LSVbouyer/files/bouyer-hdr-soutenance.pdf · Reachability analysis in timed automata Improving further [BBFL03] Behrmann, Bouyer, Fleury, Larsen. Static Guard Analysis in Timed Automata

Soutenance d’habilitation

“From Qualitative to Quantitative Analysisof Timed Systems”

Patricia Bouyer

January 12, 2009

1/48

Introduction

Outline

1. Introduction

2. Reachability analysis in timed automata

3. Model-checking timed temporal logics

4. Modelling resources in timed systemsOptimizing resourcesManaging resources

5. Probabilistic analysis of timed automata

6. Summary and perspectives

2/48

Introduction

Context: verification of timed systems

What are timed systems?

What we want to avoid

; Verification by model-checking

system:

⇒

property:

G (request→F grant)model-checking

algorithm

yes/no

3/48

Introduction



What we want to avoid; Verification by model-checking

system:

⇒

property:


algorithm

yes/no

3/48

Introduction





system:

⇒

property:


algorithm

yes/no

3/48

Introduction


What are timed systems?What we want to avoid

Ariane 5, 1996

Atlanta airport, 2008

Mars climate obs., 1998

Blackout, 2003

Radiotherapy in Toulouse, 2007

Bug Pentium, 1994


system:

⇒

property:


algorithm

yes/no

3/48

Introduction





system:

⇒

property:


algorithm

yes/no

3/48

Introduction

A running example

4/48

Introduction

A running example: natural questions

Can I reach Pontivy from Oxford?

What is the minimal time to reach Pontivy fromOxford?

What is the minimal fuel consumption to reachPontivy from Oxford?

Can I use my computer all the way?

How likely will I visit Paris and for how long?

...

4/48

Introduction

A first model of the system

Oxford

Pontivy

Dover

Calais

Paris

London

Stansted

Nantes

Poole

St Malo

5/48

Introduction

Can I reach Pontivy from Oxford?

Oxford

Pontivy

Dover

Calais

Paris

London

Stansted

Nantes

Poole

St Malo

This is a reachability question in a finite graph: Yes, I can!

5/48

Introduction

A second model of the system

Oxford

Pontivy

Dover

Calais

Paris

London

Stansted

Nantes

Poole

St Malo

x :=0

106x612

146x615x :=0

276x630

x :=0

96x612

x :=0

216x624

x=27x :=0

x=3

x :=0176

x621

x :=0

36x6

6

x :=0

276x6

32

36x6

6x :=0

x=24

x :=0

96x615

x :=0

x=13

x :=0

126x615

x=17

x :=0

x=6

x :=0

126x614

6/48

Introduction

How long will that take?

Oxford

Pontivy

Dover

Calais

Paris

London

Stansted

Nantes

Poole

St Malo

x :=0

106x612

146x615x :=0

276x630

x :=0

96x612

x :=0

216x624

x=27x :=0

x=3

x :=0176

x621

x :=0

36x6

6

x :=0

276x6

32

36x6

6x :=0

x=24

x :=0

96x615

x :=0

x=13

x :=0

126x615

x=17

x :=0

x=6

x :=0

126x614

It is a reachability (and optimization) questionin a timed automaton: at least 350mn = 5h50mn!

