Real-Time Model-Checking: Parameters Everywhere

Transcription

1 FHGJIKDLMNPOQG R SUT G<KVLXWZY[G]\<^<NP_J`badceIgf*IhOiGkjGgf$l mhngggfpoqqyrggfg sut57b*)wvb9x! yx59{zp 57!<,}&~x!-,}$ }5ƒ,}& )+ ˆ",x x)š %*)+ k u(5 r,x ˆ&,5 )w,(š zg 9((*(57œ!-~ ; z,u ž (Ÿ B5ƒ,}{ Œ =AwE*(@4?A?4= %{ Œ Ž*Žx AV9( ; A,&#4A ;*!$Ž4~ ) Ž& ~}Ž4#

2 Real-Time Model-Checking: Parameters Everywhere VÉRONIQUE BRUYÈRE Institut d Informatique Université de Mons-Hainaut, Le Pentagone, Avenue du Champ de Mars, B-7000 Mons, Belgium, VeroniqueBruyere@umhacbe JEAN-FRANÇ OIS RASKIN Département d Informatique Université Libre de Bruxelles, Boulevard du Triomphe CP, B-050-Bruxelles, Belgium Jean-FrancoisRaskin@ulbacbe Abstract In this paper, we study the model-checking and parameter synthesis problems of the logic TCTL over timed automata where parameters are allowed both in the model (timed automaton) and in the property (temporal formula) Our results are as follows On the negative side, we show that the model-checking problem of TCTL extended with parameters is undecidable over timed automata with only one parametric clock The undecidability result needs equality in the logic On the positive side, we show that when equality is not allowed in the logic, the model-checking and the parameter synthesis problems become decidable Our method is based on automata theoretic principles and an extension of our method to express duration of runs in timed automata using Presburger arithmetic Introduction In this paper, we further investigate the model-checking problem of real-time formalisms with parameters In recent works, parametric real-time model-checking problems have been studied by several authors Alur et al study in [AHV9] the analysis of timed automata where clocks are compared to parameters They showed that when only one clock is compared to parameters, the emptiness problem is decidable But this problem becomes undecidable when three clocks are compared to parameters Wang in [Wan95, WH97], Emerson et al in [ET99], Alur et al in [AETP99] and the authors of this paper in [BDR0] study the introduction of parameters in temporal logics The model-checking problem for TCTL extended with parame- Supported by the FRFC project Centre Fédéré en Vérification funded by the Belgian National Science Fundation (FNRS) under grant nr 4500 ters over timed automata (without parameters) is decidable On the other hand, only a fragment of LTL extended with parameters is decidable Unfortunately, in all those previous works, the parameters are only in the model (expressed as a timed automaton) or only in the property (expressed as a temporal logic formula) Nevertheless, when expressing a temporal property of a parametric system, it is natural to refer in the temporal formula to the parameters used in the system In this paper, we study the model-checking problem of the logic TCTL extended with parameters over the runs of a timed automaton with one parametric clock To the best of our knowledge, this is the first work that study the model-checking and parameter synthesis problems with parameters both in the model and in the property Let us illustrate the kind of properties that we can express with a parametric temporal logic over a parametric timed automata The automaton of Figure is a discrete timed automaton with two clocks and two parameters and Here we explicitely model the elapse of time by self loops labelled by Other transitions are instantaneous State is labelled with atomic proposition and in all other states this proposition is false The possible runs of this automaton starting at are as follows The control instantaneously leaves and goes through to come back in, the time spent in this cycle is constrained by the parameters and In fact, the control has to leave at most time units after entering it and the control has stay exactly time units in state To express properties of those behaviors, we use TCTL logic augmented with parameters Let us consider the next three formulae for configuration, ie the control is in state and clocks and have value : "!#$&%(*) 7 +,

3 4 q 0 y q 0 σ y = 0 {x} x= θ 0 {y} q x θ {x} 0 x θ q formulae given in the example above are in the decidable fragment The paper is organized as follows In Section, we introduce the model of one parametric clock timed automaton and the parametric extension of TCTL that we consider In Section, we establish the undecidability of the modelchecking problem if equality can be used in the logic and we show how to solve the problem algorithmically if the use of equality is not allowed in the logic Proofs of two important propositions introduced in Section are postponed in Section 4 We finish the paper in Section 5 by drawing some conclusions Parameters Everywhere +, Figure A parametric timed automaton!# "! $ %( ) * 0 4 4*!# +!# $ ) * The parameter synthesis problem associated to formula, asks for which values of and, the formula is true at configuration + By observing the model and the formula, we can deduce the following constraint on the parameters: 4 This means that any cycle throught the four states has duration bounded by 4 Formula + formalizes the next question In all the cases where the value assigned to parameter is greater than the value assigned to parameter, is it true that any cycle has a duration bounded by 4 4? As there is no free parameter in the question, the question has a YES-NO answer This is a model-checking problem For formula,, the answer is YES in configuration Finally, formula +, lets parameter free and formalizes the question What are the possible values that can be given to such that for any value of &, a cycle throught the four states lasts at most time units? This is again a parameter synthesis problem and the answer is In this paper, we study the algorithmic treatment of such problems Our results are as follows On the negative side, we show that the model-checking problem of TCTL extended with parameters is undecidable over timed automata with only one parametric clock The undecidability result needs equality in the logic On the positive side, we show that when equality is not allowed in the logic, the modelchecking problem becomes decidable and the parameter synthesis problem is solvable Our algorithm is based on automata theoretic principles and an extension of our method (see [BDR0]) to express durations of paths of a timed automata using Presburger arithmetic In particular, all the In this section, we introduce parameters in the automaton used to model the system as well as in the logic used to specify properties of the system The automata are parametric timed automata as defined in [AHV9] with a discrete time domain and one parametric clock The logic is Parametric Timed CTL Logic as defined in [BDR0] Notation Let be a fixed finite set of parameters that appear both in the automata and in the logical formulae A parameter valuation for is a function! which assigns a natural number to each parameter In the, with sequel, & mean any linear term! " "# and $&%( )+* A parameter valuation is naturally extended to linear terms by defining (, for any We denote by the unique parametric clock The same notation is used for both the clock and a value of the clock A guard - is any conjunction of +, with 0 * We denote by the set of guards Notation +4- means that satisfies - under valuation We use notation for the set of atomic propositions Parametric Timed Automata We recall the definition of one parametric clock timed automata as introduced in [AHV9] We make the hypothesis that non-parametric clocks have all been eliminated by a technique related to the region construction, see [AHV9] for details Definition A parametric timed automaton is a tuple 5 #7 9, where 5 is a finite set of states, 7:%;5=< >*<?@< 4BADC!EF<?5 is a finite set of edges, GB5! 4H is a labeling function and 9IJ5 9 + to each state A configuration of and is a clock value!k assigns an invariant is a pair +, where is a state

