Steering Committee - MOVEP'14movep14.irccyn.ec-nantes.fr/files/proceedings-movep14.pdfSteering Committee Franck Cassez (National ICT Australia , Sydney, Australia) Thierry J eron (Inria

2

Steering Committee

• Franck Cassez (National ICT Australia , Sydney, Australia)

• Thierry Jeron (Inria Rennes-Bretagne Atlantique, Rennes, France)

• Didier Lime (IRCCyN, Ecole Centrale de Nantes, France)

• Christof Loding (RWTH Aachen, Germany)

• Nicolas Markey (LSV, CNRS & ENS de Cachan, France)

• Pierre-Alain Reynier (LIF, Aix-Marseille Universite & CNRS, Marseille,France)

3

Organisation Committee

• Didier Lime (IRCCyN, Ecole Centrale de Nantes, France) – Chair

• Benoıt Delahaye (LINA, Universite de Nantes, France) – Co-chair

• Claude Jard (LINA, Universite de Nantes, France)

• Olivier H. Roux (IRCCyN, Ecole Centrale de Nantes, France)

• Michele-Anne Audrain (IRCCyN, CNRS, France)

• Virginie Dupont (IRCCyN, CNRS, France)

• Laurence Drant (LINA, CNRS, France)

• Elodie Guidon (LINA, Universite de Nantes, France)

• Anne-Francoise Quin (LINA, CNRS, France)

4

Program Committee

• Ahmed Bouajjani (LIAFA, Universite Paris-Diderot, France)

• Gilles Barthe (IMDEA, Spain)

• Krishnendu Chatterjee (IST, Austria)

• Alessandro Cimatti (IRST, Italy)

• Veronique Cortier (LORIA, CNRS & INRIA, France)

• Pedro D’Argenio (FaMAF, Universidad Nacional de Cordoba, Argentina)

• Giorgio Delzanno (University of Genova, Italy)

• Dino Distefano (Facebook, United Kingdom)

• Javier Esparza (Technische Universitat Munchen, Germany)

• Martin Franzle (University of Oldenburg, Germany)

• Hugo Gimbert (LaBRI, CNRS & University of Bordeaux, France)

• Boudewijn Haverkort (University of Twente, the Netherlands)

• Petr Jancar (Technical University, Ostrava, Czech Republic)

• Bengt Jonsson (Uppsala University, Sweden)

• Joost-Pieter Katoen (RWTH Aachen University, Germany)

• Felix Klaedtke (NEC Laboratories Europe, Germany)

• Kim G. Larsen (Aalborg University, Denmark)

• Martin Leucker (University of Lubeck, Germany)

• Rupak Majumdar (MPI-SWS & UCLA, Germany)

• Oded Maler (VERIMAG, CNRS, France)

• Antoine Mine (CNRS & ENS Paris, France)

• Dave Parker (University of Birmingham, United Kingdom)

• Jean-Francois Raskin (Universite Libre de Bruxelles, Belgium)

• Stefan Schwoon (LSV, CNRS & ENS Cachan, France)

• Jeremy Sproston (University of Torino, Italy)

• Luca Vigano (King’s College London, United Kingdom)

5

6

Contents

Invited contributions 8E. Bartocci. Runtime Verification . . . . . . . . . . . . . . . . . . . . . 10P. Bouyer. An introduction to timed automata . . . . . . . . . . . . . 25S. Delaune. Verification of Security Protocols: from Confidentiality to

Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53M. Faella. Hybrid Systems . . . . . . . . . . . . . . . . . . . . . . . . 56H. Hermanns. Specification and evaluation of Markov models . . . . . 58J.-P. Katoen. Logic and Verification . . . . . . . . . . . . . . . . . . . 59M. Koutny. Concurrent Systems . . . . . . . . . . . . . . . . . . . . . 60D. Parker. Probabilistic Real-time Systems . . . . . . . . . . . . . . . 61J.-F. Raskin. Quantitative Games . . . . . . . . . . . . . . . . . . . . 62P.-A. Reynier. Robustness of Timed Systems . . . . . . . . . . . . . . 64S. Schewe. Beautiful games you cannot stop playing . . . . . . . . . . 69

Student sessions 74A. Ait Wakrime. Deadlock-freedom of component-based approach for

scientific applications . . . . . . . . . . . . . . . . . . . . . . . . . 76E. Ben Abdallah. Exhaustive search of dynamical properties in process

hitting using answer set programming . . . . . . . . . . . . . . . 82F. Blahoudek. Chasing the Best Buchi Automata for Nested Depth-

first Search Based Model Checking . . . . . . . . . . . . . . . . . 89R. Bozianu. Safraless Synthesis for Epistemic Temporal Specifications 95P. Carlier. Composition of stochastic timed automata . . . . . . . . . 102M. Folschette. Efficient analysis on very large models . . . . . . . . . . 108P. Gardy. Quantitative verification: deciding temporal logics with

numerical assertions . . . . . . . . . . . . . . . . . . . . . . . . . 114S. Getir. Model-based probabilistic incremental verification for evolv-

ing systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119D. Gebler. Metric assume-guarantee reasoning with probabilistic pro-

cess calculi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123Q. Hautem. k-fault tolerant Nash equilibria . . . . . . . . . . . . . . . 130G. Kılınc. Observable Liveness . . . . . . . . . . . . . . . . . . . . . . 135I. Mainz. Symbolic representation of convex polyhedra . . . . . . . . . 141L. Nenzi. Verification of stochastic and spatial behaviours of complex

systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147H. Normann. True concurrency models as Psi-calculi . . . . . . . . . . 154M. Perrin. Update Consistent Distributed Data Types . . . . . . . . . 160A. Reyes-Amaro. New parallel algorithms for combinatorial optimization166