6/48

Introduction

The timed automaton model: an example

safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

y :=0

delayed, y :=0

156x616

repair

26y∧x656

y :=0

done, 226y625

safe

23−→ safeproblem−−−−−→ alarm

15.6−−→ alarmdelayed−−−−−→ failsafe

x 0

23 0 15.6 15.6 ···

y 0

23 23 38.6 0

failsafe2.3−−→ failsafe

repair−−−−→ repairing22.1−−→ repairing

done−−−→ safe

··· 15.6 17.9 17.9 40 40

0 2.3 0 22.1 22.1

7/48

Introduction


safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

y :=0

delayed, y :=0

156x616

repair

26y∧x656

y :=0

done, 226y625

safe

23−→ safeproblem−−−−−→ alarm


x 0

23 0 15.6 15.6 ···

y 0

23 23 38.6 0




··· 15.6 17.9 17.9 40 40

0 2.3 0 22.1 22.1

7/48

Introduction


safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

y :=0

delayed, y :=0

156x616

repair

26y∧x656

y :=0

done, 226y625

safe23−→ safe

problem−−−−−→ alarm15.6−−→ alarm

delayed−−−−−→ failsafe

x 0 23

0 15.6 15.6 ···

y 0 23

23 38.6 0




··· 15.6 17.9 17.9 40 40

0 2.3 0 22.1 22.1

7/48

Introduction


safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

y :=0

delayed, y :=0

156x616

repair

26y∧x656

y :=0

done, 226y625

safe23−→ safe

problem−−−−−→ alarm


x 0 23 0

15.6 15.6 ···

y 0 23 23

38.6 0




··· 15.6 17.9 17.9 40 40

0 2.3 0 22.1 22.1

7/48

Introduction


safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

y :=0

delayed, y :=0

156x616

repair

26y∧x656

y :=0

done, 226y625

safe23−→ safe



x 0 23 0 15.6

15.6 ···

y 0 23 23 38.6

0




··· 15.6 17.9 17.9 40 40

0 2.3 0 22.1 22.1

7/48

Introduction


safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

y :=0

delayed, y :=0

156x616

repair

26y∧x656

y :=0

done, 226y625

safe23−→ safe



x 0 23 0 15.6 15.6 ···

y 0 23 23 38.6 0

failsafe

2.3−−→ failsaferepair−−−−→ repairing

22.1−−→ repairingdone−−−→ safe

··· 15.6

17.9 17.9 40 40

0

2.3 0 22.1 22.1

7/48

Introduction


safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

y :=0

delayed, y :=0

156x616

repair

26y∧x656

y :=0

done, 226y625

safe23−→ safe



x 0 23 0 15.6 15.6 ···

y 0 23 23 38.6 0




··· 15.6 17.9

17.9 40 40

0 2.3

0 22.1 22.1

7/48

Introduction


safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

y :=0

delayed, y :=0

156x616

repair

26y∧x656

y :=0

done, 226y625

safe23−→ safe



x 0 23 0 15.6 15.6 ···

y 0 23 23 38.6 0


repair−−−−→ repairing

22.1−−→ repairingdone−−−→ safe

··· 15.6 17.9 17.9

40 40

0 2.3 0

22.1 22.1

7/48

Introduction


safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

y :=0

delayed, y :=0

156x616

repair

26y∧x656

y :=0

done, 226y625

safe23−→ safe



x 0 23 0 15.6 15.6 ···

y 0 23 23 38.6 0




··· 15.6 17.9 17.9 40

40

0 2.3 0 22.1

22.1

7/48

Introduction


safe alarm

repairing

failsafe

problem, x :=0

repair

, x615

y :=0

delayed, y :=0

156x616

repair

26y∧x656

y :=0

done, 226y625

safe23−→ safe



x 0 23 0 15.6 15.6 ···

y 0 23 23 38.6 0




··· 15.6 17.9 17.9 40 40

0 2.3 0 22.1 22.1

7/48

Introduction

Basics of timed automata

[AD90] Alur, Dill. Automata for modeling real-time systems (ICALP’90).[AD94] Alur, Dill. A theory of timed automata (Theoretical Computer Science).

Theorem [AD90,AD94]

The reachability problem is decidable (and PSPACE-complete) in timedautomata.

timed automaton

finite bisimulation

large (but finite) automaton(region automaton)

8/48

Introduction

Basics of timed automata

[AD90] Alur, Dill. Automata for modeling real-time systems (ICALP’90).[AD94] Alur, Dill. A theory of timed automata (Theoretical Computer Science).

Theorem [AD90,AD94]

The reachability problem is decidable (and PSPACE-complete) in timedautomata.

timed automaton

finite bisimulation

large (but finite) automaton(region automaton)

8/48

Introduction

Outline

1. Introduction






9/48

Reachability analysis in timed automata

Outline

1. Introduction






10/48


What about the practice?

the region automaton is never computed

instead, symbolic computations are performed using zones

Example of a zone

Z = (x1 > 3) ∧ (x2 6 5) ∧ (x1 − x2 6 4)

x2

x13

5

x1−x2=4

x0 x1 x2

x0

x1

x2

∞ −3 ∞∞ ∞ 45 ∞ ∞

11/48


What about the practice?

the region automaton is never computed

instead, symbolic computations are performed using zones

Example of a zone

Z = (x1 > 3) ∧ (x2 6 5) ∧ (x1 − x2 6 4)

x2

x13

5

x1−x2=4

94

2

x0 x1 x2

x0

x1

x2

0 −3 09 0 45 2 0

11/48


Backward computation

Final

Init

, the backward computation always terminates!

12/48



Final

Init


12/48



Final

Init


12/48



Final

Init


12/48



Final

Init


12/48



Final

Init


12/48


Forward computation

Init

Final

/ the forward computation may not terminate...

; abstractions need to be used, that ensure termination...

13/48


Forward computation

Init

Final



13/48


Forward computation

Init

Final



13/48


Forward computation

Init

Final



13/48


Forward computation

Init

Final



13/48


Forward computation

Init

Final



13/48


Forward computation

Init

Final

/ the forward computation may not terminate...; abstractions need to be used, that ensure termination...

13/48


An abstraction: the extrapolation operator

3

x2

x1

5

2

Z

4 9

0 −3 09 0 45 2 0

0 −2 0∞ 0 ∞∞ 2 0

Extra2

14/48


An abstraction: the extrapolation operator

Extra2(Z)

x2

x1

Z

2

2

0 −3 09 0 45 2 0

0 −2 0∞ 0 ∞∞ 2 0

Extra2

14/48


Results

[Bou03] Bouyer. Untameable Timed Automata! (STACS’03).[Bou04] Bouyer. Forward Analysis of Updatable Timed Automata (Formal Methods in System Design).

Abug

x363

x1,x3:=0

x2=3

x2:=0

x1=2,x1:=0

x2=2,x2:=0

x1=2,x1:=0

x2=2

x2:=0

x1=3

x1:=0

x2>x1+2

x4<x3+2

Theorem [Bou03,Bou04]

In Abug, any extrapolation operator is incorrect!

The extrapolation operator is correct in diagonal-free timedautomata.

15/48


Results


Abug

x363

x1,x3:=0

x2=3

x2:=0

x1=2,x1:=0

x2=2,x2:=0

x1=2,x1:=0

x2=2

x2:=0

x1=3

x1:=0

x2>x1+2

x4<x3+2




15/48


Results


Abug

x363

x1,x3:=0

x2=3

x2:=0

x1=2,x1:=0

x2=2,x2:=0

x1=2,x1:=0

x2=2

x2:=0

x1=3

x1:=0

x2>x1+2

x4<x3+2




15/48


Improving further

[BBFL03] Behrmann, Bouyer, Fleury, Larsen. Static Guard Analysis in Timed Automata Verification (TACAS’03).[BBLP04] Behrmann, Bouyer, Larsen, Pelanek. Lower and Upper Bounds in Zone Based Abstractions of Timed Automata (TACAS’04).[BBLP06] Behrmann, Bouyer, Larsen, Pelanek. Lower and Upper Bounds in Zone-Based Abstractions of Timed Automata (International

Journal on Software Tools for Technology Transfer).

the extrapolation operator can be made coarser:

local extrapolation constants [BBFL03];distinguish between lower- and upper-bounded contraints

[BBLP03,BBLP06]

; has leaded to a practical improvement in of up to 20%!

Since then...

further improvement due to better data structure manipulations...

... but no further algorithmic improvement!

16/48


Improving further

[BBFL03] Behrmann, Bouyer, Fleury, Larsen. Static Guard Analysis in Timed Automata Verification (TACAS’03).[BBLP04] Behrmann, Bouyer, Larsen, Pelanek. Lower and Upper Bounds in Zone Based Abstractions of Timed Automata (TACAS’04).[BBLP06] Behrmann, Bouyer, Larsen, Pelanek. Lower and Upper Bounds in Zone-Based Abstractions of Timed Automata (International

Journal on Software Tools for Technology Transfer).

the extrapolation operator can be made coarser:

local extrapolation constants [BBFL03];distinguish between lower- and upper-bounded contraints

[BBLP03,BBLP06]

; has leaded to a practical improvement in of up to 20%!