4 Whenever a parameter valuation is given, becomes a usual one-clock timed automaton denoted by We recall the next definitions of transition and run in Definition Let be a parameter valuation A transition + *(! + * between two configurations + and + * is allowed in if () 9 + and 9 +, () there exists an edge - 7 such that? - and if *, if A run +* of is an infinite sequence of transitions *,! * such that (Non Zenoness property) The duration D +* at configuration + * of is equal to : % A finite run is a finite sequence of transitions It is shortly denoted by + *( * such that + *( (resp + * ) is its first (resp last) configuration Its duration D is equal to D Note that in the previous definition of transition, time increment is first added to, guard - is then tested, and finally is reset according to Parametric Timed CTL Logic Formulae of Parametric Timed CTL logic, PTCTL for short, are formed by a bloc of quantifiers over some parameters followed by a quantifier-free temporal formula They are defined as follows Notation means any atomic proposition and D are linear terms as before Definition 4 A PTCTL formula is of the form G such that, B* %(, 5 - * for each,, and is given by the following grammar & 5?+G! " U(*)+ U(,) Note that usual operators U and U are obtained as U and U We also use the following abbreviations: $-(*)+ for U(*), $-(*) for U(,)+, (,) for $(,)+ ", and 0(,) for $-(*) " We use notation QF-PTCTL for the set of quantifier-free formulae of PTCTL The set of parameters that are free in, that is, not under the scope of a quantifier, is denoted by 4 Thus, for a QF-PTCTL formula, we have 5 So the set of free parameters of are the parameters that appear effectively in the formula and in the automaton We now give the semantics of PTCTL Definition 5 Let be a parametric timed automaton and + *( be a configuration of Let, be a PTCTL formula Given a paramater valuation on, the satisfaction relation * is defined inductively as follows If 7, then *( according to following rules: 9 + iff there exists a run * in with + + and iff there exists a run + *, in with + + and ( G 9 + " iff * : ; 9 + <$>= iff + or *( = 9?& + iff there exists a run + *, in with + + and * U(*) = iff there exists a run + in with + *( +, there exists such that D * 4 (, + = and + * 4 for all 9 U(,)= iff for any run " *, in with + +, there exists such that D + * ((, + = and for all If, then + *( iff there exists such that + BA- where is defined on C A by on C and If, then * iff for all, + BA- where is defined on C A by on C and G The problems that we want to solve in this paper are the next ones The first problem is the model-checking problem for PTCTL formulae with no free parameters In this case, we omit the index by in the satisfaction relation + since no parameter (neither in the automaton nor in the formula) has to receive a valuation Problem The model-checking problem is the following Given a parametric timed automaton and a PTCTL formula such that 0, given a configuration + *( of, does + *( D hold? The second problem is the more general problem of parameter synthesis for PTCTL formulae such that is any subset of Problem 7 The parameter synthesis problem is the following Given a parametric timed automaton and a configuration + *( of, given a PTCTL formula, compute a symbolic representation of the set of parameter valuations on such that + 0 This symbolic representation should support boolean operations, projections and checking emptiness We verify the existence of a run starting in EGF#HJILK to ensure that time can progress in MON from that configuration