7

M. Tinacci. Collective adaptive systems: a language, a model, anapproximation technique . . . . . . . . . . . . . . . . . . . . . . . 172

8

Invited contributions

9

Runtime Verification

Ezio BartocciInstitute of Computer EngineeringVienna University of Technology

Vienna, Austria

[email protected]

AbstractRuntime verification is concerned with the analysis of software or hardware at execution time. It isbased on extracting information from a running system and monitoring if the observed behaviourssatisfy or violate the properties of interest. These techniques are critical for system correctness,reliability, security, and robustness. They are more practical than exhaustive formal verification andmore versatile than conventional testing. During the last decade, many important tools and techniqueshave been developed and successfully employed in several application domains that go beyond theprogram verification: mixed-signal analysis, falsification analysis of cyber-physical and biologicalsystems, signal processing and music detection. These notes, without claiming to be exhaustive, areintended to provide the students of MOVEP 2014 with a general overview about the logic formalismsto specify properties and some of the monitoring techniques developed in this area of research.

1 General Problem

Runtime verification (RV) or monitoring [12, 35] is a lightweight yet powerful formal technique usedto check whether the current execution of a program satisfies or violates a property of interest. Thistechnique differs from the classical and more expensive model checking [20, 55] that aims instead toverify the correctness of the property exhaustively for all the possible program behaviors. Monitoringis generally used when the system model is too big to handle with model checking due to the state-explosion problem, or when the system model is not available, or it is a black-box where only the outputsare observable. Furthermore, runtime verification can also be used to trigger some system recoveryactions when a safety property is violated.

RV is the problem of, given a program P, execution trace τ of P, and temporal logic formula φ ,decide whether τ satisfies φ . To perform RV, one typically transforms φ into a monitor (a possiblyparameterized finite state machine) Mφ and instruments P so that it emits events of interest to Mφ . Thisallows Mφ to process these events and determine whether the event sequence satisfies φ .

The overhead associated with RV is a measure of how much longer a program takes to execute due toruntime monitoring. If the original program executes in time R, and the instrumented program executesin time R+M with monitoring, we say that the monitoring overhead is M

R .RV is event-triggered if the monitor is invoked whenever a new event is triggered by the system.

This approach guarantees that all the events of interest are correctly processed. However, the overheadbecomes unpredictable and it depends on the frequency with which the events are processed by themonitor. While this is acceptable in many applications, it may be unacceptable in applications withreal-time constraints. In such cases, overhead control is necessary.

For example, in [36] the authors presented an overhead-control technique that selectively turns moni-toring on and off, such that the use of a short-term or long-term overhead budget is maximized and never

10

2 Ezio Bartocci

exceeded. Gaps in monitoring, however, introduce uncertainty in the monitoring results. To quantify theuncertainty, one needs to estimate the current state of the program [62, 38, 10].

An alternative approach is time-triggered monitoring [16], where the monitors take a snapshot of theobservable program variables at regular intervals. In this case the overhead is constant, but an importantproblem to address is how to choose the right sampling period that should be ideally smaller than thetime required for the variables of interest to change their values.

Monitoring can be performed also without program instrumentation. In this case, it requires only toprocess a set of measurements. For this reason, this technique is very flexible and it has been applied inseveral application domains that go beyond the program verification: mixed-signal analysis [37], analysisof the numerical simulations of biological models [23, 24], music detection [27], etc. The analysis thatcan be performed using RV techniques is generally referred as falsification analysis since monitoring islimited to safety properties that are possible to falsify with a finite number of events.

These notes are intended to provide the students of MOVEP 2014 with a general overview about thelogic formalisms and monitoring techniques employed in RV. In Section 2 we present the most famoustemporal logic formalisms to specify the requirements to be monitored. Finally, in Section 3 we reviewsome popular monitoring techniques.

2 Temporal Logics

2.1 Linear Temporal Logic

Temporal Logic (TL) [53] provides a convenient framework for writing, in a compact and formal way,specifications that the system under test should satisfy. The most popular formalism to specify safetyproperties to be monitored is the Linear Temporal Logic (LTL). LTL operates on a discrete time model,where a program produces a sequence of events (trace) that determines the truth value of the atomicelements of a temporal logic formula. In LTL only the order of these events is really important, whilethe actual time at which these events occur cannot be specified.

Definition 1 (Linear Temporal Logic (LTL) Syntax [53]). The syntax for a LTL formula is described bythe following grammar:

ϕ ::=> |p | ¬ϕ | ϕ ∧ϕ | ©ϕ| ϕ U ϕ

where p ∈ AP, >is true. A LTL formula has atomic propositions p, logical connectives ¬ ∧, temporaloperators© (next), U (until). We can define the following derivative logical and temporal operators:

⊥ψ ∨ϕψ → ϕψ ↔ ϕψ♦ψ

⇔⇔⇔⇔⇔⇔

¬>¬(¬ψ ∧¬ϕ)¬ψ ∨ϕ(ψ → ϕ)∧ (ϕ → ψ)¬(⊥ U ¬ψ)> U ψ

false (⊥)or (∨)implies (→)equivalent (↔)always ()eventually (♦)

The classical logical connectives (¬, ∨, ∧,→,↔) specifies the relationship between logical statementsat the current time. The temporal operators describe the relationship of logical expressions over time.

The future operator globally (ψ) specifies that the expression ψ is true now and will be true at allpoints in the future, eventually (♦ψ) specifies that ψ must be true at the current time or at some point inthe future, and until (ϕ U ψ) specifies that at current time or at some point in the future ψ must be trueand that ϕ must at least have been true at every point between the current time and that point.