Since then...

further improvement due to better data structure manipulations...

... but no further algorithmic improvement!

16/48

Model-checking timed temporal logics

Outline

1. Introduction






17/48


MotivationChecking reachability properties may not be enough:

basically only safety properties can be verified [ABBL98,ABBL03]

what about liveness properties?

And other properties?

“the monkey will eventually write the complete works of Shakespeare”

“every request is eventually granted”

“the machine produces 56 items per day until it needs to be repaired”

Need for specification languages expressing timing constraints...

“the airbag inflates no more than 56ms after the car crashes”

; critical property

“the reponse time of the memory circuit is no more than 10−12s”

; performance, quality of service

... and for algorithms to verify those properties.

We will focus on timed extensions of LTL [Pnu77]

18/48


Motivation

[ABBL98] Aceto, Bouyer, Burgueno, Larsen. The power of reachability testing for timed automata (FSTTCS’98).[ABBL03] Aceto, Bouyer, Burgueno, Larsen. The power of reachability testing for timed automata (Theoretical Computer Science).

Checking reachability properties may not be enough:

basically only safety properties can be verified [ABBL98,ABBL03]

what about liveness properties?







; critical property





18/48



basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties?







; critical property





18/48



basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties?







; critical property





18/48



basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties? And other properties?






; critical property





18/48









; critical property





18/48









; critical property





18/48









; critical property





18/48


Motivation

[Pnu77] Pnueli. The temporal logic of programs (FoCS’77).








; critical property





18/48


Motivation

[Pnu77] Pnueli. The temporal logic of programs (FoCS’77).








; critical property





18/48


Two classical timed extensions of LTL: MTL and TPTL

[Koy90] Koymans. Specifying real-time properties with Metric Temporal Logic (Real-Time Systems).

[AH89] Alur, Henzinger. A really temporal logic (FoCS’89).

MTL (Metric Temporal Logic) [Koy90]

ψ = G (request→ F61 grant)

19/48







0 1 2 3 4|= ψ

61

61

61

19/48







0 1 2 3 4|= ψ

61

61

61

0 1 2 3 46|= ψ

[0,1]

19/48







19/48



[Koy90] Koymans. Specifying real-time properties with Metric Temporal Logic (Real-Time Systems).[AH89] Alur, Henzinger. A really temporal logic (FoCS’89).



TPTL (Timed Propositional Temporal Logic) [AH89]

19/48







ψ ≡ G (request→ x · F (grant ∧ (x 6 1)))

19/48








ϕ = G (request→ x · F (ack ∧ F (grant ∧ x 6 2)))

19/48









0 1 2 3 4|= ϕ

62 62

19/48









0 1 2 3 4|= ϕ

62 62

0 1 2 3 46|= ϕ

62

19/48


Expressiveness of these logics

Conjecture (Alur & Henzinger, since 1990)

TPTL is strictly more expressive than MTL, and the TPTL formula

ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))

cannot be expressed in MTL.

However...

0 1 2

F=1 •

61

ϕ ≡

G • →

F61 • ∧ F[1,2] •

∨

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

20/48





ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))


However...

0 1 2

F=1 •

61

ϕ ≡ G • →

F61 • ∧ F[1,2] •∨

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

20/48





ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))


However...

0 1 2

F=1 •

61

ϕ ≡ G • →

F61 • ∧ F[1,2] •

∨

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

20/48





ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))


However...

0 1 2

F=1 •

61

ϕ ≡ G • →

F61 • ∧ F[1,2] •

∨

F61 ( • ∧ F61 • )

∨

F61 ( F61 • ∧ F=1 • )

20/48





ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))


However...

0 1 2

F=1 •

61

ϕ ≡ G • →

F61 • ∧ F[1,2] •

∨

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

20/48





ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))


However...

0 1 2

F=1 •

61

ϕ ≡ G • →

F61 • ∧ F[1,2] •

∨

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

20/48





ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))


However...

0 1 2

F=1 •

61

ϕ ≡ G • →

F61 • ∧ F[1,2] •

∨

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

20/48





ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))


However...

0 1 2

F=1 •

61

ϕ ≡ G • →

F61 • ∧ F[1,2] •

∨

F61 ( • ∧ F61 • )∨

F61 ( F61 • ∧ F=1 • )

20/48


Expressiveness results

[BCM05] Bouyer, Chevalier, Markey. On the expressiveness of TPTL and MTL (FSTTCS’05).

Theorem [BCM05]

The conjecture is correct: TPTL is strictly more expressive than MTL.

Also, MTL+Past is strictly more expressive than MTL.

The formulas

x · F (• ∧ (x 6 1) ∧G ((x 6 1) → ¬•)) ∈ TPTLF=1 (¬•S •) ∈ MTL+Past


0 1

21/48



[Kam68] Kamp. Tense logic and the theory of linear order (PhD UCLA).[GPSS80] Gabbay, Pnueli, Shelah, Stavi. On the temporal analysis of fairness (POPL’80).[BCM05] Bouyer, Chevalier, Markey. On the expressiveness of TPTL and MTL (FSTTCS’05).

Theorem [BCM05]

The conjecture is correct: TPTL is strictly more expressive than MTL.Also, MTL+Past is strictly more expressive than MTL.

Recall: LTL+Past and LTL are equally expressive [Kam68,GPSS80].

The formulas



0 1

21/48




Theorem [BCM05]


The formulas



0 1

21/48




Theorem [BCM05]


The formulas



0 1

21/48


Back to the model-checking problem


algorithm

yes/no

timed

autom

aton MTLTPTL formula

Theorem [AH94,AFH96,OW06...]

The model-checking problem is (mostly) undecidable...

Can be rather easily explained using channel machines...

... and more tractable fragments need be defined!

