha 22, 90-238 Lodz, Poland

2

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

models preserving whole sublanguages (subclasses of formulas) are generated. This is done by identifying the equivalence preserved by a selected sublanguage of the logic and then generating a minimal model preserving this equivalence. Again, this approach is only partially successful. The reason is that although it is known how to generate minimal models preserving bisimulation (so CTL and TCTL) [1, 2, 3], but it is not known how to generate minimal models preserving maximal-trace equivalence (so LTL) [10]. The aim of our paper is to show that minimal model generation methods can be used not only for preserving bisimulation, but also for preserving a weaker relation like similarity. We know that similarity is induced by the universal fragment of CTL (i.e., ACTL [11]), so preserves LTL [9], but it is still stronger than the trace equivalence. Since preserving the weaker relation results in generating smaller models, our approach constitutes another step towards reducing the unnecessary complexity of automated program verification. Our method is applied to improving the partitioning algorithm used for generating finite abstract models of Timed Automata [1, 2] for both the dense and discrete semantics. Simulating abstract (dense) models can be used for verifying the universal subsets of CTL and TCTL, whereas simulating abstract (discrete) models can be used for checking reachability. This means that the improvement obtained by our algorithm is not at the price of reducing the expressiveness of the tested temporal languages. The rest of the paper is organized as follows: In Section 3, we define general notions of models, bisimulation and simulation, and introduce temporal logics. Then, in Section 4, a standard minimization algorithm generating bisimulating models is recalled (Sec. 4.2), followed by the details of our original modification to this algorithm, allowing for generating abstract simulating models. Section 5 is devoted to the application and implementation of the minimization algorithms for Timed Automata. Basic notions related to them are introduced (Sec. 5.1) and then implementations are presented, both for the standard case of the dense semantics (Sec. 5.2) and for the discrete one (Sec. 5.5). Also, other simulation relations considered in the literature are briefly treated and it is shown that the same approach (and the same implementation scheme) can be easily extended to them (Sec. 5.4). All the cases are illustrated by simple examples, some of them elaborated in details in the Appendix. Preliminary experimental results, indicating the state reduction possibilities of the proposed method, are presented (Sec. 5.6). Section 5 ends in introducing the logic TCTL and its subsets, usually used to express the properties of Timed Automata (Sec. 5.7). It is also briefly indicated in this subsection which of the logics are preserved by the generated models. Summarizing, final remarks end the presentation.

2. Related work The original splitting algorithm for generating minimal models preserving bisimulation has been introduced in [3] and then extended to timed systems in [1, 2, 14]. Algorithms for computing similarity relations of the states of labelled graphs have been considered in [5, 12]. These algorithms could be (potentially) also exploited for generating finite models preserving simulations by splitting, but would give unnecessarily large state spaces in comparison to ours. This follows from the fact that we do not require that all the states forming an equivalence class have to simulate each other. Instead, we exploit the notion of similarity between models as defined in [10, 11]. Our first theoretical results on modifications of the partitioning algorithm have been presented in [7]. Moreover, a preliminary version of this paper appeared in [8].

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

3

3. Preliminaries In this section, we briefly recall basic, well-known notions and results. In what follows, set of reals, and IN - the set of natural numbers.

IR denotes the

3.1. Models and (bi)simulations We start with standard definitions of Kripke structures and models. Definition 3.1. A (Kripke) structure is a triple K = (S; s0 ; !), where S is a set of states, s0 2 S is an initial state, and ! S L S is a labelled transition relation for a fixed set of labels L. A model is a pair M = (K; V ), where V is a valuation function V : S ! 2P V for a fixed set of propositional variables P V . The problem is to decide whether a state s 2 S satisfying a given property is reachable from s0 (i.e., there a0 1 k s1 a! : : : sk a! s), or whether a more exist k 2 IN, s1 ; : : : ; sk 2 S and a0 ; a1 ; : : : ak 2 L s.t. s0 ! complicated property holds for M . In case S and L are finite, there are many well-known algorithms for constructing the reachable subgraph of K and then applying reachability or model checking procedures. However, in many cases, as for timed systems, S becomes infinite. As it has been mentioned before, one of the solutions to this problem is to construct finite structures, corresponding to the infinite ones and preserving the required properties. In the further part of the paper, we are going to show a method of constructing such finite Kripke structures where the simulation relation is the required, properties preserving correspondence. Definition 3.2. (simulation [11]) Let K = (S; s0 ; !) and K 0 = (S 0 ; s00 ; !0 ) be Kripke structures. A relation from K 0 to K if the following conditions hold: 1. s00 2. if s0

s

s

S 0 S is a simulation

s0 , s

a 0 0 a s1 and s01 s, then for every s1 such that s ! s1 , there is s01 such that s0 !

s

s1 .

A structure K 0 simulates a structure K (K 0 s K ) if there is a simulation from K 0 to K . Two structures K and K 0 are called similar if K 1s K 0 and K 0 2s K . The relation s is called bisimulation if the inverse relation ( s ) 1 is a simulation from K to K 0 . K and K 0 are called bisimilar if K 0 s K and K ( s) 1 K 0 . The relations defined above can be extended to models by requiring that the related states agree on the valuations. Properties to be preserved are usually expressed as temporal logic formulas. Below, we introduce these logics and present some known results relating them to various kinds of models.

3.2. Temporal logics: CTL and its subsets

Let P V be a finite set of propositional variables. The set of formulas of CTL can be defined inductively as follows:

'; := p j :' j ' ^

j ' _ j X' j A' j Until('; ) j Until('; )

4

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

The language of CTL consists of all the state formulas, i.e., the formulas of the form A' for each ', and :', ' ^ and ' _ for state formulas ', .

p for p 2 P V ,

The following sublogics of CTL are usually considered:

ACTL. Negation can be applied only to subformulas that do not contain modalities. ACTL. The sublogic of ACTL in which the modality A and modalities X; Until; Until may only appear paired in the combinations AX; AUntil, AUntil. CTL. The sublogic of CTL in which the modality A and modalities X; Until; Until may only appear paired in the combinations AX; AUntil, AUntil. LTL. Restriction to formulas of the form A', where ' does not contain A. a Consider models M = (K; V ), where the edge relation ! is assumed to be total; i.e. 8u 9v; a u ! v . The labels on the edges in the definition of the model are only used in the sequel for the benefit of the description of the suggested algorithms, but are ignored by the interpretation of the temporal logics. Totality is ensured by adding cycles at the end nodes. Let M = (K; V ) be a model and let = s0 a0 s1 be an infinite path of K . Let i denote the suffix si ai si+1 of . Satisfaction of a formula ' in a state s of M , written M; s j= ' or just s j= ', is defined inductively as follows: S1. S2. S3. P1. P2. P3.

M1.

s j= p iff p 2 V (s), for p 2 P V ,

s j= :' iff not s j= ', s j= ' ^

iff s j= ' and s j= , s j= ' _

s j= A' iff j= ' for every path starting at s, j= ' iff s0 j= ' for any state formula ', j= :' iff not j= ', j= ' ^

iff

j= ' and j=

,

iff s j= ' or s j= ,

j= ' _

iff

j= ' or j=

,

j= X' iff 1 j= ' j= Until('; ) iff there is an i 0 such that i j= and j j= ' for all 0 j < i. j= Until('; ) iff for all i 0 (i j= or there is j < i such that j j= '). M j= ' iff s0 j= '.

The following theorem relates temporal logics and models: Let M

= ((S; !; s0 ); V ) and M 0 = ((S 0 ; !0 ; s00); V 0 ) be two models.