11

Runtime Verification 3

Definition 2 (Linear Temporal Logic (LTL) Semantics [53]). Let be τ = τ0τ1 · · ·τi · · · ∈ Σω (trace) aninfinite word with i ∈ N being a position corresponding to a particular time step. Then the semantics ofan LTL formula is defined inductively as follows:

τ, i |=>τ, i |= pτ, i |= ¬ϕτ, i |= ϕ1∧ϕ2τ, i |=© ϕτ, i |= ϕ1 U ϕ2

⇔⇔⇔⇔⇔

p ∈ τi

τ, i 6|= ϕτ, i |= ϕ1 and τ, i |= ϕ2τ, i+1 |= ϕ∃k ≥ i τ,k |= ϕ2 and ∀l : i≤ l < k τ, l |= ϕ1

Moreover, τ |= ϕ holds⇔ τ,0 |= ϕ .

A typical property stated in temporal logic is (req→ ♦(ack)), indicating that it is invariably thecase that a request eventually triggers an acknowledgment.

2.2 Metric Temporal Logic

In the last years, temporal logic has been extended to the specification of properties of real-valued sig-nals [45] defined over dense time [47, 4, 5] and applied to diverse domains, such as analog circuits [37],biochemical reactions [24], synthetic biological circuits [9] and music [27].

The most popular extension is the Metric Temporal Logic (MTL) in which the temporal modalities ofLTL are augmented with timing constraints [41]. For example, it is possible to specify the requirementsthat a real-time system should satisfy (the following example is adapted from [52]): every time an alarmis triggered, it is then followed by a shutdown event in 10 time units unless the reboot event is calledfirst. The aforementioned property can be stated in MTL as it follows:

(alarm → (♦(0,10)reboot ∨♦10shutdown)))

where ♦(0,10) specifies that eventually sometime in the next 10 time units and ♦10 specifies that inexactly 10 time units.

Definition 3 (Metric Temporal Logic (MTL) Syntax [41]). The syntax for a MTL formula is describedby the following grammar:

ϕ ::=> |p | ¬ϕ | ϕ ∧ϕ | ϕ UI ϕ

where p ∈ Σ, Σ is an alphabet of atomic events, UI is the time-constrained version of the until op-erator, I ⊂ R≥0 is open, closed, or half-open interval with endpoints in N∪∞. The annotation of Iis omitted when I = [0,∞). The expression ’≥ 2’ specifies [2,∞) and ’= 3’ specifies the singleton 3.Additional temporal can be defined as it follows:

©I ϕ♦I ϕI ϕϕ1 UI ϕ2

⇔⇔⇔⇔

⊥ UI ϕ> UI ϕ¬♦I ¬ϕ¬((¬ϕ1) UI (¬ϕ2))

constrained next timeconstrained eventuallyconstrained alwaysdual-until

The use of the dual-until allows to translate any MTL formula into a negation normal form, in whichnegation is only applied to propositional variables.

12

4 Ezio Bartocci

There are two time models that are considered in the literature: the interval-based and the pointwise.In the interval-based time model, traces consist of continuous signals, differing from the point-basedtime model, where each state has a time-stamp. However, using the interval-based time model, boththe satisfiability problem (asking whether a given MTL formula ϕ is satisfiable by a signal) and themodel checking problem (asking whether a timed automaton satisfies a given MTL formula ϕ) becomeundecidable [4]. Hence, here we consider only the MTL semantics over the pointwise time model, whereformulas are interpreted over time words.

Definition 4 (Timed word [52]). Given Σ as the alphabet of atomic events, a timed word ρ is a finiteor infinite sequence (σ0,τ0)(σ1,τ1) · · · where σi ∈ Σ and τi ∈ R+, such that the sequence (τi) is strictlyincreasing and non-Zeno, so it is either finite or diverges to infinity, reflecting the fact that a system canonly change the state in a bounded time interval. Finally, we write T Σω for the set of non-Zeno timedwords over Σ.

Definition 5 (MTL Semantics over pointwise timed model [50]). Given a timed word ρ = (σ ,τ) and aMTL formula ϕ , the satisfaction relation (σ ,τ) |= ϕ is defined as follows:

(ρ, i) |=>(ρ, i) |= p(ρ, i) |= ¬ϕ(ρ, i) |= ϕ1∧ϕ2(ρ, i) |= ϕ1 UI ϕ2

⇔⇔⇔⇔

σi = p(ρ, i) 6|= ϕ(ρ, i) |= ϕ1 and (ρ, i) |= ϕ2∃ j ≥ i such that (ρ, j) |= ϕ2,τ j− τi ∈ I, and (ρ,k) |= ϕ1 ∀k : i≤ k ≤ j

Moreover, ρ |= ϕ holds ⇔ (ρ,0) |= ϕ . The language of ϕ is the set L(ϕ) = ρ ∈ T Σω : ρ |= ϕ ofnon-Zeno words that satisfy ϕ .

Ouaknine and Worrel in [52] show that while the problem of satisfiability for MTL over infinite timedwords is still undecidable, this is not true for finite timed words for which the problem becomes decidablebut it has a non primitive recursive complexity [51]. The same authors have proved also in [50] that if werestrict the interval of the until (UI) to have a finite length, then the satisfiability problem becomes fullydecidable (for finite and infinite timed words). This fragment of MTL logic is called Safety MTL [50].

2.3 Signal Temporal Logic

In [3], the authors show that the source of undecidability for the continuous semantics in MTL is dueto the excessive precision of time constraints. For example, in MTL it is possible to specify punctualformulas, such as 2p with a singleton interval as time constraint. This problem has led the communityto propose fragments of MTL in which punctual formulas cannot be expressed. A very popular fragmentof MTL that does not allow punctual specification is the Metric Interval Temporal Logic (MITL). Aluret al. in [3] provide a method to traslate MITL formula into non-deterministic timed automata in whichthe decision problem for both model checking and satisfiability (and so monitoring) is EXPSPACE.