22/48




algorithm

yes/no

timed

autom

aton

MTLTPTL formula





22/48




algorithm

yes/no

timed

autom






22/48



[AH94] Alur, Henzinger. A really temporal logic (Journal of the ACM).[AFH96] Alur, Feder, Henzinger. The benefits of relaxing unctuality (Journal of the ACM).[OW06] Ouaknine, Worrell. On Metric Temporal Logic and faulty Turing machines (FoSSaCS’06).


algorithm

yes/no

timed

autom






22/48





algorithm

yes/no

timed

autom






22/48





algorithm

yes/no

timed

autom






22/48


The quest for tractable fragments of MTL

MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

23/48



[AFH96] Alur, Feder, Henzinger. The benefits of relaxing unctuality (Journal of the ACM).

MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

MITL [AFH96]: ban punctuality

G (• → F62 •) is in MITLG (• → F=1 •) is not in MITL

23/48



[AFH96] Alur, Feder, Henzinger. The benefits of relaxing unctuality (Journal of the ACM).

MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

MITL [AFH96]: ban punctuality

timed regularityverification in exponential space

23/48



[OW05] Ouaknine, Worrell. On the decidability of Metric Temporal Logic (LICS’05).

MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

Safety-MTL [OW05]: restrict to safety properties

G (• → F62 •) is in Safety-MTLG (• → F •) is not in Safety-MTL

23/48



[OW05] Ouaknine, Worrell. On the decidability of Metric Temporal Logic (LICS’05).[OW08] Ouaknine, Worrell. Some recent results in Metric Temporal Logic (FORMATS’08).

MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

Safety-MTL [OW05]: restrict to safety properties

only finite counter-examples need be looked forverification using alternating timed automatadecidable, but non-primitive recursive [OW08]

23/48



[BMOW07] Bouyer, Markey, Ouaknine, Worrell. The cost of punctuality (LICS’07).

MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

Bounded-MTL [BMOW07]: restrict to bounded future

G65 (• → F62 •) is in Bounded-MTLG (• → F62 •) is not in Bounded-MTL

23/48




MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

Bounded-MTL [BMOW07]: restrict to bounded future

expresses non-regular propertiesonly time-bounded prefixes need to be verifiedverification in exponential space

23/48




MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

coFlat-MTLLTL [BMOW07]: a flatness condition on the formula

G (• → F=1 •) is in coFlat-MTLLTL

FG61 • is not in coFlat-MTLLTL

23/48




MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

coFlat-MTLLTL [BMOW07]: a flatness condition on the formula

expresses non-regular propertiesonly counter-examples of the following form need to be looked for:

LTL LTL LTL LTL

hardhardhardhard

verification in exponential space

23/48



[BMOW08] Bouyer, Markey, Ouaknine, Worrell. On expressiveness and complexity in real-time model checking (ICALP’08).

MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

coFlat-MTLMITL [BMOW08]: a flatness condition on the formula

FG61 • is in coFlat-MTLMITL

FG=1 • is not in coFlat-MTLMITL

23/48



[BMOW08] Bouyer, Markey, Ouaknine, Worrell. On expressiveness and complexity in real-time model checking (ICALP’08).

MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

coFlat-MTLMITL [BMOW08]: a flatness condition on the formula

only counter-examples of the following form need to be looked for:

non-punctual non-punctual non-punctual non-punctual

punctualpunctualpunctualpunctual

the largest (known) fragment for which...... verification in exponential space!

23/48



MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

non-tractable

tractable

23/48



MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

PSPACE-c.

undec./NPR

EXPSPACE-c.

23/48



MTL

LTL

MITL

Safety-MTL

Bounded-MTL

coFlat-MTLLTL

coFlat-MTLMITL

PSPACE-c.

undec./NPR

EXPSPACE-c.

Algorithmics needs now to be worked out!

23/48

Modelling resources in timed systems

Outline

1. Introduction






24/48


Motivation

System resources might be relevant and even crucial information

energy consumption,memory usage,price to pay,bandwidth,...

; timed automata are not powerful enough!

A possible solution: use hybrid automata

Theorem [HKPV95]

The reachability problem is undecidable in hybrid automata.

An alternative: weighted/priced timed automata [ALP01,BFH+01]

; hybrid variables do not constrain the system

25/48


Motivation





Theorem [HKPV95]




25/48


Motivation





Theorem [HKPV95]




25/48


Motivation





Theorem [HKPV95]




25/48


Motivation

System resources might be relevant and even crucial informationenergy consumption,memory usage,price to pay,bandwidth,...



The thermostat example

Off

T=−0.5T

(T>18)

On

T=2.25−0.5T

(T622)

T619

T>21

22

18

21

19

2 4 6 8 10 time

Theorem [HKPV95]




25/48


Motivation

System resources might be relevant and even crucial informationenergy consumption,memory usage,price to pay,bandwidth,...



The thermostat example

Off

T=−0.5T

(T>18)

On

T=2.25−0.5T

(T622)

T619

T>21

22

18

21

19

2 4 6 8 10 time

Theorem [HKPV95]




25/48


Motivation

[HKPV95] Henzinger, Kopke, Puri, Varaiya. What’s decidable wbout hybrid automata? (SToC’95).





Theorem [HKPV95]




25/48


Motivation

[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).





Theorem [HKPV95]




25/48

Optimizing resources

A third model of the system

Oxford

Pontivy

Dover

Calais

Paris+2

London +2

Stansted

Nantes

Poole

St Malo

+3

+3

+3

+3

+3

+3

+3

+3

+2

+2

+7

+1

+2

x :=0

106x612

146x615x :=0

276x630

x :=0

96x612

x :=0

216x624

x=27x :=0

x=3

x :=0176

x621

x :=0

36x6

6

x :=0

276x6

32

36x6

6x :=0

x=24

x :=0

96x615

x :=0

x=13

x :=0

126x615

x=17

x :=0

x=6

x :=0

126x614

26/48


How much fuel will I use?