Theorem 3.1. ([4, 11]) Let M and M 0 be two (bi-)similar models , where the range of the labelling function V and V 0 is 2P V . Then, M; s0 j= ' iff M 0 ; s00 j= ', for any ACTL (CTL , resp.) formula ' over P V . The reverse of this theorem, essentially stating that no coarser (bi-)simulation preserves the truth value of ACTL (CTL , resp.) formulas, also holds and can be proved by an easy induction, when M and M 0 are finitely branching [10]. Formulated for finite models, but easily extends to infinite ones.

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

5

4. Set-graphs and minimization algorithms In this section, we present two methods of generating finite structures corresponding to infinite ones, based on a minimization algorithm. The first, well-known method allows to obtain models which are bisimilar to the original ones, while models we get by applying the second technique (modification of the first one) are related to them by a simulation relation.

4.1. Set-graphs As it has been mentioned previously, in many cases the set of states S of the Kripke structure becomes infinite. Therefore, rather than constructing structures with individual states as nodes, we construct appropriate finite graphs with nodes being subsets of S . More precisely: Definition 4.1. A structure

G = (W; w0 ; !) is a set-graph over K and L if:

each node w 2 W is a set of states of S and s0 2 w0 2 W , (8w1; w2 2 W )(8a 2 L) w1 !a w2 iff (9s 2 w1 ) (9s0 2 w2) s.t. s !a s0. A set-graph is complete iff (8s 2 S )(9w 2 W ) s 2 w. We are interested in set-graphs preserving the (bi)simulation relation defined in Section 3.1. Usually, in the literature bisimulating set-graphs are considered. These graphs preserve branching time properties of Kripke structures. Moreover, there exists a constructive definition (algorithm) of finite and minimal bisimulating set-graphs [1, 2, 14]. The algorithm is presented in Sec. 4.2. Definition 4.2. (bisimulating set-graph) A set-graph G = (W; w0 ; !) over K = (S; s0 ; !) and L is bisimulating iff (8w1; w2 2 W )(8a 2 L) if w1 !a w2 then (8s 2 w1 ) (9s0 2 w2) s.t. s !a s0. Lemma 4.1. For each Kripke structure

K , K and its bisimulating set-graph G are bisimilar.

Proof: It is easy to check that the relation R S W defined as R = f(s; w) j s 2 wg is a bisimulation. Definition 4.3. (cor-simulating set-graph) A set-graph G = (W; w0 ; !) over a Kripke structure K = (S; s0 ; !) and a set of labels simulating iff for each w 2 W there is a non-empty w or w s.t. s0 2 w0 or and (8w1; w2 2 W )(8a 2 L) if w1 !a w2 then (8s 2 w1 or ) (9s0 2 w2 or ) s.t. s !a s0. Lemma 4.2. For each Kripke structure

ut

L is cor-

K , K and its cor-simulating set-graph G are similar.

Proof: It is easy to check that the relation R W S defined as R = f(w; s) j s 2 wg is a simulation from G to K . Moreover, the relation R0 S W defined as R0 = f(s; w) j s 2 w or g is a simulation from K to G. ut

6

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

The following lemma relates bisimulating and cor-simulating set-graphs: Lemma 4.3. Let K be a Kripke structure and G be its finite and complete set-graph. If G is bisimulating, then G is cor-simulating. Proof: Follows directly from the definitions.

ut

If it does not lead to confusion we often omit the prefix ’cor’, writing simply ’simulating’ instead ’corsimulating’.

4.2. Standard minimization algorithm for bisimulating set-graphs The standard minimization algorithm for bisimulating set-graphs [3] starts from an initial partition 0 of S , i.e., a set of disjoint classes X S , the union of which equals S . The set-graph G = (; [s0 ℄; !), where [s0 ℄ is a node containing the initial state, is called the reduction of S according to . For a given partition of S and X; Y S , define the following auxiliary functions:

prea (X; Y ) = fx 2 X j 9y 2 Y : x !a yg, P rea(X ) = fY 2 j prea(Y; X ) 6= ;g, S P re (X ) = a2L P rea (X ), posta(X; Y ) = fy 2 Y j 9x 2 X : x !a yg, P osta(X ) = fY 2 j posta(X; Y ) 6= ;g, S P ost (X ) = a2L P osta(X ), Definition 4.4. Let be a given partition. is bi-stable iff the reduction set-graph G according to is bisimulating. For X; Y 2 , X is bi-unstable w.r.t. Y iff for some a 2 L, prea (X; Y ) 62 fX; ;g. a Notice that if a partition is bi-stable, then X ! Y iff X = prea (X; Y ) (in G = (; [s0 ℄; !)). The standard minimization algorithm, starting from an initial partition 0 of S , constructs a minimal setgraph Gmin = (; [s0 ℄; !), where the reachable part of (i.e., the set of all the classes of which contain at least one reachable concrete state) is bi-stable and compatibile with 0 , i.e., each class of 0 is a union of nodes of Gmin . The algorithm terminates whenever there is a bisimulation compatibile with 0 of the finite index. The (standard) generic minimization algorithm is parametrised by a non-deterministic function that refines the partition by choosing a class Y 2 w.r.t. which X is bi-unstable, and then effectively splitting X into subclasses which are bi-stable w.r.t. Y . More precisely:

Split(X; )

Split(X; ) = fX g if X is bi-stable w.r.t. all Y in .

Otherwise,

Split(X; ) = fprea (X; Y ); X n prea(X; Y )g, prea (X; Y ) 6= X (i.e., X is bi-unstable w.r.t. Y ).

for some

Y

2 and a 2 L,

such that

In Fig. 1, the pseudo-code of the generic algorithm for building bisimulating set-graphs is presented. The set of reachable classes is denoted by , and the set of stable classes - by . Notice that in the algorithm, YX = fY 2 j Y has been split g = fX g.

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

7

1. := 0 ; := f[s0 ℄g; := ;; 2. while (9X 2 n ) do 3. begin 4. CX := Split(X; ); 5. if (CX = fX g) then 6. begin := [ fX g; := [ P ost (X ); 7. 8. end; 9. else 10. begin YX := fY 2 j Y has been split g; 11. 12. := n YX [ fY 2 CX j s0 2 Y g; := n P re (YX ); 13. := ( n YX ) [ CX ; 14. 15. end; 16. end; Figure 1. A generic minimization algorithm for bisimulating set-graphs

4.3. Minimization algorithm for simulating set-graphs The contribution of our paper relies on suggesting a new type of set-graphs by weakening the bisimulation conditions and then showing how to exploit this definition in the minimization construction. To deal with a similar minimization algorithm (as the one considered in Section 4.2) for cor-simulating set-graphs we start with a modification which consists in replacing classes (nodes) by pairs (X; X or ), X or X S . We call 2S 2S a cor-partition of S if j1 is a partition of S and (X; X or ) 2 implies X or X . Moreover, we require to be such that ([s0 ℄; [s0 ℄) = (fs0 g; fs0 g), which ensures the a a condition s0 2 w0 or to be satisfied. We define (X; X or ) ! (Y; Y or ) for X ! Y . We deliberately use the same notation for the transition relation on and on j1 as the meaning is usually easily understood from the context. Definition 4.5. Let be a given cor-partition.