5 $ Decision Problems In this section, we prove that the model-checking problem is decidable when equality is not used in operators U(,) and U(,) Our proof is based on a translation to Presburger arithmetic We prove that the model-checking problem becomes undecidable as soon as equality is allowed When equality is not used, we solve the more general parameter synthesis problem for formulae of QF-PTCTL Our approach is as follows : we construct a Presburger formula 5+ with free variables and all such that + iff 5 ( is true, for any valuation on and any value of the clock Therefore the model-checking problem is decidable since Presburger arithmetic has a decidable theory Indeed, if we denote by 5 a PTCTL formula with no free parameters, then + * 4 iff 5 5 is true In the sequel, we use subscripts to indicate what are the limitations imposed to in operators U(*) and U(*) For instance, notation PTCTL means that A E can only be equality Undecidability Results for Equality We prove here that Problem is undecidable for PTCTL The proof relies on the undecidability of Presburger arithmetic with divisibility A E Presburger arithmetic with divisibility, PAD for short, is an extention of Presburger arithmetic with integer divisibility relation The additional divisibility relation is noted as and means divides Let be variables with 0 and be a linear term over the set of variables Every formula of PAD can be put into the following form: 5 5 # = where $ * and each is one of the following atomic formulae:,,,,, We say that such a formula is in normal form The Presburger theory is the set of its sentences that are true While PA is a decidable theory, PAD theory is undecidable [Bès0] Theorem For any sentence of PAD, we can construct a parametric timed automaton, a configuration + and a PTCTL formula such that is TRUE iff the answer to the model checking problem + * 4 for is YES Proof Let us make the assumption that sentence is in normal form, that is 5 5 # σ 0 {x} x z 0 x=z x=z 0 {x} Figure Automaton for We are going to construct a PTCTL formula A E and a paramatric timed automaton over the set of parameters equal to 5 * For each subformula of the form or, we define the PTCTL formula A E For each subformula of the form, we construct the next parametric timed automaton and PTCTL formula A E The automaton given in Figure We label the unique initial state of this automaton by and the unique final state by It is easy to see that there is a path from the initial state to the final state with length! iff! For formula, we take #" A+ Now we construct formula as follows 5 $ 5 5 & 0J7% J7% 000 J7% We construct the automaton by first taking the union of all the previous automata (introduced for the divisibility subformulae) We then merge their initial states into a unique state of that we call The label of is the union of the labels Finally, we add a new state to and an edge J B from any final state of to state labelled with and without guard and reset To complete the construction, we add a self-loop + on that allows time to progress It is easy to see that given, we have 4 iff is TRUE As a direct consequence of the last theorem, we have: Corollary 9 The model-checking problem for PTCTL is A E undecidable Decidability for PTCTL without Equality In this section, we provide solutions to the modelchecking problem and the parameter synthesis problem for PTCTL A & % )(& Our solutions require to work with automata that are more general than in Definition E Notation +* 0 Linear terms & are any ", with "# (instead of ) Whenever a linear term is used, σ 4

6 Comparison symbol belongs to the extended set 0 * For any constant, notation (resp ) means and (resp ) Equivalently, (resp ) iff there exists such that (resp ) Any is called an -atom, any is called an -atom An -formula is any conjunction of -atoms, and a -formula is any conjunction of -atoms We denote by C the set of boolean combinations of -atoms and it is supposed that -atoms Lemma Any formula of C can be rewritten as a disjunction of conjunctions of -atoms and -atoms with limited to 0 * Proof The formula is first put into disjunctive normal form Second we suppress negation in any as follows This is done easily for B 0 * Negation is replaced by $ 0 Negation is equivalent to 0?$ Similarly for Third we replace and thanks to, 0 and Finally this formula is put into disjunctive normal form Definition An extended parametric timed automaton 5 #7 9 is defined as before except that () any guard - used in 7 is an -formula, () function 9 5! C assigns to any state an invariant in C From now on, we call automaton any extended parametric timed automaton It should be noted that the extension of to 0 * is only valid inside automata, and not inside PTCTL formulae Solutions to the model-checking problem and the parameter synthesis problem are obtained as a corollary of the next theorem Theorem Let be an automaton and be a state of formula Then there Let be a QF-PTCTL A & % )( E exists a C formula 5+ with free variables and all such that * iff 5+ ( * is true, for any valuation on and any clock value ( The construction of formula 5 is effective Corollary 4 The model-checking problem for PTCTL A & % )( is decidable E Proof Let 5 be a PTCTL formula with no free parameters Then * iff is true Note that any C formula is a Presburger formula Indeed operators and can be rewritten in Presburger arithmetic, * as well as any linear term 5 ", with "*D since they satisfy (see Notation 0) As Presburger arithmetic has a decidable theory, the model-checking problem is decidable Since the construction of formula 5 is effective and that Presburger arithmetic supports boolean operations, projections and checking emptiness, the next corollary is immediate Corollary 5 Let be an automaton and * be a configuration of Let * %( with and let 5 000?5 be a PTCTL A % )( formula E Then formula with free parameters in is an effective characterization of the set of valuations on 0 such that * The proof of Theorem is by induction on the way formula is constructed Instead of the grammar given in Definition 4, we prefer to work with the grammar & 5 #+G "-$" & U(,)& )& This grammar is equivalent because % ) can be replaced by ), formula ) by ( ) 7 $?, formula ( ) by "& $ % ), and formula U(,) = byj?= U(,) "?= #$ (*)?= It is not difficult to check that the semantics of the new operator ) is given by + *( ) iff there exists a run + of with * + such that *? for any such that D * Let us give a flavour of the proof of Theorem on formula O& O& The satisfaction relation + & holds iff in, there exists a transition + *! + * such that * < and + is the first configuration of an infinite run Suppose that A 5 has been constructed by induction as a formula of C If we replace invariant 9 of state by 9+ A 5, then relation + * holds automatically So, what we still need is a C formula that expresses the existence of an infinite run in starting at configuration + * This is possible: Proposition Let be an automaton and be a state Then there exists a C formula such that for any valuation and any clock value, D * is true iff there exists an infinite run in starting with + The construction of is effective The proof of this proposition is postponed in Section 4 Looking at the semantics of formula U(,) =, we see that we also need a C formulae that expresses the existence of a finite run in starting and ending at given configurations such that D ( This is again possible: 5