Oxford

Pontivy

Dover

Calais

Paris+2

London +2

Stansted

Nantes

Poole

St Malo

+3

+3

+3

+3

+3

+3

+3

+3

+2

+2

+7

+1

+2

x :=0

106x612

146x615x :=0

276x630

x :=0

96x612

x :=0

216x624

x=27x :=0

x=3

x :=0176

x621

x :=0

36x6

6

x :=0

276x6

32

36x6

6x :=0

x=24

x :=0

96x615

x :=0

x=13

x :=0

126x615

x=17

x :=0

x=6

x :=0

126x614

It is a quantitative (optimization) questionin a weighted timed automaton: at least 68 anti-planet units!

26/48


Weighted/priced timed automata [ALP01,BFH+01]


`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7

27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5 + 0 + 0 + 0.7 + 7 = 14.2

27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost :

6.5 + 0 + 0 + 0.7 + 7 = 14.2

27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5

+ 0 + 0 + 0.7 + 7 = 14.2

27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5 + 0

+ 0 + 0.7 + 7 = 14.2

27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5 + 0 + 0

+ 0.7 + 7 = 14.2

27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5 + 0 + 0 + 0.7

+ 7 = 14.2

27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5 + 0 + 0 + 0.7 + 7

= 14.2

27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7

`01.3−−→ `0

c−−→ `1u−−→ `3

0.7−−−→ `3c−−→ ,

x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7

cost : 6.5 + 0 + 0 + 0.7 + 7 = 14.2

27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7

Question: what is the optimal cost for reaching,?

inf06t62

min (

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 9

; strategy: leave immediately `0, go to `3, and wait there 2 t.u.

27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7


inf06t62

min (

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 9


27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7


inf06t62

min (

5t + 10(2− t) + 1 , 5t + (2− t) + 7

) = 9


27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7


inf06t62

min ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 )

= 9


27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7


inf06t62

min ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 ) = 9


27/48




`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

x=2,c+1

x=2,c+7


inf06t62

min ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 ) = 9


27/48


Optimization problems in weighted timed automata

[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).[BBBR07] Bouyer, Brihaye, Bruyere, Raskin. On the optimal reachability problem (Formal Methods in System Design).

Theorem [ALP01,BFH+01,BBBR07]

The optimal reachability problem is decidable (and PSPACE-complete) in(weighted) timed automata.

Theorem [BBL04,BBL08]

The optimal mean-cost problem is decidable (and PSPACE-complete) in(weighted) timed automata.

; In both cases, the corner-point abstraction can be used

(a refinement of the region automaton)

28/48



[BBL04] Bouyer, Brinksma, Larsen. Staying alive as cheaply as possible (HSCC’04).[BBL08] Bouyer, Brinksma, Larsen. Optimal infinite scheduling for multi-priced timed automata (Formal Methods in System Design).







28/48



[BBL04] Bouyer, Brinksma, Larsen. Staying alive as cheaply as possible (HSCC’04).[BBL08] Bouyer, Brinksma, Larsen. Optimal infinite scheduling for multi-priced timed automata (Formal Methods in System Design).







28/48


What if an unexpected event happens?

Oxford

Pontivy

Dover

Calais

Paris+2

London +2

Stansted

Nantes

Poole

St Malo

+3

+3

+3

+3

+3

+3

+3

+3

+2

+2

+7

+1

+2

x :=0

106x612

146x615x :=0

276x630

x :=0

96x612

x :=0

216x624

x=27x :=0

x=3

x :=0176

x621

x :=0

36x6

6

x :=0

276x6

32

36x6

6x :=0

x=24

x :=0

96x615

x :=0

x=13

x :=0

126x615

x=17

x :=0

x=6

x :=0

126x614

Flightcancelled!

On strike!!!

; modelled as timed games

29/48



Oxford

Pontivy

Dover

Calais

Paris+2

London +2

Stansted

Nantes

Poole

St Malo

+3

+3

+3

+3

+3

+3

+3

+3

+2

+2

+7

+1

+2

x :=0

106x612

146x615x :=0

276x630

x :=0

96x612

x :=0

216x624

x=27x :=0

x=3

x :=0176

x621

x :=0

36x6

6

x :=0

276x6

32

36x6

6x :=0

x=24

x :=0

96x615

x :=0

x=13

x :=0

126x615

x=17

x :=0

x=6

x :=0

126x614

Flightcancelled!

On strike!!!


29/48



Oxford

Pontivy

Dover

Calais

Paris+2

London +2

Stansted

Nantes

Poole

St Malo

+3

+3

+3

+3

+3

+3

+3

+3

+2

+2

+7

+1

+2

x :=0

106x612

146x615x :=0

276x630

x :=0

96x612

x :=0

216x624

x=27x :=0

x=3

x :=0176

x621

x :=0

36x6

6

x :=0

276x6

32

36x6

6x :=0

x=24

x :=0

96x615

x :=0

x=13

x :=0

126x615

x=17

x :=0

x=6

x :=0

126x614

Flightcancelled!

On strike!!!


29/48


Weighted timed games

`0 `1

(y=0)

`2

`3

,x62,c,y :=0

u

u

u

u

x=2,c

x=2,c

Question: what is the optimal cost we can ensure while reaching,?

inf06t62

max (

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 14 +1

3

; strategy: wait in `0, and when t = 43 , go to `1

30/48



`0 `1

(y=0)

`2

`3

,x62,c,y :=0

u

u

u

u

x=2,c

x=2,c


inf06t62

max (

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 14 +1

3


30/48



`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

u

u

x=2,c+1

x=2,c+7


inf06t62

max (

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 14 +1

3


30/48



`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

u

u

x=2,c+1

x=2,c+7


inf06t62

max (

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 14 +1

3


30/48



`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

u

u

x=2,c+1

x=2,c+7


inf06t62

max (

5t + 10(2− t) + 1

, 5t + (2− t) + 7 ) = 14 +1

3


30/48



`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

u

u

x=2,c+1

x=2,c+7


inf06t62

max (

5t + 10(2− t) + 1 , 5t + (2− t) + 7

) = 14 +1

3


30/48



`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

u

u

x=2,c+1

x=2,c+7


inf06t62

max ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 )

= 14 +1

3


30/48



`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

u

u

x=2,c+1

x=2,c+7


inf06t62

max ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 ) = 14 +1

3


30/48



`0

+5

`1

(y=0)

`2

+10

`3

+1

,x62,c,y :=0

u

u

u

u

x=2,c+1

x=2,c+7


inf06t62

max ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 ) = 14 +1

3


30/48


Optimal reachability in weighted timed games

[LMM02] La Torre, Mukhopadhyay, Murano. Optimal-reachability and control for acyclic weighted timed automata (TCS@02).[ABM04] Alur, Bernardsky, Madhusudan. Optimal reachability in weighted timed games (ICALP’04).[BCFL04] Bouyer, Cassez, Fleury, Larsen. Optimal strategies in priced timed game automata (FSTTCS’04).