An important extension of MITL that deals with real-value signals instead of boolean signals is theSignal Temporal Logic (STL). STL [45] is very suitable to characterize behavioural patterns in time se-ries of real values generated during the simulation of a dynamical system. STL extends the dense-timesemantics of MITL, with a set of parameterized numerical predicates playing the role of atomic propo-sitions. STL provides two different semantics: a boolean semantics that returns yes/no depending if theobserved trace satisfies or not the STL specification and a quantitative semantics that also returns mea-sure of robustness of the specification. Recently, Donze et. al [25] proposed a very efficient monitoring

13


algorithm for STL robustness, now implemented in the Breach [22] tool. The combination of robustnessand sensitivity-based analysis of STL formulae have been successfully applied in several domains rang-ing from analog circuits [37] to systems biology [23, 24], to study the parameter space and also to refinethe uncertainty of the parameter sets. In the following we recall the syntax and the quantitative semanticsof STL [26] that will be used in the rest of the paper. The boolean semantics can be inferred using thesign of the quantitative result (positive for true and negative for false).

We adopt the same conventions as in [25]. We define B = ⊥,> as the set of the boolean values.We write R= R∪B for the totally ordered set of real numbers with the smallest element ⊥ and greatestelement >. A signal will be a function D→ E, with D an interval of R+ and E ⊂R. If E = B the signalsare boolean, whereas if E =R are real-valued signals. A execution trace w is a set of real-valued signalsxw

1 , · · · ,xwk defined over some interval D of R+, which is called time domain of w.

Definition 6 (STL syntax). The syntax of the STL is given by

ϕ :=>| xi ≥ 0 |¬ϕ |ϕ1∧ϕ2 |ϕ1 UI ϕ2,

where xi are the variables, > is a true formula, ⊥ = ¬>, conjunction and negation are the standardboolean connectives, I is a closed, dense-time non-singular interval in R+. The interval can be boundedsuch as I = [a,b] and unbounded such as I = [a,+∞) for 0≤ a < b.

The until operator ϕ1 UI ϕ2 requires ϕ1 to hold from now until, in a time between a and b time units,ϕ2 becomes true. The eventually operator ♦I and the always operator I can be defined as usual:♦Iϕ :=>UIϕ , Iϕ := ¬♦I¬ϕ.The set of rules (see [25]) to determine a time interval dom(ϕ,w) over which a formula ϕ are defined asit follows:

dom(>,w) = dom(xi ≥ 0,w) = Ddom(¬ϕ,w) = dom(ϕ,w)dom(ϕ1∧ϕ2,w) = dom(ϕ1,w)∩dom(ϕ2,w)dom(ϕ1 UI ϕ2) = t ∈ R|t, t + in f (I) ∈ dom(ϕ1,w) and t, t + in f (I) ∈ dom(ϕ2,w)

Definition 7 (STL Boolean Semantics [25]). Given a trace w, the satisfiability of a STL formula φ isset according the following rules:

w, t |=>w, t |= xi ≥ 0w, t |= ¬ϕw, t |= ϕ1∧ϕ2w, t |= ϕ1 UI ϕ2

⇔⇔⇔⇔

xwi (t)≥ 0

w, t 6|= ϕw, t |= ϕ1 and w, t |= ϕ2

∃t ′ ∈ t + I : w, t ′ |= ϕ2 and ∀t ′′ ∈ [t, t ′], w, t′′ |= ϕ1

Given a formula ϕ and an execution trace w the satisfaction signal χ(ϕ,w, .) is defined as follows [25]:

∀t ∈ dom(ϕ,w), χ(ϕ,w, t) :=> if w, t |= ϕ⊥ otherwise

In [45] the authors provide a monitoring procedure that is recursive on the structure of the formula, goingfrom the atomic predicates up to the top formula, by computing for each subformula ψ the satisfactionsignal χ(ψ,w, .).

14

6 Ezio Bartocci

1"0"$1"

$4"

4"

trigger"

<="400" >="200"

Figure 1: Example of mixed signal stabilisation property adapted from [46]

Example 8 (Stabilisation property (adapted from [46])). Figure 1 shows a signal that is stabilises aftera trigger event rises. We can specify a stabilisation property in STL as it follows:

(|x|< 4∧ (↑ trigger→ ♦[0,400][0,200](|x|< 1)))

meaning that the absolute value of a continuous signal x is always < 6 and whenever the trigger rises,within 400 time units |x| will drop below 1 and remains there for at least 200 time units.

Definition 9 (STL Quantitative Semantics [25]). Given a formula ϕ , trace w, and time t ∈ dom(ϕ,w),the quantitative semantics ρ(ϕ,w, t) as it follows:

ρ(>,w, t) = >ρ(xi ≥ 0,w, t) = xw

i (t)

ρ(¬ϕ,w, t) = −ρ(ϕ,w, t)ρ(ϕ1∧ϕ2,w, t) = min(ρ(ϕ1,w, t),ρ(ϕ2,w, t))

ρ(ϕ1 UIϕ2,w, t) = supt ′∈t+I

(min(ρ(ϕ2,w, t ′), inft ′′∈[t,t ′]

(ρ(ϕ1,w, t ′′))))

where ρ is the quantitative satisfaction function, returning a real number ρ(ϕ,w, t) quantifying the degreeof satisfaction of the property ϕ by the trace w at time t. Moreover, ρ(ϕ,w) := ρ(ϕ,w,0).

The quantitative semantics has the property [25] that whenever ρ(ϕ,w, t) 6= 0, the sign of robustnessindicates if the formula is satisfied or violated.

15


Theorem 10 (Soundness [25]). Given a STL formula ϕ , a trace w and a time t:

ρ(ϕ,w, t)> 0ρ(ϕ,w, t)< 0

⇒⇒

w, t |= ϕw, t 6|= ϕ

Figure 2: Example of the robustness estimate for the formula (x≤−10→ (♦[0,2]x≥ 10)).

