On the Language Inclusion Problem for Timed Automata: Closing a Decidability Gap

Size: px

Start display at page:

Download "On the Language Inclusion Problem for Timed Automata: Closing a Decidability Gap"

Bernadette Todd
5 years ago
Views:

1 SVC On the Language Inclusion Problem for Timed Automata 1 On the Language Inclusion Problem for Timed Automata: Closing a Decidability Gap Joël Ouaknine Computer Science Department, Carnegie Mellon University James Worrell Department of Mathematics, Tulane University SVC seminar Sept. 2, 2003

2 A : SVC On the Language Inclusion Problem for Timed Automata 2 Timed Automata Standard modeling formalism for real-time. Finite-state automata with clocks. Timed trace semantics: sequences of events with real-valued delay timestamps. u = E.g., h0:3;a;2;b;0;c;1:1;ai. a b,c a 3.4 L(A) := set of timed traces accepted by A. a a a a a x:=0 x=1?

3 Language inclusion problem, L(B) & SVC On the Language Inclusion Problem for Timed Automata 3 Known Facts about Timed Automata Emptiness problem, L(A)? = ;: PSPACE-complete [Alur et al. 90] Universality problem, L(A)? = TT: Undecidable [Alur-Dill 94]? L(A): Undecidable [Idem]

4 ? L(A) SVC On the Language Inclusion Problem for Timed Automata 4 Our Main Contribution Theorem. If A has at most one clock, the language inclusion problem is decidable. L(B)

5 ? L(A) SVC On the Language Inclusion Problem for Timed Automata 5 Our Main Contribution Theorem. If A has at most one clock, the language inclusion problem is decidable. L(B) This result is unexpected: in all other known computational models, deciding language inclusion always uses L(B) L(A) () L(B) L(A) = ;: However, one-clock timed automata cannot be complemented...

6 SVC On the Language Inclusion Problem for Timed Automata 6 Timed Automata Language Inclusion: Related Work Digitization techniques: [Henzinger-Manna-Pnueli 92], [Bošnački 99], [Ouaknine-Worrell 03a] Determinizable classes of timed automata: [Alur-Fix-Henzinger 94], [Wilke 96], [Raskin 99] Fuzzy semantics / noise-based techniques: [Maass-Orponen 96], [Gupta-Henzinger-Jagadeesan 97], [Fränzle 99], [Henzinger-Raskin 00], [Puri 00], [Asarin-Bouajjani 01], [Ouaknine-Worrell 03b]

7 SVC On the Language Inclusion Problem for Timed Automata 7 Some Applications Hardware and software systems are often described via high-level specifications, describing their intended functional behavior. Specifications are often given as finite-state machines. A proposed implementation IMP meets its specification SPEC iff L(IMP ) L(SPEC ): Our work enables us to describe and handle timed specifications: timed automata with a single clock.

8 SVC On the Language Inclusion Problem for Timed Automata 8 Example: A Login Protocol x>10? restart START login_name x:=0 restart x>60? VALIDATE x<60? pw_wrong pw_correct x<60? connected DELAY restart x>60? LOG_ERROR x:=0 log_pw_wrong x:=0 log_pw_wrong LOG_ERROR pw_wrong x<60? RE_VALIDATE pw_correct x<60?

9 SVC On the Language Inclusion Problem for Timed Automata 9 passive OPEN create TCB CLOSED CLOSE delete TCB active OPEN create TCB snd SYN LISTEN CLOSE delete TCB SYN RCVD CLOSE snd FIN FIN WAIT_1 rcv ACK of FIN x FIN WAIT_2 rcv FIN snd ACK rcv SYN snd SYN, ACK rcv ACK of SYN x CLOSE snd FIN rcv FIN snd ACK rcv ACK of FIN x rcv SYN snd ACK ESTAB CLOSING TIME_WAIT SEND snd SYN rcv SYN, ACK snd ACK rcv FIN snd ACK Timeout=2MSL delete TCB SYN SENT CLOSE WAIT CLOSE snd FIN LAST_ACK rcv ACK of FIN x CLOSED TCP spec. (DARPA) &

10 SVC On the Language Inclusion Problem for Timed Automata 10 Some Applications (ctd.) Compositional and assume-guarantee verification: Let NET = B 1 jjb 2 jj :::jjb n be a network of timed automata.

11 SVC On the Language Inclusion Problem for Timed Automata 11 Some Applications (ctd.) Compositional and assume-guarantee verification: Let NET = B 1 jjb 2 jj :::jjb n be a network of timed automata. Suppose you want to verify that L(NET ) = ;.