7 Notation 7 Let be an automaton and be a valuation of and a clock value, we denote such that there exists a Given two states by C A the set of durations finite run * in such that D be an automaton and be two 0 * and be a linear term Then there exists a C formula (*) A such that for any valuation and any clock value, (*) A D * is true iff there exists ; in set C A The construction of (*) A is effective Proposition Let states Let The proof of this proposition is also postponed in Section 4 We are now ready to proof Theorem We first need the next variations of Propositions and Lemma 9 Let be an automaton and be a state Let C There exists a formula + in C such that for any valuation and any clock value, D * is true iff there exists an infinite run in with first configuration * and + 4 Proof First is modified as follows A copy of is added to 5 such that + and 9 9+ A copy -( is also added for any edge + -( leaving Then by Proposition applied to, we get the expected formula + Lemma 0 Let be an automaton and be a state Let C for all 5 There exists a formula in C such that for any valuation and any clock value, + ( is true iff there exists an infinite run in such that for each configuration *( of Proof The proof is similar to the previous one The automaton is modified such that for any state of 5, 9 ( is replaced by 9 Proposition We obtain formula by Lemma Let be an automaton and be two states Let 0 * and be a linear term Let C, for all 5 Let C There exists a formula A A + in C such that for any valuation (,) and any clock value (,), A A + ( * is true iff there exists a finite run in such that D, + * and *( for every configuration *( of distinct from * Proof A copy of is added to 5 as well as a copy of any edge of 7 entering as entering Then + and 9 9+ For any state of 5, 9 ( is We obtain formula (*) replaced by 9 ( thanks to Proposition applied to A A, then iff there exists an infinite run starting with Proof of Theorem (by induction on ) If and + Therefore 5 if otherwise Similarly, if +G with 0 5 G *, then If = $, then 5 $ If?=, then 5 & Let us now treat = Recall that B& * = iff there exists a transition + *! + * such that + *? = and + is the first configuration of an infinite run Let - be the edge of 7 that has lead to transition *! + Then, if *, and if By induction hypothesis, A has been constructed such that A ( is true iff + * 4 ;= Thus, by Lemma 9 with A, we get the expected formula 5 A 9+ A A * $ A 9 + A A! + where 7#" is the set of edges that reset the clock Let us turn to formula = U(*) We have + & iff either () (, * and + is the first configuration of an infinite run, or () there exists a finite run * > such that D (, = is satisfied at any configuration of distinct from *, is satisfied at and + is the first configuration of an infinite run For any state 5, formulae and have been constructed by induction hypothesis So, in the first case, by Lemma 9 with, we have the next formula $ + G % + In the second case, we first apply Lemma 9 to state formula A to get formula by Lemma with next formula $ A&, (*) A A + Therefore, formula 5 is the disjunction $ and A A % + After, 5 and, we get the $ $ A A Let be ) = Then * iff there exists a finite run * such that D (, * = for each configuration of distinct from + * and * is the first configuration of an infinite run As above, we construct formula $ A& ) A A +

8 5 and A*+ Hence 5 $ A Finally, suppose that ;= Then + iff there is an infinite run with first configuration + such where, is formula A that all its configurations satisfy = It follows by Lemma 0 with, 5, that 5 + is equal to + The proof is completed since all the formulae belong to C and their construction is effective 4 Durations The aim of this section is a proof of Propositions and Several steps are necessary In Subsections 4 and 4, we work with a reset-free automaton such that the clock is never reset, and we concentrate on runs of the form * 0, $,, such that $ and are fixed subsets of states, and is a fixed clock value In Subsection 4, a sequence of transformations is performed on the automaton such that -terms used in guards and invariants are limited to equalities " These simplifications allow the description by a Presburger formula of durations of runs * - J 0, $,, in Subsection 4 In the last subsection, no restriction is no longer imposed to The automaton is just slightly modified in a way to reset clock inside a state (called reset-state), instead of along an edge We there study in details set C A introduced in Notation 7 Any run * + 0 can be decomposed into a sequence of runs,, going from reset-states to reset-states Its duration is thus the sum of durations, Any falls into durations being studied in Section 4 Therefore, set C A is symbolically described by a rational expression whose letters are durations in resetfree automata Thanks to this rational expression, we are finally able to prove Propositions and 4 Automata Transformations Hypothesis ( ) We assume that 5 D$ #7 9 is a reset-free automaton with a set $%(5 of initial states and a set %,5 of final states We also assume such that $, no edge enters $ and no edge leaves We suppose that is a fixed clock value Given a valuation, we denote by + * the set of runs of of the form * O J 0 with $ and We are going to perform a sequence of transformations on that will preserve + * in the following sense During a transformation, state will possibly be splitted into several copies Runs before and after the splitting can be supposed identical up to a renaming of any into The aim of these transformations is a simplification of guards and invariants used in the automaton Guards will disappear Invariants of states 5 $ will be a conjunction of at most one -atom (of the form ) and of a certain number of -atoms This simplification is possible, mainly because the automaton is reset-free Definition An automaton is normalized if () no guard labels the edges, that is 7 % 5 < >*< 5, () any invariant 9 + is a conjunction 9 C + +9 of an -formula 9 C + and a -formula 9 with limited to 0 *, () 9 C + 9 C + for any edge + 7 such that 5 Lemma Any automaton can be effectively normalized with set + * preserved for any valuation Proof We can assume that all the edges entering state are labelled with the same guard - Indeed, every state not satisfying this property is split into several copies and the edges entering are redirected to each copy according to the guards labelling those edges The copies of have the same + and 9 + as, they all belong to if Therefore, guard - can be erased from all the edges entering and added as a conjunction to 9+ Property () follows Now by Lemma, the new formula 9 - is rewritten, where each as a disjunction of formulae, is a conjunction of an -formula and a -formula with 0 * We modify by splitting state into states,, such that + and 9 Accordingly, we split any edge of 7 that enters or leaves state The copies all belong to $ (resp ) if belongs to $ (resp ) Property () thus holds To get Property (), for any edge, replace 9 C and9 C by the -formula9 C + 9 C + All these transformations preserve + * Definition 4 A normalized automaton is called simplified if () 9 C + is a conjunction of -atoms # if >: $, and of -atoms G, if, () for any state 5, 9 C contains at most one -atom & with equal to, () for any run, for any -atom ", there exists at most one configuration + *( of such that 9 C + equals G can be effec- Proposition 5 Any normalized automaton tively simplified with set ation + * preserved for any valu- Proof The proof of Proposition 5 needs several steps At the end of each step, the automaton will be normalized if necessary Each transformation described in the proof will preserve set * for any valuation Given a state, we will often view 9 + as a set of -atoms and -atoms (instead of a conjunction) and we will say that such a term belongs to (instead of 9 + ) or appears in Let us note that EFBK remains any I -formula if F 7