Example 11 (Robustness estimate). Figure 2 shows a signal and the robustness estimate for the follow-ing STL formula:

(x≤−10→ (♦[0,2]x≥ 10))

meaning: it is always true that whenever the value is below -10 eventually for 2 time units will begreater than 10. In this case we can see that the robustness is increasing along the signal. Hence, at theend of the signal perturbations and noise will have less influence on the property satisfiability.

16

8 Ezio Bartocci

3 Monitoring Techniques

3.1 Monitoring LTL

We denote L (ϕ) = w∈ Σω |w |= ϕ as the language generated by an LTL-formula ϕ and correspondingto a set of models of a LTL-formula ϕ . The languages generated by two formulae ϕ and ψ are the sameL (ψ) = L (ϕ) iff ϕ ≡ ψ . A common technique to verify the correctness of a property is to generatea monitor from a LTL-formula. Such a monitor can be then executed in parallel with the applicationto be verified at runtime (online synchronous monitoring) or can be used after the program executionto check a finite set of recorded executions (offline monitoring). There are two main approaches togenerate synchronous monitors. The first method relies on the generation of automata-based monitors.In particular, there are several papers [29, 30, 65] describing how to build a reduced nondeterministicBuchi automaton [17] able to recognize infinite words of the language L (ϕ) of a LTL formula ϕ . ABuchi automaton can be then turned to a monitor [21, 31] in the form of a deterministic finite statemachine (DFSM). Generally, the process of converting a LTL formula into a monitor is expensive andthe size of the Buchi automata generated can be 2O(|ϕ|) [30]. However, once the monitor is generated, itsexecution can be very efficient. In particular, Rosu et. at. showed in [21] how to build particular DFSMscalled binary transition tree finite state machines (BTT-FSM) that perform a transition from a state toanother state of the monitor by evaluating an optimal number of atomic propositions. Figure 3 shows anexample of two automata-based monitors to check the property:

ϕ = (green→¬red U yellow)

This formula specifies the requirement that a traffic light when it is green should always not become redbefore being yellow.

GREEN% YELLOW% RED% GREEN% RED% RED%&%YELLOW%

CORRECT% ERROR%

LTL%FORMULA%

ϕ = green→ ¬red U yellow( )

DFSM%

0%

2%

1%

s1, s8, s6, s4 , s3, s2

s3

s5

s1, s2, s3, s4 , s5, s6, s7, s8 s3, s7

s1, s5

s2, s4 , s7, s8

TABLE%OF%SYMBOLS%s1 = !yellow∧!red ∧!greens2 = yellow∧!red ∧!greens3 = !yellow∧ red ∧!greens4 = yellow∧ red ∧!greens5 = !yellow∧!red ∧ greens6 = yellow∧!red ∧ greens7 = !yellow∧ red ∧ greens8 = yellow∧ red ∧ green

GREEN%

YELLOW%

RED%

RED%

YELLOW%

N%

Y%

FALSE%

FALSE%

N%

N%

Y%

Y%

1%

2%

N%

N%Y%

Y%

BTT7FSM%

GREEN% GREEN&%RED%

RED%&%YELLOW%

ERROR%

Figure 3: Automata-based monitors to check the property of a traffic light that always when it is green,then it is not red until it is yellow.

An alternative monitoring approach is based on formula rewriting [57, 11] or formula progression [6].

17


The monitor in this case is a rewriting engine, that rewrites the current formula into a new formulaexpressing what needs to be satisfied by the current observed events and what are the future obligationsto meet. The overhead required for monitoring with this approach is higher than by using a DFSM. Onthe other hand this method is more flexible, because does not require a process of translation from LTLformula to monitor and allows to change at runtime the formula to be monitored. In the following, weprovide some basic definitions for the LTL rewriting function and the monitoring result.

Definition 12 (LTL rewriting function[11]). Let SLT L be the set of all the possible LTL formulae andφ ,φ1,φ2 ∈ SLT L, σ ∈ Σ an event, the LTL rewriting function R : SLT L×Σ→ SLT L is inductively definedas follows:

R(>,σ) = >R(⊥,σ) = ⊥

R(¬φ ,σ) = ¬R(φ ,σ)R(Xφ ,σ) = φ

R(p ∈ AP,σ) = >, if p ∈ σ ,⊥ otherwiseR(φ1∨φ2,σ) = R(φ1,σ)∨R(φ2,σ)R(φ1Uφ2,σ) = R(φ2,σ)∨R(φ1,σ)∧φ1Uφ2

R(φ ,σ) = R(φ ,σ)∧φR(φ ,σ) = R(φ ,σ)∨φ

Definition 13 (Monitoring[11]). Let u ∈ Σ∗ denote a finite word. The evaluation of the satisfactionrelation, |=3: Σ∗×LT L→ B3, with B3 = >,⊥,? of a formula ϕ with respect to u is defined as:

u |=3 ϕ =

> if ∀σ ∈ Σw : uσ |= ϕ⊥ if ∀σ ∈ Σw : uσ 6|= ϕ? otherwise

While the aforementioned online monitoring techniques do not need to know in advance the lengthof the execution trace, offline monitoring consists instead in evaluating the satisfaction relation of a LTLformula over a finite execution trace. This can be defined recursively on the structure of the formula andon the length of the trace. Rosu and Havelund in [58] provide, based upon the previous observation,a technique to generate from a LTL formula an efficient dynamic programming algorithm that processthe execution trace backward propagating the values of satisfaction of the subformulas bottom-up. Forexample, Algorithm 1 shows the generated code for the property ϕ = (green→¬red U yellow). Itis easy to see [58] that the time complexity of this algorithm is Θ(n ·m) and the memory consumption is2 ·m bits, where n is the length of the trace and m is the size of the LTL formula.