12 SVC On the Language Inclusion Problem for Timed Automata 12 Some Applications (ctd.) Compositional and assume-guarantee verification: Let NET = B 1 jjb 2 jj :::jjb n be a network of timed automata. Suppose you want to verify that L(NET ) = ;. Find one-clock automata A 1, A 2, :::, A n such that L(B i ) L(A i ).

13 SVC On the Language Inclusion Problem for Timed Automata 13 Some Applications (ctd.) Compositional and assume-guarantee verification: Let NET = B 1 jjb 2 jj :::jjb n be a network of timed automata. Suppose you want to verify that L(NET ) = ;. Find one-clock automata A 1, A 2, :::, A n such that L(B i ) L(A i ). Write ABS = A 1 jja 2 jj :::jja n.

14 SVC On the Language Inclusion Problem for Timed Automata 14 Some Applications (ctd.) Compositional and assume-guarantee verification: Let NET = B 1 jjb 2 jj :::jjb n be a network of timed automata. Suppose you want to verify that L(NET ) = ;. Find one-clock automata A 1, A 2, :::, A n such that L(B i ) L(A i ). Write ABS = A 1 jja 2 jj :::jja n. Theorem: If L(ABS ) = ;,thenl(net ) = ;.

15 SVC On the Language Inclusion Problem for Timed Automata 15 Sketch of the Algorithm? L(A) to a Reduce the language inclusion question L(B) reachability question on an infinite graph H.

16 SVC On the Language Inclusion Problem for Timed Automata 16 Sketch of the Algorithm? L(A) to a Reduce the language inclusion question L(B) reachability question on an infinite graph H. Construct a compatible 4 well-quasi-order on H: W 4 W Whenever : W if is safe, W then is safe. 0 0 Any infinite sequence W 1, W 2, W 3, ::: eventually saturates: there exists i < j such that W i 4 W j.

17 SVC On the Language Inclusion Problem for Timed Automata 17 Sketch of the Algorithm? L(A) to a Reduce the language inclusion question L(B) reachability question on an infinite graph H. Construct a compatible 4 well-quasi-order on H: W 4 W Whenever : W if is safe, W then is safe. 0 0 Any infinite sequence W 1, W 2, W 3, ::: eventually saturates: there exists i < j such that W i 4 W j. Explore H, looking for bad nodes. The search must eventually terminate.

18 SVC On the Language Inclusion Problem for Timed Automata 18 Sketch of the Algorithm? L(A) to a Reduce the language inclusion question L(B) reachability question on an infinite graph H. Construct a compatible 4 well-quasi-order on H: W 4 W Whenever : W if is safe, W then is safe. 0 0 Any infinite sequence W 1, W 2, W 3, ::: eventually saturates: there exists i < j such that W i 4 W j. Explore H, looking for bad nodes. The search must eventually terminate. For simplicity, we will focus on universality: A? = TT.

19 SVC On the Language Inclusion Problem for Timed Automata 19 Higman s Lemma Let Λ = fa 1 ;a 2 ;::: ;a n gbe an alphabet. Let 4 be the subword order on Λ Λ, the set of finite words over Λ. Ex.: HIGMAN 4 HIGHMOUNTAIN Then 4 is a well-quasi-order on Λ Λ : Any infinite sequence of words W 1, W 2, W 3, ::: must eventually have two words W i 4 W j, with i < j.

20 SVC On the Language Inclusion Problem for Timed Automata 20 Higman s Lemma Let Λ = fa 1 ;a 2 ;::: ;a n gbe an alphabet. Let 4 be the subword order on Λ Λ, the set of finite words over Λ. Ex.: HIGMAN 4 HIGHMOUNTAIN Then 4 is a well-quasi-order on Λ Λ : Any infinite sequence of words W 1, W 2, W 3, ::: must eventually have two words W i 4 W j, with i < j.

21 SVC On the Language Inclusion Problem for Timed Automata 21 Timed Automata Configurations Let A be a timed automaton with a single clock x, and discrete locations, s 1, :::, s n. Astate of A is a pair (s; v): s is a location. v 2 R + is the value of clock x. A configuration of A is a finite set of states. s x>2? b 0 1 a x:= 0 s 1<x <3? b

22 SVC On the Language Inclusion Problem for Timed Automata 22 Timed Automata Configurations Let A be a timed automaton with a single clock x, and discrete locations, s 1, :::, s n. Astate of A is a pair (s; v): s is a location. v 2 R + is the value of clock x. A configuration of A is a finite set of states. (s 1 ; 1:4) x>2? b s 1 1<x <3? b a x:= 0

23 SVC On the Language Inclusion Problem for Timed Automata 23 Timed Automata Configurations Let A be a timed automaton with a single clock x, and discrete locations, s 1, :::, s n. Astate of A is a pair (s; v): s is a location. v 2 R + is the value of clock x. (s 1 ; 4:5) x>2? b s 1 1<x <3? b a x:= 0 A configuration of A is a finite set of states.