9 5 5 $ 7 $! $ First step -atoms Assume that belongs to some state of Let us show that this -atom can be eliminated at the cost of a new -atom The idea is the following If for some 000( *, then iff and The automaton is transformed in a way to compute modulo Formally we construct 5 #$ D7 9 where 5 5 < >*, $ $&< >*, <( >*, + # and *+ # D * iff 7 and Function 9 is defined as follows For any + #, let 9 + # 9 + If + # contains, eliminate this state if :, replace by if If + #, add -atom and -atom As depends on the parameter valuation, value such that is not known in advance Therefore the final automaton is the disjoint union of the automata, with 000( * The elimination of -atoms is performed similarly Second step -atoms &0 Let us fix an -atom 0 Recall that the automaton is reset-free Along a run + *, as soon as?0 is satisfied at some configuration of, the next occurrences of 0 are automatically satisfied and can be thus eliminated The automaton is transformed in a way to count occurrences of 0G thanks to a counter equal to or 4 in case of or 4 and more occurrences of &0 Thus when the counter has value 4, any incrementation lets it at value 4 Formally we construct 5 #$ D7 D 9 where 5 < 4 *, <@ 4 *, + D and 9 + # 9 + Sets $ and 7 are defined as follows For any $, state + D belongs to $ with if?0 belongs to, and otherwise For any + 7, edge + D + D * belongs to 7 with ( if contains 0, and otherwise Finally, we suppress?0 in any state + 4 containing it Now, consider a run * starting with configuration + D * and having a transition D + D * such that + # contains 0 Necessarily # by construction of, # : by Hypothesis ( ) and since is normalized (Property ()) So -atom =0 is satisfied at configuration + # iff -atom = is satisfied at some configuration of between D * and + #*( Therefore, -atom G0 can be eliminated at the cost of a new -atom This can be achieved by modifying Figure ) We add to 5 in the following way (see a copy + of any state + together with a copy of + and a copy 9 + of 9 Sets $ and are let unchanged To any edge c = 0 x= α _ c = 0 Figure Automaton for -atoms?0 c = * + *, we add a copy * + * and another copy * + * with label Every edge * + is replaced by the edge * + * At last, we suppress -atom +0 from any state + ;: that contains it Third step -atoms & Let us given an -atom G Here, as soon as the last (instead of first) occurrence of = is satisfied along a run *, then the previous occurrences of are automatically satisfied Thus is transformed twice as before with the difference that runs are treated in the reverse direction The first transformation is defined as follows Let 5 D$ D7 9 with 5 5 < 4 *, $ $< 4 *, + # and 9 + # 9 For any, state D belongs to with if belongs to, and otherwise For any + 7, edge * D + # * belongs to 7 with if contains, and otherwise In any state + 4 that contains?, this -atom is eliminated Let be a run in + * ending with configuration +! # # and having a transition + #*(! # * such that D contains? Then, D: and Therefore? is satisfied at configuration D iff either is satisfied at configuration #, or = is satisfied at some configuration of between + D and D The second transformation of works as follows (see Figure 4) We add to 5 a copy of any state + together with a copy of and 9 Any initial state is replaced by the initial state Any final state + has its copy To any edge * + *, we add a copy * + * and another copy * + * with label We suppress from any state that contains it and we add to any state