is si-stable iff G j1= ( j1 ; [s0 ℄; !) is cor-simulating with X or satisfying Def. 4.3 w.r.t. X for each (X; X or ) in . For any (X; X or ); (Y; Y or ) 2 , (X; X or ) is si-unstable w.r.t. (Y; Y or ) iff for some a 2 L, prea (X; Y ) 6= ; and prea (X or ; Y or ) 6= X or . a Notice that if is si-stable, then X ! Y iff X or = prea (X or ; Y or ) (in G = (; w0 ; !), where w0 = ([s0 ℄; [s0 ℄)). Now, the minimization algorithm starts from an initial cor-partition 0 of S , where X or = X , for all (X; X or ) 2 0 and w0 = ([s0 ℄; [s0 ℄). It then constructs a set-graph (minimal up to the non-deterministic function Split) Gmin = (; w0 ; !) such that:

ji

denotes the projection to the i-th component

8

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

X

cor

X

X

a

cor

X

a

a

X

cor

cor

X

X

X

a

a

a possible

Y

cor

Y

si−stable no action

Y

cor

Y

pseudo a−stable cor

modify X

Y

cor

Y

pseudo a−unstable cor split (X, X )

Y

cor

Y

a−unstable cor

split (X, X

cor

) and (Y, Y

)

Figure 2. The four cases for splitting for simulating set-graphs

j1 is compatibile with 0 j1 , the reachable part of is si-stable w.r.t. the constructed subsets X or , i.e., Gmin is cor-simulating w.r.t. those subsets. Now, P re (X; X or ) (and, similarly, P ost (X; X or )) are defined by:

P rea((X; X or )) = f(Y; Y or ) 2 j Y 2 P rea(X )g, P re((X; X or )) = Sa2L P rea((X; X or )), The (non-deterministic) function Split((X; X or ); ) becomes more complicated because it refines both sets (classes) X in j1 and their subsets X or for a chosen pair (Y; Y or ) w.r.t. which (X; X or ) is siunstable. Sometimes (see Fig. 2), not only (X; X or ), but also (Y; Y or ) 2 must be split (and Y or refined). The function Split is defined as follows:

Split((X; X or ); ) = f(X; X or )g if (X; X or ) is si-stable w.r.t. all (Y; Y or ) in . Otherwise, a class (pair) (Y; Y or ) and a label a is chosen, for which prea (X; Y ) 6= ; and prea (X or ; Y or ) 6= X or , and then: 1. Split((X; X or ); ) = f(X; prea (X or ; Y or ))g if (X; X or ) is pseudo a-stable w.r.t. (Y; Y or ), i.e., prea (X or ; Y or ) 6= ;, 2. Split((X; X or ); ) = f(X or ; X or ); (X n X or ; prea (X; Y or )g if (X; X or ) is pseudo a-unstable w.r.t. (Y; Y or ), i.e., prea (X or ; Y or ) = ; and prea (X; Y or ) 6= ;, 3. Split((X; X or ); ) = f(prea (X; Y ); prea (X; Y )); (X n prea (X; Y ); X n prea (X; Y )), (Y or ; Y or ); (Y n Y or ; Y n Y or ))g if (X; X or ) is a-unstable w.r.t. (Y; Y or ), i.e., prea (X or ; Y or ) = prea (X; Y or ) = ;. Now, to obtain the analogous algorithm to that of Fig. 1, for simulating set-graphs we need to:

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

9

substitute ([s0 ℄; [s0 ℄) for [s0 ℄ (line 1),

replace “ := n P re (YX )” by “ := n P re (YX ) n YX ” (line 13), since a stable class can be split if another class is unstable w.r.t. it.

substitute (X; X or ) for X and (Y; Y or ) for Y everywhere in the algorithm, replace the condition “Y has been split” (line 11) with “Y has been split or course, both the cases are possible),

Y or

changed” (of

The pseudo-code of of this algorithm is presented in Fig.3. 1. := 0 ; := f([s0 ℄; [s0 ℄)g; := ;; 2. while (9 (X; X or ) 2 n ) do 3. begin 4. C(X;X or ) := Split((X; X or ); ); 5. if (C(X;X or ) = f(X; X or )g) then 6. begin 7. := [ f(X; X or )g; := [ P ost((X; X or )); 8. end; 9. else 10. begin 11. YX := f(Y; Y or ) 2 j Y has been split or Y or changed g; 12. := ( n YX ) [ f(Y; Y or ) 2 C(X;X or ) j s0 2 Y g; := n P re (YX ) n YX ; 13. := ( n YX ) [ C(X;X or ) 14. 15. end; 16. end; Figure 3.

A minimization algorithm for simulating set-graphs

Lemma 4.4. For a given Kripke structure K = (S; s0 ; !) and a cor-partition of S , our algorithm generates a simulating set-graph, which is never bigger than the minimal bisimulating set-graph obtained starting with the partition j1 . Proof: (sketch) Denote by SplitS (SplitB ) the function Split used for generating simulating (bisimulating, resp.) set-graphs. It is easy to notice, by inspecting the function SplitS , that if a class (X; X or ) with X 6= X or is generated, then the function SplitB generates at least two classes X or and X n X or . (In fact, X could be split by SplitB into much more classes.) Therefore, the number of classes of a simulating set-graph is never bigger than the number of classes of the corresponding bisimulating setgraph. ut

10

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

It follows from the above lemma that the algorithm generating simulating set-graphs terminates if the algorithm generating bisimulating set-graphs terminates. Notice that we are able to compare the sizes of set-graphs if the minimization algorithm for bisimulating set-graph starts from the partition j1 , where is a cor-partition the algorithm for simulating graph has started from. Therefore, in what follows we require the initial partition for bisimulating graphs to be such that [s0 ℄ = fs0 g.

5. Applying minimization algorithm to Timed Automata As we mentioned in the introduction, our main goal is to apply the proposed method of improving the partitioning algorithm to Timed Automata. So far, however, the method has been introduced in general time-abstracting terms, and related to logics that do not contain explicit time parameters. From now on concrete Kripke structures and models related to Timed Automata are going to be of our interest. The whole section is devoted to the task of implementing the minimization algorithms for these automata. This is done by applying directly the notions and results described earlier as well as extending them to some cases specific to Timed Automata and known in the literature, e.g., when the simulation relations are slightly different from that defined in Sec. 3.1 or the basic, concrete semantic model changes from dense to discrete. In each case simple examples illustrate the size of reduction obtained when the algorithms generate cor-simulating set-graphs instead of bisimulating ones.

5.1. Timed Automata and dense models

N = f1; : : : ; ng and X = fx1 ; : : : ; xn g be a set of variables, called clocks. A vector v = (v1 ; : : : ; vn ) 2 IRn is called a valuation (of clocks). Let v be a valuation, Æ 2 IR, and Y X . We define v + Æ = (v1 + Æ; : : : ; vn + Æ ), and v [Y := 0℄ to be the valuation v 0 such that vi0 = vi for xi 2 X n Y and vi0 = 0 for xi 2 Y . By an atomic constraint we mean an expression of the form: xi or xi xj , where 2 f; g, i; j 2 N and 2 IN. A (time) zone is a convex polyhedron in

Let

IRn defined by a finite set of atomic constraints, i.e., the set of all valuations satisfying the constraints. Denote by Z (n) the set of all (time) zones. Definition 5.1. A timed automaton A is a tuple (; S; X; s0 ; E; I ), where

is a finite set of actions, S is a finite set of locations, X = fx1 ; : : : ; xn g is a set of clocks, s0 2 S is an initial location, E S Z (n) 2X S is a transition relation,

I : S ! Z (n) is a location invariant (I (s), for s 2 S , is in fact represented by a set of atomic constraints).