This topic has been fairly hot these last couple of years...e.g. [LMM02,ABM04,BCFL04]

Theorem [BBR05,BBM06]

Optimal timed games are undecidable, as soon as automata have threeclocks or more.

Theorem [BLMR06]

Turn-based optimal timed games are decidable in 3EXPTIME whenautomata have a single clock. They are PTIME-hard.

31/48



[BBR05] Brihaye, Bruyere, Raskin. On optimal timed strategies (FORMATS’05).[BBM06] Bouyer, Brihaye, Markey. Improved undecidability results on weighted timed automata (Information Processing Letters).




Theorem [BLMR06]


31/48



[BBR05] Brihaye, Bruyere, Raskin. On optimal timed strategies (FORMATS’05).[BBM06] Bouyer, Brihaye, Markey. Improved undecidability results on weighted timed automata (Information Processing Letters).[BLMR06] Bouyer, Larsen, Markey, Rasmussen. Almost-optimal strategies in one-clock priced timed automata (FSTTCS’06).




Theorem [BLMR06]


31/48

Managing resources

A fourth model of the system

Oxford+5

Pontivy+5

Dover−2

Calais−2

Paris0

London +5

Stansted +5

Nantes +5

Poole−2

St Malo−2

−2

−2

−2

−2

−2

−2

−2

−2

+5

+5

−2

−2

−2

x :=0

106x612

146x615x :=0

276x630

x :=0

96x612

x :=0

216x624

x=27x :=0

x=3

x :=0176

x621

x :=0

36x6

6

x :=0

276x6

32

36x6

6x :=0

x=24

x :=0

96x615

x :=0

x=13

x :=0

126x615

x=17

x :=0

x=6

x :=0

126x614

32/48

Managing resources

Can I work with my computer all the way?

Oxford+5

Pontivy+5

Dover−2

Calais−2

Paris0

London +5

Stansted +5

Nantes +5

Poole−2

St Malo−2

−2

−2

−2

−2

−2

−2

−2

−2

+5

+5

−2

−2

−2

x :=0

106x612

146x615x :=0

276x630

x :=0

96x612

x :=0

216x624

x=27x :=0

x=3

x :=0176

x621

x :=0

36x6

6

x :=0

276x6

32

36x6

6x :=0

x=24

x :=0

96x615

x :=0

x=13

x :=0

126x615

x=17

x :=0

x=6

x :=0

126x614

batterycharge

40

20

2 13 16.5 22.3 45 56 60.4

32/48

Managing resources

Can I work with my computer all the way?

Oxford+5

Pontivy+5

Dover−2

Calais−2

Paris0

London +5

Stansted +5

Nantes +5

Poole−2

St Malo−2

−2

−2

−2

−2

−2

−2

−2

−2

+5

+5

−2

−2

−2

x :=0

106x612

146x615x :=0

276x630

x :=0

96x612

x :=0

216x624

x=27x :=0

x=3

x :=0176

x621

x :=0

36x6

6

x :=0

276x6

32

36x6

6x :=0

x=24

x :=0

96x615

x :=0

x=13

x :=0

126x615

x=17

x :=0

x=6

x :=0

126x614

batterycharge

40

20

2 13 16.5 22.3 45 56 60.432/48

Managing resources

An example of resource management

`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

Lower-bound problem: can we stay above 0?

Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?

33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1

Lower-bound problemLower-upper-bound problem: can we stay within bounds?


33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1lost!



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1lost!



33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1

Lower-bound problemLower-upper-bound problemLower-weak-upper-bound problem: can we “weakly” stay withinbounds?

33/48

Managing resources


`0

−3

`1

+6

`2

−6

x=1x :=0

Globally (x61)

00

1

2

3

4

1

Lower–bound problem ; L

Lower-upper-bound problem ; L+U

Lower-weak-upper-bound problem ; L+W

33/48

Managing resources

Only partial results so far [BFLMS08]

[BFLMS08] Bouyer, Fahrenberg, Larsen, Markey, Srba. Infinite runs in weighted timed automata with energy constraints (FORMATS’08).

0 clock!

L

L+W

L+U

exist. problem univ. problem games

∈ PTIME ∈ PTIME∈ UP ∩ co-UP

PTIME-hard

∈ PTIME ∈ PTIME∈ NP ∩ co-NP

PTIME-hard

∈ PSPACE

NP-hard∈ PTIME EXPTIME-c.

34/48

Managing resources



1 clock

L

L+W

L+U


∈ PTIME ∈ PTIME ?

∈ PTIME ∈ PTIME ?

? ? undecidable

34/48

Managing resources



n clocks

L

L+W

L+U


? ? ?

? ? ?

? ? undecidable

34/48

Managing resources

Single-clock L+U-games

TheoremThe single-clock L+U-games are undecidable.

We encode the behaviour of a two-counter machine:

each instruction is encoded as a module;

the values c1 and c2 of the counters are encoded by the energy level

e = 5− 1

2c1 · 3c2

when entering the corresponding module.

There is an infinite execution in the two-counter machine iff there is astrategy in the single-clock timed game under which the energy levelremains between 0 and 5.

; We present a generic constructionfor incrementing/decrementing the counters.