10 5 + c = Figure 4 Automaton for -atoms & x= α c = 0 _ c = 0 Fourth step -atoms G At this point of the proof, state only contains -atoms of the form if : $, and of the form or if Hence Property () of Proposition 5 holds Let us prove Property () Suppose that 9 C ) I for some set of linear terms Let Then 9 C is equivalent to "G ) Thus 9 C + can be replaced by and 9+ by 9 + ) It remains to prove Property () Let be a run in * Assume that there are several configurations + *,, in such that contains a given -atom Time does not progress from + * to +! *, that is, for all Only the first occurrence of at state is useful, the next ones can be forgotten Therefore, is transformed in a way to count occurrences of and to remember any progress of time As before, a counter has value or 4 in case of or 4 and more occurrences of ; Moreover, values and 4 are indexed by if time has progressed since the first occurrence of Formally we construct 5 #$ D7 D 9 where 5 < & 4 4 *, <! 4 4 *, + D and 9 D 9 + For any $, state D belongs to $ with if belongs to, and # otherwise For any 7, edge *+ # D * belongs to 7 where is computed according Table Finally, for any state + # containing G, we suppress this state if 54, we suppress from this state if 4 Indeed recall that counter 4 indicates that it is at least the second occurrence of " Since the presence of index! 4 4L 4 4L 4 4L if contains! 4 4L! 4 4L 4 4 otherwise Table Computation of means a progress of time since the first occurrence of, this -term cannot be satisfied at state 4 and can be suppressed at state 4 4 Durations in Reset-Free Automata In this subsection, we again make Hypothesis ( ) When is a reset-free automaton that has been simplified according to proposition 5, we are going to construct a Presburger formula describing all the possible durations of runs in, in other words a Presburger formula for C (see Notation 7) This formula will impose constraints on durations like,,, - and -, with Notation Let be a variable used to denote a duration and be a variable for a clock value We call -atom any or A -atom is of first type if is of the form G& & G it is of second type if it of the form A -formula is either of first type, or of second type A first type -formula is an -atom of first type, a second type -formula is a conjunction of -atoms of second type Proposition 7 Let 5 #$ D7D 9 be a simplified automaton There exists a Presburger formula * such that for any valuation and any clock value (, ( * is true iff there exists a run in + * with duration This formula is a disjunction of formulae of the form C that is, a conjunction of a first type -formula, a second type -formula, an -formula C and a -formula Its construction is effective 9

11 Proof In this proof, as already done before, we often view an -formula as a set of -atoms and conversely () We can suppose that $ is reduced to one initial state and to one final state At the end of the proof, it will remain to take a disjunction over of $ and the constructed formulae From now on, we suppose that $ D* and * () Assumption We first make the assumption that contains no -atom and contains no -atom I As is simplified, this means that for any state 5, either 9 C + & or 9 C + equals some " The proof is done by induction on the -atoms that appear as 9 C with 5 Let us show how to construct It will have no -formula of second type due to the assumption 5, that Base case Suppose that 9 C + " for all is Durations of runs in + are thus independent on the clock values They are simply equal to the number of edges labeled by along runs from to And to any of these runs is associated the set of -atoms contained in the states of the run Therefore the proof consists in a kind of determinization [LP9] of that has to take into account the formulae9 + The alphabet is reduced to one letter, while label is understood as the empty word Formally, let be the set of -atoms that belong to the states of 5 Define 5 < 4 For +, we define Closure as the set of + such that there exists a run from to with duration and L 9 We define a classical [LP9] automaton with 4 as set of states, one initial state equal to Closure 9 * and set of final states equal to %, Any edge is defined as Closure such that + + for some * with 7 %, 9 + There exists a path in from to state iff there exists a run in from to such that + and is the set of -atoms contained in the states of Moreover, the duration of is the length of the corresponding path in As the alphabet is the one-letter alphabet >*, automaton has the special structure of a frying pan automaton (see Figure 5) This shows that formula is a disjunction of formulae constructed in the following way Let be a final state of, let If does not belong to the cycle of, then and equals where is the length of the path from to If belongs to the cycle of, then and equals where is the length of the shortest path from to and is the length of the cycle of * Figure 5 Frying pan automaton General case Now consider a particular -atom " us denote by C the set of states such that 9 C + is equal to G As is simplified, any run of + * contains or state of C We are going to prove that the expected formula * is equal to * $ Let where describes durations of runs containing no state of C, and describes durations of runs containing exactly state of C All runs containing no state of C constitute set * of an automaton obtained from by erasing all states in C As has one -atom less, can be constructed by induction hypothesis Let us now fix C and a run * that contains it This run is decomposed into a run * * with duration and a run * J * with duration Duration of is equal to such that, and satisfies Durations and can be computed by induction in the following way Let us begin with Automaton is modified into by erasing states of C * and edges leaving Formula 9 C ( is replaced by The unique final state is The new automaton has one -atom less, so * can be constructed by induction hypothesis such that * D * is true Recall that is a disjunction of formulae C where is a first type -atom, is an C -formula and is a -formula Suppose that is one among 7G As satisfies and (, then ( So must be replaced by one among the formulae G It becomes a conjunction of -atoms and -atoms modified formula C is denoted by C The 0