24 SVC On the Language Inclusion Problem for Timed Automata 24 Timed Automata Configurations Let A be a timed automaton with a single clock x, and discrete locations, s 1, :::, s n. Astate of A is a pair (s; v): s is a location. v 2 R + is the value of clock x. A configuration of A is a finite set of states. f( ; 2); (s 1 ; 1:4)g x>2? b s 1 1<x <3? b a x:= 0

25 SVC On the Language Inclusion Problem for Timed Automata 25 Timed Automata Configurations (ctd.) Every timed trace u gives rise to a configuration of A. Ex.: u = h0:5;a;0:2;b;0:4;cileads to f(s 5 ; 0:6); (s 6 ; 0:4)g. b 1 s c 3 s a x:=0 s 5 ::: s 2 c 4 s a b x:=0 s 6 :::

26 SVC On the Language Inclusion Problem for Timed Automata 26 Bisimilar Configurations If C is a configuration, let A[C] be A started in configuration C. Definition. A relation R on configurations is a bisimulation if, whenever C 1 R C 2,then 8a ±,8t 2 R +,9t 2 2 R 1 such that 2 if + t 1;a! A[C 0 1 ],thena[c 2] t 2;a ] A[C 1 Vice-versa.! A[C 0 2 ],andc 0 1 R C 0 2.

27 SVC On the Language Inclusion Problem for Timed Automata 27 Bisimilar Configurations If C is a configuration, let A[C] be A started in configuration C. Definition. A relation R on configurations is a bisimulation if, whenever C 1 R C 2,then 8a ±,8t 2 R +,9t 2 2 R 1 such that 2 if + t 1;a! A[C 0 1 ],thena[c 2] t 2;a ] A[C 1! A[C 0 2 ],andc 0 1 R C 0 2. Vice-versa. We say that C 1 and C 2 are bisimilar, written C 1 ο C 2, if there exists some bisimulation relating them.

28 SVC On the Language Inclusion Problem for Timed Automata 28 Bisimilar Configurations If C is a configuration, let A[C] be A started in configuration C. Definition. A relation R on configurations is a bisimulation if, whenever C 1 R C 2,then 8a ±,8t 2 R +,9t 2 2 R 1 such that 2 if + t 1;a! A[C 0 1 ],thena[c 2] t 2;a ] A[C 1! A[C 0 2 ],andc 0 1 R C 0 2. Vice-versa. We say that C 1 and C 2 are bisimilar, written C 1 ο C 2, if there exists some bisimulation relating them. Theorem. If C 1 ο C 2,then A[C 1 ] is universal () A[C 2 ] is universal:

29 SVC On the Language Inclusion Problem for Timed Automata 29 Bisimilar Configurations: Examples C 1 = f( ; 0:5)g fi C 2 = f( ; 1:3)g: C 1 : C 2 : ~

30 A : SVC On the Language Inclusion Problem for Timed Automata 30 Bisimilar Configurations: Examples C 1 = f( ; 0:5)g fi C 2 = f( ; 1:3)g: C 1 : C 2 : ~ x>1? s ± 0 s 1 ±

31 A : SVC On the Language Inclusion Problem for Timed Automata 31 Bisimilar Configurations: Examples C 1 = f( ; 0:5)g fi C 2 = f( ; 1:3)g: C 1 : C 2 : ~ x>1? s ± 0 s 1 ± A[C 2 ] is universal, but A[C 1 ] rejects h0;ai.

32 SVC On the Language Inclusion Problem for Timed Automata 32 Bisimilar Configurations: Examples (ctd.) ~

33 SVC On the Language Inclusion Problem for Timed Automata 33 Bisimilar Configurations: Examples (ctd.) ~ ~

34 SVC On the Language Inclusion Problem for Timed Automata 34 Bisimilar Configurations: Examples (ctd.) ~ ~ ~

35 SVC On the Language Inclusion Problem for Timed Automata 35 Bisimilar Configurations: Examples (ctd.) C 1 : C 2 : ~

36 A : SVC On the Language Inclusion Problem for Timed Automata 36 Bisimilar Configurations: Examples (ctd.) C 1 : C 2 : ~ x<1_x>2? s ± 0 s 1 ±

37 A : SVC On the Language Inclusion Problem for Timed Automata 37 Bisimilar Configurations: Examples (ctd.) C 1 : C 2 : ~ x<1_x>2? s ± 0 s 1 ± A[C 2 ] is universal, but A[C 1 ] rejects h0:5;ai.

38 SVC On the Language Inclusion Problem for Timed Automata 38 From Bisimulation to Simulation Definition. We say that C 1 is simulated by C 2, written C 1 4 C 2,ifthere exists C 0 2 C 2 such that C 1 ο C 0 2.