35/48

Managing resources






e = 5− 1

2c1 · 3c2




35/48

Managing resources






e = 5− 1

2c1 · 3c2




35/48

Managing resources






e = 5− 1

2c1 · 3c2




35/48

Managing resources

Generic module for incrementing/decrementing

m

−6

m1

−6

+5

module ok

m2

+30

m3

+30

−5

module ok

n

−αx :=0

x :=0

x=1

x=1

x :=0

x=1

energy

x0 1

5−e

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

36/48

Managing resources


m

−6

m1

−6

+5

module ok

m2

+30

m3

+30

−5

module ok

n

−αx :=0

x :=0

x=1

x=1

x :=0

x=1

energy

x0 1

5−e

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

36/48

Managing resources


m

−6

m1

−6

+5

module ok

m2

+30

m3

+30

−5

module ok

n

−αx :=0

x :=0

x=1

x=1

x :=0

x=1

energy

x0 1

5−e

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

36/48

Managing resources


m

−6

m1

−6

+5

module ok

m2

+30

m3

+30

−5

module ok

n

−αx :=0

x :=0

x=1

x=1

x :=0

x=1

energy

x0 1

5−e

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

36/48

Managing resources


m

−6

m1

−6

+5

module ok

m2

+30

m3

+30

−5

module ok

n

−αx :=0

x :=0

x=1

x=1

x :=0

x=1

energy

x0 1

5−e

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

36/48

Managing resources


m

−6

m1

−6

+5

module ok

m2

+30

m3

+30

−5

module ok

n

−αx :=0

x :=0

x=1

x=1

x :=0

x=1

energy

x0 1

5−e

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

36/48

Managing resources


m

−6

m1

−6

+5

module ok

m2

+30

m3

+30

−5

module ok

n

−αx :=0

x :=0

x=1

x=1

x :=0

x=1

energy

x0 1

5−e

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

36/48

Managing resources


m

−6

m1

−6

+5

module ok

m2

+30

m3

+30

−5

module ok

n

−αx :=0

x :=0

x=1

x=1

x :=0

x=1

energy

x0 1

5−e

5−e6

5−αe6

α=3: increment c1

α=2: increment c2

α=12: decrement c1

α=18: decrement c2

36/48

Managing resources

Partial conclusion and perspectives

Weighted timed automata, an interesting model for representingresources in timed systems

, some optimization problems are (fully) decidable(with a reasonable complexity)

; algorithmics needs to be further developed

/ many problems are undecidable in general(we did not mention the model-checking problem, but it is mostly undecidable)

restriction of the underlying timed automaton to one clock anddevelopment of specific algorithmsdevelopment of approximation schemes

Many open problems to be solved, e.g. in resource management

Compute equilibria in weighted timed games; towards a theory of timed games

37/48

Managing resources









37/48

Managing resources









37/48

Managing resources









37/48

Managing resources






restriction of the underlying timed automaton to one clock anddevelopment of specific algorithms

development of approximation schemes



37/48

Managing resources









37/48

Managing resources









37/48

Managing resources









37/48

Probabilistic analysis of timed automata

Outline

1. Introduction






38/48


Motivation

The goal

Define a (meaningful) measure on runs of timed automata that will tellus how likely properties are satisfied.

In the running example: “how likely will I visit Paris?”

“how long should I expect be waiting in Paris?”

A relaxed semantics for timed automata

removes behaviours that are unlikely to happen and could unfairlyviolate/validate a propertyrelaxes (some of the) assumptions made in timed automata, like theinfinite precision of the clocksrelated works include implementability issues, robust semantics, etc.

A new timed and probabilistic model

models a purely probabilistic environmentrelated models include continuous-time Markov chains, andprobabilistic timed automata

39/48


Motivation

The goal








39/48


Motivation

The goal








39/48


Motivation

The goal








39/48


Methodology

Rough idea

Build a stochastic process based on a timed automaton by randomizingall possible evolutions of the system.

We put (continuous) distributions over delays...

... and discrete distributions over transitions.

; this naturally defines a probability measure P over sets of runs.

P(A |= ϕ

)measures “how likely A satisfies ϕ”

Two natural questions:

; decide whether P(A |= ϕ

)= 1 (qualitative question)

; compute (an approximation of) P(A |= ϕ

)(quantitative question)

40/48


Methodology

Rough idea





P(A |= ϕ







40/48


Methodology

Rough idea





P(A |= ϕ







40/48


Methodology

Rough idea





P(A |= ϕ







40/48


Methodology

Rough idea





P(A |= ϕ







40/48


Methodology

Rough idea





P(A |= ϕ







40/48


Methodology

Rough idea





P(A |= ϕ







40/48


An example

`0

(x61)

`1 `2

(x61)

`3

(x61)

e2, x61

e3, x=1

e4, x>3, x :=0

e5, x61

e6, x=0

e1, x61 e7, x61

A 6|= G (• ⇒ F •) but P(A |= G (• ⇒ F •)

)= 1

Indeed, almost surely, paths are of the form e∗1 e2

(e4e5

)ω

41/48


An example

`0

(x61)

`1 `2

(x61)

`3

(x61)

e2, x61

e3, x=1

e4, x>3, x :=0

e5, x61

e6, x=0

e1, x61 e7, x61

A 6|= G (• ⇒ F •)

but P(A |= G (• ⇒ F •)

)= 1


(e4e5

)ω

41/48


An example

`0

(x61)

`1 `2

(x61)

`3

(x61)

e2, x61

e3, x=1

e4, x>3, x :=0

e5, x61

e6, x=0

e1, x61 e7, x61

A 6|= G (• ⇒ F •) but P(A |= G (• ⇒ F •)

)= 1


(e4e5

)ω

41/48


An example

`0

(x61)

`1 `2

(x61)

`3

(x61)

e2, x61

e3, x=1

e4, x>3, x :=0

e5, x61

e6, x=0

e1, x61 e7, x61

A 6|= G (• ⇒ F •) but P(A |= G (• ⇒ F •)

)= 1


(e4e5

)ω

41/48


The classical region automaton

`0,0

`0,(0,1)

`0,1

`1,0

`1,(0,1)

`1,1

`2,0 `3,0

`3,(0,1)

`3,1

e1

e1

e1

e1

e1

e1

e2

e2

e2e2

e2

e2

e3

e4

e 4

e 4

e5

e5

e 5

e6

e7

e7

e7

e7

e7

e1

... viewed as a finite Markov chain MC (A)

Proposition

For single-clock timed automata,

P(A |= ϕ

)= 1 iff P

(MC (A) |= ϕ

)= 1

(this is independent of the choice of the distributions...)