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

11

Each element e of E can be denoted by s ! s0 , which represents a transition from location s to location s0 , performing the action l, with the set Y X of clocks to be reset, and with the zone z defining the enabling condition for e (the zone z is represented by a set of atomic constraints). A (concrete) state of A is a pair q = (s; v ), where s 2 S and v 2 IRn . The set of all the concrete states of A is denoted by Q. The initial state of A is defined as q 0 = (s0 ; v 0 ), where vi0 = 0 for all i 2 N . l;z;Y

Definition 5.2. The structure Fde where the dense transition relation

= (Q; q0 ; !de ) is called the concrete dense Kripke structure of A, !de Q ( [ IR+) Q is defined as follows:

l;z;Y l 0 0 (s; v) ! ! s0 2 E such that v 2 z and de (s ; v ) with l 2 iff there is a transition s 0 0 v = v[Y := 0℄ 2 I (s ) (the action-successor relation), Æ + 0 0 0 0 (s; v) ! de (s ; v ) with Æ 2 IR iff s = s and v = v + Æ 2 I (s); 0 0 ((s ; v ) is denoted by (s; v + Æ )) (the time-successor relation).

Let P V be a set of propositional variables. Definition 5.3. A structure Mde = (Fde ; V ); where V : Q ! holds V (s; v ) = V (s; v 0 ), is called a concrete dense model of A.

2P V

and for all

(s; v); (s; v0 ) 2 Q it

Since concrete dense Kripke structures for Timed Automata are usually infinite, we need to construct their finite set-graphs. In order to use directly our definition of set-graphs of Section 4.1, we simplify (without loosing the generality) the definition of a concrete dense Kripke structure such that all the Æ labels Æ 2 IR+ of !de are replaced by one new symbol 62 . In what follows, by a concrete dense Kripke structure of a timed automaton A we mean the structure Fde = (Q; q 0 ; !de ), where !de Q ( [ f g) Q. In the literature ([13, 14]), the simulation (bisimulation) relation (in the sense introduced in Sec. 3.1) defined for concrete dense structures Fde above is called the strong time-abstracting simulation (bisimulation, respectively).

5.2. Implementation of the standard minimization algorithms for Timed Automata and dense models The key notion in any state space reduction for Timed Automata is that of a region. Finite abstract models (set-graphs) built for Timed Automata use regions as states. Then, in order to effectively implement the minimization algorithms, we have to define the functions P re, P ost and Split in terms of certain operations on regions. Therefore we start with necessary definitions. Definition 5.4. Let s be a location and Z - a zone in Z (n). The set (s; Z ) = f(s; v ) a region. The region (s; ;) is identified with the empty region.

j v 2 Z g is called

Let us introduce the following operations, definitions and notations concerning valuations (v; v 0 ; : : :), zones (Z; Z 0 ; : : :) and regions (R; R0 ; : : :):

v v0 iff 9Æ 2 IR such that v0 = v + Æ.

12

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

Z n Z 0 is a set of disjoint zones such that fZ 0 g [ (Z n Z 0 ) is a partition of Z , R n R0 = f(s; Z 00 ) j Z 00 2 Z n Z 0g for regions R = (s; Z ) and R0 = (s; Z 0 ), Z [Y := 0℄ = fv[Y := 0℄ j v 2 Z g,

[Y := 0℄Z = fv j v[Y := 0℄ 2 Z g, Z * Z 0 = fv 2 Z j (9v0 2 Z 0 ) v v0 and (8v v00 v0 ) v00 2 Z [ Z 0 g,

! s and a zone Z , t 1((s; Z )) = (s0; [Y := 0℄Z \ z), for a transition t : s0 l;z;Y Z %:= fv0 2 IRn j (9v 2 Z ) v v0g, Z .:= fv0 2 IRn j (9v 2 Z ) v0 vg. Notice that the operations *, \, %, ., as well as clock reset (w.r.t. a zone) and its inverse ([Y := 0℄Z , Z [Y := 0℄) preserve zones. These results and the implementation of Z n Z 0 can be found in [1, 15]. Now, to define the function Split we need first to implement the operation cor-simulating set-graphs, we define for regions R; R0

prea . Moreover, to deal with

(R n R0; R n R0) = f(R00 ; R00) j R00 2 R n R0g. In all the cases when an implementation of the minimization algorithm is presented, we assume that a partition (cor-partition) satisfies the (location) invariants. For a given partition of Q and (s; Z ); (s0 ; Z 0 ) 2 , the auxiliary functions of Section 4.2 can be defined as follows:

for an action-successor t 1 ((s0 ; Z 0 )),

t : s

! s0, pret ((s; Z ); (s0 ; Z 0)) = (s; Z \ Z 00), where (s; Z 00 ) =

l;z;Y

for a time-successor , pre ((s; Z ); (s; Z 0 )) = (s; Z * Z 0), P re((s; Z )) = f(s; Z 0 ) 2 j Z 0 * Z 6= ;g [ Ss0 ! sf(s0 ; Z 0) j (Z 0 \ z)[Y := 0℄ \ Z 6= ;g, P ost((s; Z )) = f(s; Z 0 ) 2 j Z * Z 0 6= ;g [ Ss ! s0 f(s0 ; Z 0) j (Z \ z)[Y := 0℄ \ Z 0 6= ;g. It is easy to see how to implement P re and P ost when is a cor-partition (Sec. 4.3). l;z;Y

l;z;Y

5.2.1.

An example of generating a (bi)simulating set-graph

Consider the timed automaton with two clocks x and y given in Fig. 4. In all the examples, we require x and y to be non-negative. Let us denote by i = 1; : : : ; 5 the time zones defined by the following constraints, respectively:

Z : fx = 0 ^ y = 0g Z00 : fx = 0 ^ 0 < y 6g

Z , Z0 , Z00

Z0 : fx > 0 ^ 0 y 6g Zi : fx 0 ^ y 0g.

and

Zi , for

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

13

1<x4

x>4 s2 b

y 3i−1 ei

s0

bi

s3i

s1i

s5 i

s2 i fi

3i−1 < y < 3i+1

s6i

3i < y < 3i+2

...

Figure 15. A scalable automaton

bisimulating

simulating

i

classes

edges

total

classes

edges

total

reduction

1

18

42

60

8

14

22

65%

2

34

82

116

19

39

58

50%

3

50

122

172

32

74

106

39%

4

66

162

228

43

99

142

41%

5

82

202

284

56

131

187

35%

6

98

242

340

54

126

180

47%

7

114

282

396

73

166

239

40%

8

130

322

452

93

224

317

30%

9

146

362

508

104

250

354

40%

10

162

402

564

109

255

364

35%

Figure 16. The sizes of strong time-abstracting (bi)simulating set-graphs

5.7. Timed temporal logics for Timed Automata As it has been mentioned before, it is known (see [4, 11]) that models based on simulating (bisimulating) set-graphs preserve ACTL (CTL , resp.). Therefore, discrete simulating (bisimulating) models for Timed Automata preserve ACTL (CTL , respectively) defined in Section 3.2. However, timed properties of Timed Automata are often expressed in the logic TCTL defined below: Let P V be a finite set of propositional variables. The formulas of follows:

'; := p j :' j ' ^

TCTL are defined inductively as

j ' _ j AUntil ('; ) j AUntil('; )

22

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

where p 2 P V , 2 f; ; g, and 2 IN. Intuitively, AUntil ('; ) means that for every (progressive) run there exists an initial prefix of time length (i.e., less than , greater etc.) such that holds at the last state of the prefix, and ' holds at all its intermediate states. The following sublogic of TCTL is of our interest:

TACTL.

Negation can be applied only to subformulas that do not contain modalities.