3.2 Monitoring with uncertainty

Let ϕ be the formula (a⇒ c), that means always an event a is finally followed by an event c and letτ be the trace a b b c a d b c. In this example the formula ϕ clearly holds. Suppose now that the trace isincomplete, due to disabled monitoring: τ = a b b c − b c, with − indicating a set of events that couldnot be observed (or gap). Although it is not possible to be really sure that the property is satisfied, theproblem we are interested to solve is to quantify the uncertainty with which the trace τ satisfies ϕ .

3.2.1 “Filling in” the gaps

In order to quantify the uncertainty in monitoring, our approach is to use a statistical model of the moni-tored system to “fill in” sampling-induced gaps in event sequences, and then calculate the probability thatthe property of interest is satisfied or violated. In our previous works [62, 10, 38], we have chosen theDynamic Bayesian Networks (DBNs) [59], a suitable formalism to characterize the temporal probabilitymodel of the instrumented program emitting events. DBNs can have multiple state variables (modeling

18

10 Ezio Bartocci

Algorithm 1 - OFFLINE MONITORING ALGORITHM FOR ϕ = (green→¬red U yellow)

Input: trace t = e1e2 · · ·en

Output: true or false

1: next[7]← (yellow ∈ en); . yellow

2: next[6]← (red ∈ en); . red

3: next[5]← (¬next[6]); . ¬red

4: next[4]← next[7]; . ¬red U yellow

5: next[3]← (green ∈ en); . green

6: next[2]← (next[3] implies next[4]); . green→¬red U yellow

7: next[1]← next[2]; . (green→¬red U yellow)

8: for i = n−1 downto 1 do 9: now[7]← (yellow ∈ ei); . yellow

10: now[6]← (red ∈ ei); . red

11: now[5]← (¬now[6]); . ¬red

12: now[4]← (now[7]∨ (now[5]∧next[4])); . ¬red U yellow

13: now[3]← (green ∈ ei); . green

14: now[2]← (now[3] implies now[4]); . green→¬red U yellow

15: now[1]← (now[2]∧next[1]); . (green→¬red U yellow)

16: next← now;17: return next[1];

the states of a program that are usually hidden) and multiple observation variables (representing the out-put events). A DBN is essentially a first-order Markov Process where each variable at time t can dependonly by other variables at the same time t or at time t−1.

In [62, 10] we used Hidden Markov Models (HMM), that are essentially DBNs with only one statevariable and one observation variable. A HMM is a Markov model in which the system being modeledis assumed to be a Markov process with unobserved (hidden) states. In a regular Markov model, statesare directly visible to the observer, and therefore state transition probabilities are the only required pa-rameters. In a HMM, states cannot be observed; rather, each state has a probability distribution for thepossible observations (formally called observation symbols). The classic state estimation problem forHMMs is to compute the most likely sequence of states that generates a given observation sequence.

One can obtain a HMM for a system automatically, by learning it from complete traces using standardHMM learning algorithms(i.e. Baum–Welch) [56]. These algorithms require the user to specify thedesired number of states in the HMM and they allow (but do not require) the user to provide informationabout the structure of the HMM, specifically, that certain entries in the transition probability matrix andthe observation probability matrix are close to zero. This information can help the learning algorithmconverge more quickly and find globally (instead of locally) optimal solutions.

In contrast to our previous work [62, 10], in [38] we succinctly represent the program model, theprogram monitor, their interaction, and their observations as a generic DBN. This allowed us to properlyformalize a new kind of event, called peek events, which are inexpensive observations of part of theprogram state. In many applications, program states and monitor states are correlated, and hence peekevents can be used to narrow down the possible states of the monitor DFSM. We use peek events at theend of monitoring gaps to refocus the DBN and DFSM states. Our combination of these two kind ofobservations, program events and peek events, is akin to sensor fusion in robotics.

19


3.2.2 Runtime Verification with State Estimation (RVSE)

To quantify the uncertainty, one can estimate the current state of the program. We developed a frameworkfor this, called Runtime Verification with State Estimation (RVSE) [62], in which a HMM is used tosuccinctly model the program and the uncertainty in predictions due to incomplete information.

While monitoring is on, the observed program events drive the transitions of the property checker,modeled as a deterministic finite state machine (DFSM). They also provide information used to helpcorrect the state estimates (specifically, state probability distributions) computed from the HMM transi-tion probabilities, by comparing the output probabilities in each state with the observed outputs. Whenmonitoring is off, the transition probabilities in the HMM alone determine the updated state estimateafter the gap, and the output probabilities in the HMM drive the transitions of the DFSM. Each gap ischaracterized by a gap length distribution, which is a probability distribution for the number of missedobservations during that gap. Our algorithm was based on an optimal state estimation algorithm, knownas the forward algorithm, extended to handle gaps. Unfortunately, this algorithm incurs high overhead,especially for longer sequences of gaps, because it involves repeated matrix multiplications using theobservation-probability and transition-probability matrices. In our measurements, this was often morethan a factor of 10 larger than the overhead of monitoring the events themselves.

3.2.3 Approximate Precomputed Runtime Verification with State Estimation (AP-RVSE)

To reduce the runtime overhead, we developed a version of the algorithm, which we call the approximateprecomputed RVSE (AP-RVSE), which pre-computes the matrix calculations and stores the results in atable [10]. Essentially, AP-RVSE pre-computes a potentially infinite graph unfolding, where nodes arelabeled with state probability distributions, and edges are labeled with transitions. To ensure the table isfinite, we introduced an approximation in the calculations, controlled by an accuracy ε parameter: if anewly computed matrix differs from the matrix on an existing node by at most ε according to the 1-norm,then we re-use the existing node instead of creating a new one. With this algorithm, the runtime overheadis low, independent of the desired accuracy, but higher accuracy requires larger tables, and the memoryrequirements could become problematic. Also, if the set of gap length distributions that may appear inan execution is not known in advance, precomputation is infeasible.