42/48


The pruned region automaton

`0,0

`0,(0,1)

`0,1

`1,0

`1,(0,1)

`1,1

`2,0 `3,0

`3,(0,1)

`3,1

e1

e1

e1

e1

e1

e1

e2

e2

e2

e2

e2

e2

e3

e4

e 4

e 4

e5

e5

e 5

e6

e7

e7

e7

e7

e7

e1


Proposition


P(A |= ϕ

)= 1 iff P

(MC (A) |= ϕ

)= 1


42/48



`0,0

`0,(0,1)

`0,1

`1,0

`1,(0,1)

`1,1

`2,0

`3,0

`3,(0,1)

`3,1

e1

e1

e1

e1

e1

e1

e2

e2

e2

e2

e2

e2

e3

e4

e 4

e 4

e5

e5

e 5

e6

e7

e7

e7

e7

e7

e1


Proposition


P(A |= ϕ

)= 1 iff P

(MC (A) |= ϕ

)= 1


42/48



`0,0

`0,(0,1)

`0,1

`1,0

`1,(0,1)

`1,1

`2,0

`3,0

`3,(0,1)

`3,1

e1

e1

e1

e1

e1

e1

e2

e2

e2

e2

e2

e2

e3

e4

e 4

e 4

e5

e5

e 5

e6

e7

e7

e7

e7

e7

e1


Proposition


P(A |= ϕ

)= 1 iff P

(MC (A) |= ϕ

)= 1


42/48



`0,0

`0,(0,1)

`0,1

`1,0

`1,(0,1)

`1,1

`2,0

`3,0

`3,(0,1)

`3,1

e1

e1

e1

e1

e1

e1

e2

e2

e2

e2

e2

e2

e3

e4

e 4

e 4

e5

e5

e 5

e6

e7

e7

e7

e7

e7

e1


Proposition


P(A |= ϕ

)= 1 iff P

(MC (A) |= ϕ

)= 1


42/48


Probabilistic model-checking

[BBBBG08] Baier, Bertrand, Bouyer, Brihaye, Großer. Almost-sure model checking of infinite paths in one-clock timed automata (LICS’08).[BBBM08] Bertrand, Bouyer, Brihaye, Markey. Quantitative model-checking of one-clock timed automata under probabilistic semantics (QEST’08).

Theorem [BBBBG08]

For single-clock timed automata, the almost-sure model-checking

of LTL is PSPACE-complete;

of ω-regular properties is NLOGSPACE-complete;

of the non-zenoness property is in NLOGSPACE.

Theorem [BBBM08]

In single-clock timed automata, we can compute (an approximation of)the probability of satisfying an LTL/ω-regular property (for exponentialdistributions).

; none of these results extend to two-clock timed automata...

43/48




Theorem [BBBBG08]





Theorem [BBBM08]



43/48




Theorem [BBBBG08]





Theorem [BBBM08]



43/48


Perspectives

Further study this timed and probabilistic model

timed automata with an arbitrary number of clocks(hint: restrict the distributions)model-checking timed properties like those in MTL

measurability of MTL propertiescan we get a better complexity than NPR?

performance analysis (expected time, mean waiting time, etc.)(this model, a 1

2-player model, generalizes continuous-time Markov chains)

Study the 1 12 - and 2 1

2 -player models(to model non-determinism and interaction)

preliminary result: quantitative model-checking of the 2 12-player

model is undecidable

Design an irrefutable example

44/48


Perspectives











44/48


Perspectives











44/48

Summary and perspectives

Outline

1. Introduction






45/48


Summary

A progressive lift from qualitative to quantitative considerations:

quantitativeverification

qualitativeverification

untimedproperties

timedproperties

resource-basedproperties

Reachability(2.)

Timed prop.(3.)

Resources(4.)

Proba. analysisof LTL (5.)

46/48


Summary

A progressive lift from qualitative to quantitative considerations:

quantitativeverification

qualitativeverification

untimedproperties

timedproperties

resource-basedproperties

Reachability(2.)

Timed prop.(3.)

Resources(4.)

Proba. analysisof LTL (5.)

46/48


Perspectives


study further the resource management problem

develop approximation schemes(undecidability relies on the infinite precision of the system)

compute equilibria

Probabilities and timed automata

investigate further the 12 -player model

model with several clocks(hint: restrict the allowed distributions)

quantitative properties (time and resources)performance analysis: expected time, etc.

add non-determinism and interaction (1 12 - and 2 1

2 -player models)(preliminary results: undecidability rather far away...)

design an irrefutable example

47/48


Perspectives


study further the resource management problem

develop approximation schemes(undecidability relies on the infinite precision of the system)

compute equilibria

Probabilities and timed automata

investigate further the 12 -player model

model with several clocks(hint: restrict the allowed distributions)

quantitative properties (time and resources)performance analysis: expected time, etc.

add non-determinism and interaction (1 12 - and 2 1

2 -player models)(preliminary results: undecidability rather far away...)

design an irrefutable example

47/48


Perspectives

[BMR08] Bouyer, Markey, Reynier. Robust analysis of timed automata via channel machines (FoSSaCS’08).

Adequation of timed models to timed systems

Two main approaches: relaxed satisfactionrobust satisfaction

Relaxed satisfaction: cf probabilities and timed automata

Robust satisfaction:

develop further the purely channel-machine approach of [BMR08]synthesize systems that are robustly correct by constructionfurther think of other notions of robustness

48/48


Perspectives







48/48


Perspectives







48/48

Documents

LSVbouyer/files/bouyer-hdr-soutenance.pdf · Reachability analysis in timed automata Improving further [BBFL03] Behrmann, Bouyer, Fleury, Larsen. Static Guard Analysis in Timed Automata