In order to give the semantics of TCTL we introduce the notion of timed runs of Timed Automata. For q = (s; v ) 2 Q let (s; v ) + Æ denote (s; v + Æ ). A timed q -run of A is an infinite sequence of

0 0 1 1 2 q0 + Æ0 ! q1 ! q1 + Æ1 ! q2 ! , where q0 = q, li 2 and Æi 2 IR+ concrete states: q0 ! for each i 0. The run is said to be progressive iff i2IN Æi is unbounded. Let Mde be a concrete dense model of a timed automaton A, and f be a function returning a set of all the (progressive) timed q -runs for every concrete state q 2 Q. Æ0 0 1 1 2 Let := q ! q + Æ0 l! q1 Æ! q1 + Æ1 l! q2 Æ! be a timed q-run in a model Mde. The validity (j=) of TCTL formulas is defined as follows:

Æ

S1. S2. S3. S4. M1.

l

Æ

l

Æ

q j= p iff p 2 V (q), for p 2 P V , q j= :' iff not q j= ', q j= ' ^ iff q j= ' and q j= , q j= ' _ q j= AUntil ('; ) iff for every 2 f (q) (9i 0)[j i Æj i)(8Æ Æj ) qj + Æ j= ' _ ℄; q j= AUntil ('; ) iff for every 2 f (q) (8i _ (9j i)(9Æ0 Æj ) s.t. qj + Æ0 j= ' ^ ℄; Mde j= ' iff q0 j= '

j= ' or q j= , ^ (qi + Æi) j= ^ (8j iff q

0 s.t. jiÆj ) (8Æ Æi)[(qi + Æ) j=

As it has been mentioned before, discrete bisimulating (simulating) models for Timed Automata preserve CTL (ACTL , respectively) defined in Section 3.2. Models based on time-abstracting bisimulating set-graphs (built for dense semantics) preserve TCTL [15]. Therefore, it is straightforward to see that models based on time-abstracting simulating set-graphs preserve TACTL. In [2], it is shown how time-abstracting delay bisimulation can be applied for generating models which can be used for verification of the TCTL properties. A similar approach can be used for time-abstracting delay simulation and TACTL.

6. Final remarks We have shown in this paper that a weaker relation (similarity) than bisimilarity can be effectively used to reduce the size of a state graph (model) in general, and the size of a model of a Timed Automaton in particular, still allowing for automated verification of quite large classes of properties (like ACTL , LTL, or TACTL). Our new approach has been introduced in the way which constitutes, together with well-known results, a unified theory. Moreover, we have shown that our algorithm can be implemented for various kinds of equivalence relations and semantics for Timed Automata. Since similar relations have been already studied in this context, our definitions enable a very natural reformulation of known algorithms and lead to better results.

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

23

References [1] Alur, R., Courcoubetis, C., Dill, D., Halbwachs, N., Wong-Toi, H.: An Implementation of Three Algorithms for Timing Verification Based on Automata Emptiness, Proc. of the 13th IEEE Real-Time Systems Symposium (RTSS’92), IEEE Comp. Soc. Press, 1992, 157–166. [2] Alur, R., Courcoubetis, C., Dill, D., Halbwachs, N., Wong-Toi, H.: Minimization of Timed Transition Systems, Proc. of CONCUR’92, 630, Springer-Verlag, 1992, 340–354. [3] Bouajjani, A., Fernandez, J.-C., Halbwachs, N., Raymond, P., Ratel, C.: Minimal State Graph Generation, Science of Computer Programming, 18, 1992, 247–269. [4] Browne, M. C., Clarke, E. M., Grumberg, O.: Characterizing Finite Kripke Structures in Propositional Temporal Logic, Theoretical Computer Science, 59(1/2), 1988, 115–131. [5] Bustan, D., Grumberg, O.: Simulation Based Minimization, Proc. of the 17th Int. Conf. on Automated Deduction (ICAD’2000), Pittsburgh, 2000, 255–270. [6] Clarke, E. M., Grumberg, O., Peled, D.: Model Checking, MIT Press, 1999. [7] Dembi´nski, P., Penczek, W., P´ołrola, A.: Automated Verification of Infinite State Concurrent Systems: an Improvement in Model Generation, Proc. of the 4th Int. Conf. on Parallel Processing and Applied Mathematics (PPAM’01), LNCS, 2001. To appear [8] Dembi´nski, P., Penczek, W., P´ołrola, A.: Verification of Timed Automata Based on Similarity, Proc. of the Int. Workshop on Concurrency Specification and Programming (CS&P’01), 2001, 76–86. [9] Dill, D.: Timing Assumptions and Verification of Finite State Concurrent Systems, in: Automatic Verification Methods for Finite-State Systems, vol. 407 of LNCS, Springer-Verlag, 1989, 197 – 212. [10] Goltz, U., Kuiper, R., Penczek, W.: Propositional Temporal Logics and Equivalences, Proc. of CONCUR’92, 630, Springer-Verlag, 1992, 222–236. [11] Grumberg, O., Long, D. E.: Model Checking and Modular Verification, Proc. of CONCUR’91, 527, SpringerVerlag, 1991, 250–265. [12] Henzinger, M., Henzinger, T., Kopke, P.: Computing Simulations on Finite and Infinite Graphs, Proc. of the 36th Annual IEEE Symposium on Foundations of Computer Science (FOCS’95), 1995, 453–462. [13] Tripakis, S.: Minimization of Timed Systems, http://verimag.imag.fr/tripakis/dea.ps.gz, 1998. [14] Tripakis, S., Yovine, S.: Analysis of Timed Systems Based on Time-Abstracting Bisimulations, Proc. of CAV’96, 1102, Springer-Verlag, 1996, 232–243. [15] Tripakis, S., Yovine, S.: Analysis of Timed Systems Using Time-Abstracting Bisimulations, Formal Methods in System Design, 18(1), 2001, 25–68.

7. Appendix 7.1. The process of generating a simulating set-graph In all our examples, we require x and y to be non-negative real numbers. The classes are given in the form (s; (Z; Z or )) for short (by which we mean ((s; Z )(s; Z or )), where s 2 S and Z , Z or are zones (Z or Z ). The process of generating a simulating set-graph is as follows:

24

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

We start from the initial cor-partition

0 consisting of the classes

C = (s0 ; (fx = 0 ^ y = 0g; fx = 0 ^ y = 0g)), C0 = (s0 ; (fx > 0 ^ 0 y 6g; fx > 0 ^ 0 y 6g)), C00 = (s0; (fx = 0 ^ 0 < y 6g; fx = 0 ^ 0 < y 6g)) and Ci = (si; (fx 0 ^ y 0g; fx 0 ^ y 0g)) for i = 1; 2; 3; 4; 5, where the initial class is C ( = ;, = fC g). 1. The class C has the (stable) time-successor C0 ( 2.

= fC g, = fC; C0 g).

C0 is its own (stable) time-successor, and has the action-successors C1 w.r.t. the action a. Due to this, C0 is pseudo-stable, and its or has to be modified, resulting in C0 = (s0 ; (fx > 0 ^ 0 y 6g; f1 x 3 ^ 0 y 6g)). Now, = ; and = fC g.

3. Considering C again, C0 is its unstable time-successor, and is split into C00 = (s0 ; (f0 < x < 1 ^ 0 y 6g; f0 < x < 1 ^ 0 y 6g)), C01 = (s0 ; (f1 x 3 ^ y 6g; f1 x 3 ^ y 6g)), and C02 = (s0 ; (fx > 3 ^ y 6g; fx > 3 ^ y 6g)). ( = ;, = fC g). 4. Considering = fC g.

C

again, there is no unstability w.r.t. its time-successor

5. Taking C00 into account, it has an action-successor Then, we have

C3 w.r.t.

C00 ,

and

= fC; C00 g,

the action , and is pseudo-stable.

C00 = (s0 ; (f0 < x < 1 ^ 0 y 6g; f0 < x < 1 ^ 2 y 4g)), = ;, = fC g.