39 SVC On the Language Inclusion Problem for Timed Automata 39 From Bisimulation to Simulation Definition. We say that C 1 is simulated by C 2, written C 1 4 C 2,ifthere exists C 0 2 C 2 such that C 1 ο C 0 2. Theorem. If C 1 4 C 2,then A[C 1 ] is universal =) A[C 2 ] is universal:

40 SVC On the Language Inclusion Problem for Timed Automata 40 Constructing a Decidable Bisimulation Relation Let K 2 N be the largest constant appearing in clock constraints of A. Theorem. Let C and C 0 be configurations of A. If there exists a bijection f : C! C 0 that preserves locations: f (s; v) = ( ;v 0 ) =) s =, integer parts of clock x,uptok: f (s; v) = ( ;v 0 ) =) ((dve = dv 0 e ^ bvc = bv 0 c) _ v; v 0 > K), the ordering of the fractional parts of clock x: ), i ;v i ) = ( i ;v0 i ) =) (v i <v j () v 0 i <v0 j f (s ο C then. C 0

41 n o 1); f1g; (1; 2);::: ;fkg;(k; 1) (0; f0g; SVC On the Language Inclusion Problem for Timed Automata 41 Constructing a Decidable Bisimulation Relation (ctd.) Let K be the largest constant appearing in clock constraints of A. Let REG = be the collection of one-dimensional regions of A. Let S = f ;s 1 ;::: ;s n gbe the set of locations of A. Let Λ = S REG. Let C be a configuration of A. For simplicity, assume all the fractional parts of states C in are distinct. Note that each state in C has a unique matching letter in Λ. Encode as a H(C) 2 Λ word, ordered by increasing fractional C parts Λ of states.

42 SVC On the Language Inclusion Problem for Timed Automata 42 Constructing a Decidable Bisimulation Relation (ctd.) Corollary. For any configurations C and C 0 of A, H(C) = H(C 0 ) =) C ο C 0 :

43 SVC On the Language Inclusion Problem for Timed Automata 43 Constructing a Decidable Bisimulation Relation (ctd.) Corollary. For any configurations C and C 0 of A, H(C) = H(C 0 ) =) C ο C 0 : Theorem. For any configurations C and C 0 of A, H(C) 4 H(C 0 ) =) C 4 C 0 :

44 SVC On the Language Inclusion Problem for Timed Automata 44 Constructing a Decidable Bisimulation Relation (ctd.) Corollary. For any configurations C and C 0 of A, H(C) = H(C 0 ) =) C ο C 0 : Theorem. For any configurations C and C 0 of A, H(C) 4 H(C 0 ) =) C 4 C 0 : Corollary. For configurations C and C 0 of A,ifH(C) 4 H(C 0 ),then A[C] is universal =) A[C 0 ] is universal:

45 SVC On the Language Inclusion Problem for Timed Automata 45 The Algorithm: Recapitulation Reduce the universality question L(A)? = TT to a reachability question on the infinite Λ graph. Λ The subword 4 order Λ on is a compatible well-quasi-order: Λ 4 H(C Whenever ): H(C) 0 if is universal, A[C then ] is universal. 0 A[C] Any infinite sequence H(C 1 ), H(C 2 ), H(C 3 ), ::: eventually saturates: there exists i < j such that H(C i ) 4 H(C j ). Explore, looking for a word/configuration from which A cannot Λ perform some event. The search must Λ eventually terminate.

46 SVC On the Language Inclusion Problem for Timed Automata 46 Summary We have given an algorithm to decide the language inclusion? question L(A), A provided has at most one L(B) clock. Unexpected and fundamentally new result in the theory of timed automata. Interesting potential applications to hardware/software engineering and verification.

47 SVC On the Language Inclusion Problem for Timed Automata 47 Closing the Gap Our decidability result is for all practical purposes the tightest one can get in terms of restricting the resources of timed automata: Theorem. For A a timed automaton, the universality question L(A)? = TT remains undecidable under any of the following restrictions: A has two clocks and a one-event alphabet, or A has two clocks and uses a single constant in clock constraints, or A has a single location and a one-event alphabet, or A has a single location and uses a single constant in clock constraints.

48 SVC On the Language Inclusion Problem for Timed Automata 48 Future Work Complexity of the algorithm. Extend (if possible) to Büchi timed automata. Efficient implementation.

Timed Automata. Rajeev Alur. University of Pennsylvania

Timed Automata. Rajeev Alur. University of Pennsylvania Timed Automata Rajeev Alur University of Pennsylvania www.cis.upenn.edu/~alur/ SFM-RT, Bertinoro, Sept 2004 model temporal property Model Checker yes error-trace Advantages Automated formal verification,