12 Let us now describe We modify into by erasing states of C * and edges entering Formula 9 C ( is replaced by The new unique initial state is By induction hypothesis, * is constructed as a disjunction of formulae 7 C where is one among Formula is true with * ( * Thus any in is one among the formulae 7 that is -atoms of the form Moreover any modified formula or in C becomes a -formula The C is denoted by Finally, we can describe D It has the form G( or ( ( " for - is a disjunction of formu- Hence formula lae ( C such that has the form G and C has the form C or () Under the assumption that contains no -atoms and contains no -atom?, we have constructed a formula * with no -formula of second type So we have to take into account -formula 9 C and -atoms appearing in Thus must satisfy 9 C + and must satisfy any, in It follows that the final formula is equal to 9 C C ) 4 Runs and Durations This subsection is devoted to the proofs of Propositions and Here is any automaton 5D7D9& Without lost of generality, we can suppose that is state-reset, that is for any of, the edges entering the state either all reset clock or none resets it, so clock can be seen to be reset at states instead of along edges (see Lemma below) Thus in the sequel we will consider the set 7 of edges as a subset of 5 < >* < < 5 and we call reset-state any state that resets the clock Given two states, a valuation and a clock value, a run * in possibly contains some reset-states It thus decomposes as a sequence of runs,, such that for any, contains no reset-state, except for the first and the last configurations of The duration D of each can be computed thanks to Proposition 7 with the initial clock value equal to ( if and equal to if 0 For any,, let us denote by * the Presburger formula corresponding to which is a disjunction of formulae J C So the total duration D is equal to the sum %+% D Durations of runs * 0, ie set C A, can be symbolically represented thanks to rational expressions on an alphabet whose letters are formulae C that appear in the * s Thanks to this symbolic description of C A, we are able to prove Propositions and Let us explain in details all these ideas Lemma Any automaton can be effectively transformed into a state-reset automaton Proof The proof is similar to the proof of Lemma If two edges enter a given state, with one resetting the clock and the other not, is splitted into two states and the edges entering are redirected to one or the other copy according to the fact that is reset or not We can thus suppose that the edges entering all reset the clock or none does reset it Resetting the clock can thus be done at state instead of along an edge entering Let 5D7D9& be a state-reset automaton with 7;%,5 < * < <5 and %,5 the set of its resetstates Let us fix two states, a parameter valuation, a clock value and let us study all the runs + * + 0 in First construction For each couple! of states of such that * and *, we construct from the following reset-free automaton A 5 D$ D7 9 with initial and final states The set of states is * where are copies of with ( (,, 9 ( 9 and 9 States are non reset The set 7 of 7 5 edges is the union of restricted to with the next set of copied edges - with - -( with - - with - The unique initial state is and the unique final state is Automaton be a clock A satisfies Hypothesis ( ) Let 7

13 C A C value such that if is a reset-state, otherwise The runs of + A * are exactly the non-empty runs * - 0 of that pass through no reset-state (except possibly the first and the last state of the run) By Proposition 7, the durations of runs in + A are described by formula A* * equal to some disjunction A where A A A A & A Note that in formula A *, if is a reset-state, then necessarily "5 Hence, due to instantiation of value to variable A, any formula has no longer free variable A A, is one of the -atoms ; or, is a conjunction of -atom of the form A, and becomes a -formula For each couple! and each, we associate a distinct letter A A to each formula The set of all these letters is denoted by We say that letter A is a resetletter if is a reset-state The set of reset-letters is denoted " Second construction We construct a classical automaton over the alphabet as follows The set of states equals * and the set of edges A for some * The unique initial (resp final) state is (resp ) A path in from to indicates how a run + * in is decomposed according to resetstates of The duration of such a run can symbolically be viewed as a word over that labels the corresponding path in Set C A is thus symbolically represented as a rational set over that we denote by A It is important to note that any word of A has at most one letter that is non reset (the first letter of the word) If is a reset-state, then A % ", otherwise A % "7 0 " * Rational expressions The concatenation of two letters A and A of is interpreted as follows It is the sum of durations and described by A A A and It is the conjunction of -formulae and -formulae described by A C A A A and C Let be denoting * and Rat0 be the smallest family closed under 0 and, and containing As sum and conjunction operations are commutative, it is not difficult to prove that any rational language over can be effectively rewritten as a finite union of languages in * Rat 0 Therefore A with (* or a reset-state, then otherwise, if : *, 0 with Rat 0 * Rat 70 "& More precisely, if is * Rat 70 We are now fully equiped to prove Proposition and Proposition Proof of Proposition Let us prove that one can construct a C formula + such that there exists an infinite run starting with + * iff ( is true Such a run exists iff for some 5, set C A contains arbitrarily large durations We say that C A (or equivalently A ) is non Zeno if this property holds By induction on the rational expression defining A, we are going to construct a formula NZ A C such that NZ A ( is true iff A is non Zeno Thus formula + is equal to A NZ A + As A is a finite union of sets * Rat *0, it is non Zeno iff one among the s is non Zeno Thus NZ A NZ In case *, then clearly NZ Let Rat 0 Let A >* for some A A Recall that is a conjunction # # C # between a -atom of first type, a -formula of second type, an -formula and a -formula If equals or (, then NZ If equals or, then is arbitrarily large if In this case, NZ C, otherwise NZ Suppose now that 0, then is non Zeno if or is non Zeno, that is NZ NZ% $ NZ If, then is non Zeno if is evolutive, that is, contains a non null duration This property is studied hereafter Let us study when Rat 0 is evolutive and denote by E the related formula of C Consider case A >* for some A As above let us study formulae and Suppose that If equals, then is non null iff 0 Then E is the formula of C equal C When is, we have a similar formula such that is replaced by If equals, then a possible non null value for is either or if We get formula E of C equal to (* $ C A similar argument holds if Finally if 0, then E E $ E, and if, then E" E Proof of Proposition Let $ be a linear term and B 0 * We have to show that there exists a formula ( A of C that describes the existence of a duration $ in set C A "