3.2.4 Runtime Verification with Particle Filtering (RVPF)

In a recent paper [38] we have introduced an alternative approach, called Runtime Verification withParticle Filtering (RVPF), to control the balance between runtime overhead, memory consumption, andprediction accuracy. In one of the most common forms of particle filtering (PF) [33], the probabilitydistribution of states is approximated by the proportion of particles in each state. The particle filteringprocess works in three recurring steps. First, the particles are advanced to their successor states by sam-pling from the HMM’s transition probability distribution. Second, each particle is assigned a weightcorresponding to the output probability of the observed program event. Third, the particles are resam-pled according to the normalized weights from the second step; this has the effect of redistributing theparticles to the states to provide a better prediction of the program events. We exploit the knowledgeof the current program event and the particular structure of the DBN to improve the variance of the PF,by using sequential importance resampling (SIR). In this PF variation, resampling (which is a majorperformance bottleneck) does not have to be performed in each round, and the particles are advanced totheir successor states by sampling from the HMM’s transition probability distribution conditioned by thecurrent observation.

20

12 Ezio Bartocci

Adjusting the number of particles used by RVPF provides a versatile way to tune the memory re-quirements, runtime overhead, and prediction accuracy.With larger numbers of gaps, the particles getmore widely dispersed in the state space, and more particles are needed to cover all of the interestingstates. To evaluate the performance and accuracy of RVPF, we implemented it in [38] along with ourprevious two algorithms in C and compared them through experiments based on the benchmarks usedin [10]. Our results confirm RVPF’s versatility.

References

[1] L. de Alfaro, M. Faella & M. Stoelinga (2009): Linear and branching system metrics. IEEE Transactions onSoftware Engineering 35(2), pp. 258–273.

[2] R. Alur & D. L. Dill (1994): A Theory of Timed Automata. Theor. Comput. Sci. 126(2), pp. 183–235,doi:10.1016/0304-3975(94)90010-8.

[3] R. Alur, T. Feder & T. A. Henzinger (1996): The Benefits of Relaxing Punctuality. Journal of ACM 43(1),pp. 116–146, doi:10.1145/227595.227602.

[4] R. Alur & T. A. Henzinger (1993): Real-Time Logics: Complexity and Expressiveness. Inf. Comput. 104(1),pp. 35–77.

[5] R. Alur & T. A. Henzinger (1994): A Really Temporal Logic. J. ACM 41(1), pp. 181–203.

[6] F. Bacchus & F. Kabanza (1998): Planning for temporally extended goals. Annals of Mathematics andArtificial Intelligence 22(1–2), pp. 5–27, doi:10.1023/A:1018985923441.

[7] H. Barringer, Y. Falcone, B. Finkbeiner, K. Havelund, I. Lee, G.J. Pace, G. Rosu, O. Sokolsky & N. Tillmann(2010): Preface. In: Proc. of RV 2010, the First International Conference on Runtime Verification, St.Julians, Malta, November 1-4, 2010, Lecture Notes in Computer Science 6418, Springer, doi:10.1007/978-3-642-16612-9.

[8] H. Barringer, D. Rydeheard & K. Havelund (2010): Rule Systems for Run-Time monitoring: From Eagle toRuleR. Journal of Logic and Computation 20(3), pp. 675–706, doi:10.1093/logcom/exn076.

[9] E. Bartocci, L. Bortolussi & L. Nenzi (2013): A temporal logic approach to modular design of syntheticbiological circuits. In: Proc. of CMSB 2013, LNCS 8130, pp. 164–178, doi:10.1007/978-3-642-39176-7.

[10] E. Bartocci, R. Grosu, A. Karmarkar, S. A. Smolka, S. D. Stoller, E. Zadok & J. Seyster (2012): Adap-tive Runtime Verification. In: Proc. of RV 2012, the third International Conference on Runtime Verifica-tion, September, 2012 Istanbul, Turkey, Lecture Notes in Computer Science 7687, Springer, pp. 168–182,doi:10.1007/978-3-642-35632-2 18.

[11] A. Bauer & Y. Falcone (2012): Decentralised LTL monitoring. In: FM 2012: Formal Methods, 7436,Springer Berlin Heidelberg, pp. 85–100, doi:10.1007/978-3-642-32759-9 10.

[12] A. Bauer, M. Leucker & C. Schallhart (2006): Monitoring of real-time properties. In: Proc. of FSTTCS, the26th Conference on Foundations of Software Technology and Theoretical Computer Science, Lecture Notesin Computer Science 4337, Springer-Verlag, Berlin, Heidelberg, doi:10.1007/11813040 37.

[13] A. Bauer, M. Leucker & C. Schallhart (2010): Comparing LTL semantics for runtime verification. Journal ofLogic and Computation 20(3), pp. 651–674, doi:10.1093/logcom/exn075.

[14] A. Bauer, M. Leucker & C. Schallhart (2011): Runtime verification for LTL and TLTL. ACM Transactionson Software Engineering and Methodology 20(4), doi:10.1145/2000799.2000800.

[15] G. Behrmann, A. David, K. G. Larsen, J. Hakansson, P. Pettersson, W. Yi & M. Hendriks (2006): UPPAAL4.0. In: Proc. of QEST 2006, the Third International Conference on the Quantitative Evaluation of Systems,Riverside, California, USA, IEEE Computer Society, pp. 125–126, doi:10.1109/QEST.2006.59.

[16] B. Bonakdarpour, S. Navabpour & S. Fischmeister (2011): Sampling-Based Runtime Verification. In: Proc.FM 2011: Formal Methods, the 17th International Symposium on Formal Methods, Limerick, Ireland, June

21


20-24, 2011, Lecture Notes in Computer Science 6664, Springer, pp. 88–102, doi:10.1007/978-3-642-21437-0 9.