6. When we consider C again, C00 is its time-successor, and because of its unstability is split into

C000 = (s0 ; (f0 < x < 1 ^ 0 y < 2g; f0 < x < 1 ^ 0 y < 2g)) C001 = (s0 ; (f0 < x < 1 ^ 2 y 4g; f0 < x < 1 ^ 2 y 4g)) C002 = (s0 ; (f0 < x < 1 ^ 4 < y 6g; f0 < x < 1 ^ 4 < y 6g)) ( = fC g, = ;).

7. Now, C000 is the stable time-successor of C , and we have = fC; C000 g,

= fC g.

8. Then, C000 has a time-successor C01 , w.r.t. which it is pseudo-stable, and,

C000 = (s0 ; (f0 < x < 1 ^ 0 y < 2g; f0 < x < 1 ^ 0 y < 2 ^ y x + 1g)), and again = ;, = fC g.

9. In the next step, we have successor of C .

= fC g and = fC; C000 g again, as C000

is still the stable time-

10. Considering C000 , besides the stable time-successor C01 , there is also the time-successor w.r.t. which C000 is pseudo-unstable. Then, C000 is split into

C001 ,

C0000 = (s0 ; (f0 < x < 1 ^ 0 y < 2 ^ y x + 1g; f0 < x < 1 ^ 0 y < 2 ^ y x + 1g)) and

C0001 = (s0 ; (f0 < x < 1 ^ 1 < y < 2 ^ y > x + 1g; f0 < x < 1 ^ 1 < y < 2 < y > x + 1g)), and again = ; and = fC g.

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

11.

25

C is stable w.r.t. its time-successor C0000 ; = fC g, = fC; C0000 ; C01 g;

12. from C01 , the action can be taken, and C01 is pseudo-stable w.r.t. its successor C3 . Then, C01 = (s0 ; (f1 x 3 ^ y 6g; f1 x 3 ^ 2 y 4g)), = fC g, = fC; C0000 g; 13.

14.

C0000 is pseudo-stable w.r.t. C01 , and C0000 = (s0 ; (f0 < x < 1 ^ 0 y < 2 ^ y x + 1g; f0 < x < 1 ^ y = x + 1g)); = ;, = fC g; C is unstable w.r.t. C0000 , and C0000 is split into C00000 = (s0 ; (f0 < x < 1 ^ 0 y < 2 ^ y < x + 1g; f0 < x < 1 ^ 0 y < 2 ^ y < x + 1g)), C00001 = (s0 ; (f0 < x 1 ^ y = x + 1g; f0 < x 1 ^ y = x + 1g)), = ;, = fC g;

15. again, C is stable, and 16.

17.

= fC g, = fC; C00000 g;

C01 is a time-successor of C00000 causing unstability, and has to be split into C010 = (s0 ; (f1 x 3 ^ 0 y < 2g; f1 x 3 ^ 0 y < 2g)), C011 = (s0 ; (f1 x 3 ^ 2 y 4g; f1 x 3 ^ 2 y 4g)), C012 = (s0 ; (f1 x 3 ^ 4 < y 6g; f1 x 3 ^ 4 < y 6g)); and = ;, = fC g; C00000 is the stable time-successor of C ; = fC g, = fC; C00000 g again;

18. similarly, C00000 is stable,

= fC; C00000 g, = fC; C00000 ; C010 g

19. from C010 , the action a can be taken, leading to C1 (there is no unstability in this case). Moreover, the class C010 has a time-successor C011 , and due to pseudo-stability, or of C010 has to be modified: C010 = (s0 ; (f1 x 3 ^ 0 y < 2g; f1 x 3 ^ 0 y < 2 ^ y x 1g)), = fC; g, = fC; C00000 g; 20. in the next step, we consider C00000 as stable, and again 21.

22.

C010 is pseudo-unstable w.r.t. its time-successor C02 , and has to be split into C0100 = (s0 ; (f1 x 3 ^ 0 y < 2 ^ y < x 1g; f1 x 3 ^ 0 y < 2 ^ y < x 1g)), C0101 = (s0 ; (f1 x 3 ^ 0 y < 2 ^ y x 1g; f1 x 3 ^ 0 y < 2 ^ y x 1g)); = fC g, = fC; C00000 g; C00000 occurs to be stable, and = fC; C00000 g, = fC; C00000 ; C0101 g;

23. similarly, C0101 is stable, and 24. 25.

= fC; C00000 g, = fC; C00000 ; C010 g;

= fC; C00000 ; C0101 g, = fC; C00000 ; C0101 ; C1; C011 g;

C1 is stable (it is its own stable time-successor), = fC; C00000 ; C0101 ; C1 g, = fC; C00000 ; C0101 ; C1 ; C011 g; C011 is pseudo-stable w.r.t. its time-successor C012 , and C011 = (s0 ; (f1 x 3 ^ 2 y 4g; f1 x 3 ^ 2 y 4 ^ y > x + 1g)), = fC; C00000 ; C1 g, = fC; C00000 ; C0101 ; C1 g;

26

26.

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

C0101 is unstable w.r.t. its time-successor C011 ; C011 is split into C0110 = (s0 ; (f1 x 3 ^ 2 y 4 ^ y x + 1g; f1 x 3 ^ 2 y 4 ^ y x + 1g)), C0111 = (s0 ; (f1 x 3 ^ 2 y 4 ^ y > x + 1g; f1 x 3 ^ 2 y 4 ^ y > x + 1g)), = fC; C1 g, = fC; C1 ; C00000 g;

27. the next step adds C00000 to the stable classes: = fC; C1 ; C00000 g, = fC; C1 ; C00000 ; C0101 g; 28. the class C0101 is considered as stable; = fC; C1 ; C00000 ; C0101 g, = fC; C1 ; C00000 ; C0101 ; C0110 g; 29. the same occurs in the case of C0110 , = fC; C1 ; C00000 ; C0101 ; C0110 g, = fC; C1 ; C00000 ; C0101 ; C0110 ; C3 ; C02 g; 30.

C3 is stable (as its own stable time-successor only), = fC; C1 ; C00000 ; C0101 ; C0110 ; C3 g, = fC; C1 ; C00000 ; C0101 ; C0110 ; C3 ; C02 g;

31. from C02 , the action can be taken, and

C02 = (s0 ; (fx > 3 ^ y 6g; fx 4 ^ y 6g)), = fC; C1 ; C00000 ; C0101 ; C3 g, = fC; C1 ; C00000 ; C0101 ; C3 ; C0110 g;

32.

33.

C0110 is unstable w.r.t. its successor C02 , and C02 is split into C020 = (s0 ; (f3 < x < 4 ^ y 6g; f3 < x < 4 ^ y 6g)), C021 = (s0 ; (fx 4 ^ y 6g; fx 4 ^ y 6g)), = fC; C1 ; C00000 ; C3 g, = fC; C1 ; C00000 ; C3 ; C0101 g; C0101 occurs to be stable, = fC; C1 ; C00000 ; C3 ; C0101 g, = fC; C1 ; C00000 ; C3 ; C0101 ; C0110 g;

34. the same occurs for C0110 ,

= fC; C1 ; C00000 ; C3 ; C0101 ; C0110 g, = fC; C1 ; C00000 ; C3 ; C0101 ; C0110 ; C020 g;

35. from C020 , the action can be taken (the class is pseudo-stable), and C020 = (s0 ; (f3 < x < 4g; f3 < x < 4 ^ 2 y 4g)), = fC; C1 ; C00000 ; C3 ; C0101 g, = fC; C1 ; C00000 ; C3 ; C0101 ; C0110 g; 36.

37.