14 () We begin with * To test if there exists $ in C A is equivalent to test that G $ with being the minimum duration of C A We first suppose that is a reset-state Let A with sets in * Rat 0 By induction on the rational expression defining any, let us construct a Presburger formula Min that describes the minimum duration in It has no free variable since is a reset-state This formula will be a conjunction where is a -atom of the form (, is a -formula of the form and is a -formula Therefore ( formula A is equal to, such that each formula is obtained by modifying Min as follows Any formula equal to is replaced by formula $ The resulting formula belongs to C In case *, then Thus Min is equal to 9 + such that is instantiated to inside9 Let Rat 70 Consider case ; A >* for some resetletter A A " Suppose that As -atom is either or, then the minimum duration equals So formula Min is equal to If 0, then the minimum duration in equals the sum of the minimum durations in and Let Min where equals and equals Let Min where equals ( and equals Thus Min is equal to G If 5, then the minimum duration in is the minimum duration in, ie Min Min We now suppose that is not a reset-state Let A such that * or 0 with * Rat 7*0 For each, the Presburger formula Min * that we want to construct has a slightly different form It has now free variable, it is a conjunction where is a -atom of the form or, is a -formula of the form &;, is an C -formula and is a -formula Consequently, formula ( A will now be equal to, such that each formula is obtained by modifying Min as follows Any formula respectively equal to G ( or G ( is replaced by formula + $ or $ * ( C If,*, then and Min is 9 + Let 5 0 with " and * Rat 0 By the first part of the proof, the minimum duration of is expressed by formula Min+A equal to with and A For A, we A have an associated formula # # C # such that -atom is one among 7G, G,,, and is ( The minimum duration A for is I or I Hence for concatenation 0, we have formula Min C such that is : or :, is A, is and C C is () We now turn to B0 * The approach is similar but with the maximum (instead of minimum) duration Again we consider the two cases : is or is not a reset-state Suppose that is a reset-state Let A& with any in * Rat 70 By induction on the rational expression defining any, we will construct a formula Max (without free variable ) that describes the maximum duration in Note that when is non Zeno (see proof of Proposition ), durations in can be arbitrarily large We will thus denote symbolically by the (non existing) maximum duration Formula Max will be a disjunction of conjunctions such that is either or, is either or (equivalently with ) and is a - ( formula We will get the next formula A equal to where each formula is obtained by modifying Max in the following way If equals, then equals If equals 7, then equals $ If O *, then Max is 9 + such that 5 in 9 Let Rat 70 Let us study case A * with A A " a reset-letter Let the associated formula Let us study and J If is, then Max equals If is withj, then Max equals Finally, suppose that is with being a non empty conjunction Then the maximum duration is the greatest value, for some, which is strictly less than the smallest, denoted by Assume that and for some D 000( * If, then the maximum duration is given by formula equal to I with condition equal to If, then equals & and equal to Thus Max is a disjunction over the different possible values of and of formulae A$ such that A is the conjunction between, and Let us now treat case 0 If Max% contains a conjunction Max contains a conjunction I & and,

15 then Max contains the conjunction & If in Max or in Max, then Max contains the conjunction Finally if, then the maximum duration equals if is evolutive (see Proof of Proposition ), and otherwise Thus Max is the formula * E $ * 5 E It has the right form because E C and by Lemma We now suppose that is not a reset-state Let A such that O * or O 0 with * Rat 70 For each, formula Max (with free variable ) is now a disjunction of conjunctions ( such that is either ( or, or, is, is an C -formula and is a -formula The ( requested formula A is obtained in a way similar as done before If I*, then Max 9 Let 0 with " and * Rat 7*0 We already know that the maximum duration of can be expressed by a formula MaxA equal to a disjunction of with equal to or For A, A the maximum duration of & # C can be studied as before, including two additional cases 7 and for It is not difficult to see that we obtain a formula Max which is a disjunction of formulae of the form C It remains to study the maximum duration in concatenation 0 Again this can be done as before according to the different cases for and The resulting formula Max7 * has the right form 5 Conclusion In this paper, we have studied algorithmic solutions to the model-checking and parameter synthesis problems of the logic PTCTL over one parametric clock timed automata On the negative side, we showed that the model-checking problem of TCTL extended with parameters is undecidable over timed automata with only one parametric clock The undecidability result needs equality in the logic On the positive side, we showed that when equality is not allowed in the logic, the model-checking problem becomes decidable and the parameter synthesis problem is solvable Our algorithm is based on automata theoretic principles and an extension of our method (see [BDR0]) to express durations of paths of a timed automata using Presburger arithmetic To the best of our knowledge, this is the first work that studies the model-checking and parameter synthesis problems with parameters both in the model (timed automaton) and in the property (PTCTL formula) The problems solved C in this paper are important as it is very natural to refer in the properties of the system to parameters appearing in the model of the system We have illustrated in the introduction the kind of properties that can be expressed and automatically verified in our framework As future works, we plan to investigate if the method proposed here can be extended from discrete to dense timed models References [AETP99] Rajeev Alur, Kousha Etessami, Salvatore La Torre, and Doron Peled Parametric temporal logic for model measuring Lecture Notes in Computer Science, 44:59 7, 999 [AHV9] [BDR0] [Bès0] [ET99] R Alur, TA Henzinger, and MY Vardi Parametric real-time reasoning In Proceedings of the 5th Annual Symposium on Theory of Computing, pages 59 0 ACM Press, 99 V Bruyère, E Dall olio, and J-F Raskin Durations, parametric model-checking in timed automata with Presburger arithmetic Technical Report CFV-00-, Centre Fédéré en Vérification (Belgique), 00 a short version to appear in Proc of Stacs 0 Alexis Bès A survey of arithmetical definability A tribute to Maurice Boffa, Special Issue of Belg Math Soc, pages 54, 00 E Allen Emerson and Richard J Trefler Parametric quantitative temporal reasoning In Logic in Computer Science, pages 4, 999 [LP9] Harry Lewis and Christos Papadimitriou Elements of the theory of computation Prentice Hall, 99 [Wan95] Farn Wang Timing behavior analysis for realtime systems In In Proceedings of the Tenth IEEE Symposium on Logic in Computer Science, pages, 995 [WH97] Farn Wang and Pao-Ann Hsiung Parametric analysis of computer systems In Algebraic Methodology and Software Technology, pages 59 55, 997 4