C0110 is pseudo-time-stable w.r.t. C020 , C0110 = (s0 ; (f1 x 3 ^ 2 y 4 ^ y x + 1g; f1 x 3 ^ 2 y 4 ^ y < x + 1g)), = fC; C1 ; C00000 ; C3 g, = fC; C1 ; C00000 ; C3 ; C0101 g; C0101 is stable, = fC; C1 ; C00000 ; C3 ; C0101 g, = fC; C1 ; C00000 ; C3 ; C0101 ; C0110 g;

38. similarly, C0110 is stable, and

= fC; C1 ; C00000 ; C3 ; C0101 ; C0110 g, = fC; C1 ; C00000 ; C3 ; C0101 ; C0110 ; C020 g

39.

C020 is also stable, and = fC; C1 ; C00000 ; C3 ; C0101 ; C0110 ; C020 g, = fC; C1 ; C00000 ; C3 ; C0101 ; C0110 ; C020 ; C021 g;

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

27

40. from C021 , the action b can be taken, and there is no unstability in this case. Moreover, the action

can be also executed (C021 is pseudo-stable w.r.t. C3 ), and C021 = (s0 ; (fx 4 ^ y 6g; fx 4 ^ 2 y 4g)), = fC; C1 ; C00000 ; C3 ; C0101 ; C0110 g, = fC; C1 ; C00000 ; C3 ; C0101 ; C0110 ; C020 g; 41.

42.

43.

44.

C020 is pseudo-time-stable w.r.t. C021 , and C020 = (s0 ; (f3 < x < 4 ^ y 6g; f3 < x < 4 ^ 2 y 4 ^ y xg)), = fC; C1 ; C00000 ; C3 ; C0101 g, = fC; C1 ; C00000 ; C3 ; C0101 ; C0110 g; C0110 is pseudo-time-stable w.r.t. C020 , and C0110 = (s0 ; (f1 x 3 ^ 2 y 4 ^ y x + 1g; f1 x 3 ^ 2 y 4 ^ y xg)), = fC; C1 ; C00000 ; C3 ; g, = fC; C1 ; C00000 ; C3 ; C0101 g; C0101 is pseudo-time-stable w.r.t. C0110 : C0101 = (s0 ; (f1 x 3 ^ 0 y < 2 ^ y x 1g; f1 x 3 ^ 0 y < 2 ^ 0 x y 1g)); = fC; C1 ; C3 ; g, = fC; C1 ; C3 ; C00000 g; C00000 is also pseudo-time-stable w.r.t. C0101 , and C00000 = (s0 ; (f0 < x < 1 ^ 0 y < 2 ^ y < x + 1g; f0 < x < 1 ^ y xg)), = fC1 ; C3 ; g, = fC; C1 ; C3 g;

45.

C is stable, = fC; C1 ; C3 ; g, = fC; C1 ; C3 ; C00000 g;

46.

C00000 is also stable, = fC; C1 ; C3 ; C00000 g, = fC; C1 ; C3 ; C00000 ; C0101 g;

47. the same holds for C0101 ,

= fC; C1 ; C3 ; C00000 ; C0101 g, = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 g;

48. the next step adds C0101 to the stable classes, = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 g, = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 g; 49.

C020 is also stable, = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 g, = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 ; C021 g;

50. the same occurs for C021 ,

= fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 ; C021 g, = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 ; C021 ; C2 g;

51. from C2 , the action d can be taken, leading to C4 . Now, C2 is pseudo-stable, and its or has to be modified: C2 = (s2 ; (fx 0 ^ y 0g; fx 4 ^ y 0g)), = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 g, = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 ; C021 g; 52. again, C021 is stable w.r.t.

C2 , and = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 ; C021 g, = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 ; C021 ; C2 g;

28

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

53. from C2 , also e can be taken, leading to C5 .

C2 is pseudo-stable, and due to this, C2 = (s2 ; (fx 0 ^ y 0g; fx 4 ^ 0 y 6g)), = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 g, = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 ; C021 g;

54. now, C021 occurs to be stable w.r.t.

C2 , and = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 ; C021 g, = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 ; C021 ; C2 g;

55.

C2 is stable w.r.t. both its successors C4 and C5 : = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 ; C021 ; C2 g, = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 ; C021 ; C2 ; C4 ; C5 g;

56. in the last two steps of the algorithm, C4 and C5 are added to stable classes, = fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 ; C021 ; C2 ; C4 ; C5 g,

= fC; C1 ; C3 ; C00000 ; C0101 ; C0110 ; C020 ; C021 ; C2 ; C4 ; C5 g and the algorithm terminates.

7.2. The process of generating simulating set-graph using modified time-successors Again, we start from the initial cor-partition

0 consisting of the classes

C = (s0 ; (fx = 0 ^ y = 0g; fx = 0 ^ y = 0g)), C0 = (s0 ; (fx > 0 ^ 0 y 6g; fx > 0 ^ 0 y 6g)), C00 = (s0; (fx = 0 ^ 0 < y 6g; fx = 0 ^ 0 < y 6g)) and Ci = (si; (fx 0 ^ y 0g; fx 0 ^ y 0g)) for i = 1; 2; 3; 4; 5, where the initial class is C ( = ;, = fC g). 1. The class C has the time-successor C0 , w.r.t. which it is stable; ( 2.

C0 is its own (stable) time-successor, and has the action-successor C2 w.r.t. this, C0 is pseudo-stable, and its or has to be modified: C0 = (s0 ; (fx > 0 ^ 0 y 6g; fx 4 ^ 0 y 6g)). Now, = ;, = fC g;

3. considering 4.

5. 6.

7.

= fC g, = fC; C0 g). the action b. Due to

C , it is stable w.r.t. its time-successor C0 , and = fC g, = fC; C0 g;

C0 is stable w.r.t. its action-successor C2 , but pseudo-unstable w.r.t. the action a and its successor C1 . Then, C00 = (s0 ; (f0 < x < 4 ^ 0 y 6g; f1 x 3 ^ 0 y 6g)), C01 = (s0 ; (fx 4 ^ 0 y 6g; fx 4 ^ 0 y 6g), = ;, = fC g; C occurs to be stable w.r.t. C00 , = fC g, = fC; C00 g; C00 is pseudo-stable w.r.t. C2 , and C00 = (s0 ; (f0 < x < 4 ^ 0 y 6g; f1 x 3 ^ 2 y 4g)), = ;, = fC g; C occurs to be stable w.r.t. C00 , = fC g, = fC; C00 g;

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

8.

9. 10. 11.

C00 is pseudo-stable w.r.t. its time-successor C01 , and C00 = (s0 ; (f0 < x < 4 ^ 0 y 6g; f1 x 3 ^ 2 y 4 ^ y x + 2g)), = ;, = fC g; C is stable w.r.t. C00 , and = fC g, = fC; C00 g; C00 is also stable w.r.t. all its successors, and = fC; C00 g, = fC; C00 ; C01 ; C1 ; C3 g; C01 is pseudo-stable w.r.t. its successor C2 , and C01 = (s0 ; (fx 4 ^ 0 y 6g; fx 4 ^ 2 y 4g), = fC g, = fC; C00 ; C1 ; C3 g;

12. now, C00 is pseudo-stable w.r.t. its time-successor

C01 , and C00 = (s0 ; (f0 < x < 4 ^ 0 y 6g; f1 x 3 ^ 2 y 4 ^ y xg)), = ;, = fC; C1 ; C3 g;

13. 14.

C is stable w.r.t. C00 , = fC g, = fC; C00 ; C1 ; C3 g; C00 is stable w.r.t. its action-successors C1 and C3 and its time-successor C01 , and again = fC; C00 g, = fC; C00 ; C01 ; C1 ; C3 g;

15. in the next two steps, C1 and C3 are added to the stable classes: = fC; C00 ; C1 ; C3 g, = fC; C00 ; C1 ; C3 ; C01 g; 16.

C01 is stable w.r.t. C2 and C3 , and = fC; C1 ; C3 ; C00 ; C01 g, = fC; C1 ; C3 ; C00 ; C01 ; C2 g;

17. from C2 , the action d can be taken, which causes pseudo-stability: C2 = (s2 ; (fx 0 ^ y 0g; fx 4 ^ y 0g)), = fC; C1 ; C3 ; C00 ; g, = fC; C1 ; C3 ; C00 ; C01 g; 18. 19.

C01 is still stable w.r.t. C2 and C3 : = fC; C1 ; C3 ; C00 ; C01 g, = fC; C1 ; C3 ; C00 ; C01 ; C2 g; C2 is pseudo-stable w.r.t. the action e and the class C5 : C2 = (s2 ; (fx 0 ^ y 0g; fx 4 ^ 0 y 6g)), = fC; C1 ; C3 ; C00 g, = fC; C1 ; C3 ; C00 ; C01 g;

20. again, C01 is stable w.r.t.

C2 and C3 : = fC; C1 ; C3 ; C00 ; C01 g, = fC; C1 ; C3 ; C00 ; C01 ; C2 g;

21.

C2 is stable w.r.t. both its successors C4 and C5 : = fC; C1 ; C3 ; C00 ; C01 ; C2 g, = fC; C1 ; C3 ; C00 ; C01 ; C2 ; C4 ; C5 g;

22. finally, C4 and C5 are added to the list of the stable classes, = fC; C1 ; C3 ; C00 ; C01 ; C2 ; C4 ; C5 g, = fC; C1 ; C3 ; C00 ; C01 ; C2 ; C4 ; C5 g, and the algorithm terminates.

29

30

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

7.3. Time-abstracting delay-simulating set-graph generation.

0 consisting of the classes C = (s0 ; (fx = 0 ^ y = 0g; fx = 0 ^ y = 0g)), C0 = (s0 ; (fx > 0 ^ 0 y 6g; fx > 0 ^ 0 y 6g)), C00 = (s0; (fx = 0 ^ 0 < y 6g; fx = 0 ^ 0 < y 6g)) and Ci = (si; (fx 0 ^ y 0g; fx 0 ^ y 0g)) for i = 1; 2; 3; 4; 5, where the initial class is C ( = ;, = fC g). As before, we start from the initial cor-partition

1. Class C is stable w.r.t. its time-successor = fC g, = fC; C0 ; C1 ; C2 ; C3 g.

C0 and action-successors C1 , C2 and C3 . Then,

2. Considering C0 , the class occurs to be pseudo-stable w.r.t. the action a and its successor C1 . Then, C0 = (s0 ; (fx > 0 ^ 0 y 6g; f0 < x 3 ^ 0 y 6g)), = ;, = fC; C1 ; C2 ; C3 g; 3. again, C is stable, and = fC g, = fC; C0 ; C1 ; C2 ; C3 g, 4.

C0 is stable w.r.t. b and C3 , but pseudo-stable w.r.t. and C3 , and C0 = (s0 ; (fx > 0 ^ 0 y 6g; f0 < x 3 ^ 0 y 4g)), = ;, = fC; C1 ; C2 ; C3 g;

5. again, C is stable, and = fC g, = fC; C0 ; C1 ; C2 ; C3 g, 6. the same occurs for C0 , giving = fC; C0 g, = fC; C0 ; C1 ; C2 ; C3 g, 7. in the next two steps, C1 and C3 are added to stable classes: = fC; C0 ; C1 ; C3 g, = fC; C0 ; C1 ; C2 ; C3 g; 8.

9.

C2 is stable w.r.t. the action d and C4 , but pseudo-stable w.r.t. the action e and C5 : C2 = (s2 ; (fx 0 ^ y 0g; fx 0 ^ y 6g)); = fC1 ; C3 g, = fC; C0 ; C1 ; C2 g; C is stable, and = fC; C1 ; C3 g, = fC; C0 ; C1 ; C2 ; C3 g;

10. the same holds for C0 , = fC; C0 ; C1 ; C3 g, = fC; C0 ; C1 ; C2 ; C3 g; 11. similarly, C2 is considered as stable, = fC; C0 ; C1 ; C2 ; C3 g, = fC; C0 ; C1 ; C2 ; C3 ; C4 ; C5 g; 12. finally, C4 and C5 are added to the list of the stable classes: = fC; C00 ; C1 ; C2 ; C3 ; C01 g, = fC; C00 ; C1 ; C2 ; C3 ; C01 ; C4 ; C5 g; and the algorithm terminates.

P. Dembi´nski et all. / Verification of Timed Automata Based on Similarity

31

7.4. Simulating set-graph - discrete case The following example shows the process of generating discrete simulating set-graph for the automaton in Fig. 11. Similarly as before, we start from the initial cor-partition 0 consisting of the classes C = (s0 ; (fx = 0 ^ y = 0g; fx = 0 ^ y = 0g)), C0 = (s0 ; (fx > 0 ^ y 0g; fx > 0 ^ y 0g)), C00 = (s0 ; (fx = 0 ^ y > 0g; fx = 0 ^ y > 0g)) and C1 = (s1 ; (fx 0 ^ 0 y 6g; fx 0 ^ 0 y 6g)), Ci = (si ; (fx 0 ^ y 0g; fx 0 ^ y 0g)) for i = 2; 3; 4; 5; 6, where the initial class is C ( = ;, = fC g). 1. The class C is stable w.r.t. its action-successor

C1 , = fC g, = fC; C1 g;

2. from the class C1 , the action a can be taken. There is pseudo-stability w.r.t. C1 = (s1 ; (fx 0 ^ 0 y 6g; f0 x 3 ^ 0 y 6g)); = ;, = fC g; 3. again, C is stable w.r.t. its action-successor

C2 , and

C1 , = fC g, = fC; C1 g;

4. from C1 , the action b can be taken, leading to C3 . There is no unstability in this case, but considering and C4 , C1 occurs to be pseudo-stable, and C1 = (s1 ; (fx 0 ^ 0 y 6g; f0 x 3 ^ 0 y 4g)); = ;, = fC g; 5. again, C is stable w.r.t. its action-successor 6.

C1 , = fC g, = fC; C1 g;

C1 is stable w.r.t. all its successors C2 , C3 and C4 , and = fC; C1 g, = fC; C1 ; C2 ; C4 ; C3 g;

7. in the next two steps, C2 and C4 are added to the list of stable classes: = fC; C1 ; C2 ; C4 g, = fC; C1 ; C2 ; C4 ; C3 g; 8. from C3 , the action pseudo-stable and

d can be taken.

The class is stable, but considering the action

C3 = (s3 ; (fx 0 ^ y 0g; fx 0 ^ 0 y 6g)); = fC; C2 ; C4 g, = fC; C1 ; C2 ; C4 g;

9.

C1 is stable w.r.t. all its successors, and = fC; C1 ; C2 ; C4 g, = fC; C1 ; C2 ; C4 ; C3 g;

10. similarly, C3 is stable,

= fC; C1 ; C2 ; C4 ; C3 g, = fC; C1 ; C2 ; C4 ; C3 ; C5 ; C6 g;

11. the two last steps of the algorithm add C5 and C6 to the stable classes: = fC; C1 ; C2 ; C4 ; C3 ; C5 ; C6 g, = fC; C1 ; C2 ; C4 ; C3 ; C5 ; C6 g;

e and C5 , it is

Recommend Documents

Verification of Asynchronous Circuits using Timed Automata