[17] J. R. Buchi (1990): On a decision method in restricted second order arithmetic. In: The Collected Works ofJ. Richard Buchi, Springer New York, pp. 425–435, doi:10.1007/978-1-4613-8928-6 23.

[18] S. Callanan, D. J. Dean, M. Gorbovitski, R. Grosu, J. Seyster, S. A. Smolka, S. D. Stoller & E. Zadok(2008): Software monitoring with bounded overhead. In: Proc. of IPDPS 2008, the 22nd IEEE InternationalSymposium on Parallel and Distributed Processing, Miami, Florida USA, April 14-18, 2008, IEEE, pp. 1–8,doi:10.1109/IPDPS.2008.4536433.

[19] F. Cassez (2012): The Complexity of Codiagnosability for Discrete Event and Timed Systems. IEEE Trans-actions on Automatic Control 57(7), pp. 1752–1764, doi:10.1109/TAC.2012.2183169.

[20] E. M. Clarke & E. Emerson (1982): Design and Synthesis of Synchronization Skeletons Using BranchingTime Temporal Logic. In Dexter Kozen, editor: Logics of Programs, Lecture Notes in Computer Science131, Springer Berlin / Heidelberg, pp. 52–71, doi:10.1007/BFb0025774.

[21] M. d’Amorim & G. Rosu (2005): Efficient Monitoring of ω-Languages. In: Proc. of CAV 2005, the 17th In-ternational Conference on Computer Aided Verification, Edinburgh, Scotland, UK, July 6-10, 2005, LectureNotes in Computer Science 3576, Springer, pp. 364–378, doi:10.1007/11513988 36.

[22] A. Donze (2010): Breach, A Toolbox for Verification and Parameter Synthesis of Hybrid Systems. In: Proc.of CAV 2010: the 22nd International Conference on Computer Aided Verification, Edinburgh, UK, LectureNotes in Computer Science 6174, Springer-Verlag, pp. 167–170, doi:10.1007/978-3-642-14295-6 17.

[23] A. Donze, G. Clermont & C.J. Langmead (2010): Parameter Synthesis in Nonlinear Dynamical Systems:Application to Systems Biology. Journal of Computational Biology 17(3), pp. 325–336, doi:10.1007/978-3-642-02008-7 11.

[24] A. Donze, E. Fanchon, L. M. Gattepaille, O. Maler & P. Tracqui (2011): Robustness analy-sis and behavior discrimination in enzymatic reaction networks. PLoS One 6(9), p. e24246,doi:10.1371/journal.pone.0024246.

[25] A. Donze, T. Ferrer & O. Maler (2013): Efficient Robust Monitoring for STL. In: Proc. of CAV 2013: the25th International Conference on Computer Aided Verification, Saint Petersburg, Russia, July 13-19, LectureNotes in Computer Science 8044, Springer-Verlag, pp. 264–279, doi:10.1007/978-3-642-39799-8 19.

[26] A. Donze & O. Maler (2010): Robust satisfaction of temporal logic over real-valued signals. In: Proc. ofFORMATS 2010: the 8th International Conference on Formal Modeling and Analysis of Timed Systems,Klosterneuburg, Austria, September 8–10, Lecture Notes in Computer Science 6246, Springer-Verlag, pp.92–106, doi:10.1007/978-3-642-15297-9 9.

[27] A. Donze, O. Maler, E. Bartocci, D. Nickovic, R. Grosu & S. A. Smolka (2012): On Temporal Logic andSignal Processing. In Supratik Chakraborty & Madhavan Mukund, editors: Proc. of ATVA 2012: 10thInternational Symposium on Automated Technology for Verification and Analysis, Thiruvananthapuram,India, October 3-6, Lecture Notes in Computer Science 7561, Springer-Verlag, pp. 92–106, doi:10.1007/978-3-642-33386-6 9.

[28] M. B. Dwyer, G. S. Avrunin & J. C. Corbett (1999): Patterns in property specifications for finite-state ver-ification. In: Proc. of ICSE ’99, the 21st international conference on Software engineering, Los Angeles,California, USA, ACM, pp. 411–420, doi:10.1145/302405.302672.

[29] K. Etessami & G. J. Holzmann (2000): Optimizing Buchi Automata. In: Proc. of CONCUR 2000 - Con-currency Theory, the 11th International Conference University Park, PA, USA, August 2225, 2000, LectureNotes in Computer Science 1877, Springer, pp. 153–168, doi:10.1007/3-540-44618-4 13.

[30] P Gastin & D. Oddoux (2003): LTL with Past and Two-Way Very-Weak Alternating Automata. In:Proc. of MFCS 2003, the 28th International Symposium in Mathematical Foundations of Computer Sci-ence,Bratislava, Slovakia, August 25-29, 2003, Lecture Notes in Computer Science 2747, Springer, pp. 439–448, doi:10.1007/978-3-540-45138-9 38.

22

14 Ezio Bartocci

[31] M. Geilen (2001): On the Construction of Monitors for Temporal Logic Properties. Electr. Notes Theor.Comput. Sci. 55(2), pp. 181–199, doi:10.1016/S1571-0661(04)00252-X.

[32] A. Genon, T. Massart & C. Meuter (2006): Monitoring Distributed Controllers: When an efficient LTLalgorithm on Sequences Is Needed to Model-Check Traces. In: Proc. of FM 2006: Formal Methods, the14th International Symposium on Formal Methods, Hamilton, Canada, August 21-27, 2006, Lecture Notesin Computer Science 4085, pp. 557–572, doi:10.1007/11813040 37.

[33] N.J. Gordon, D.J. Salmond & A.F.M. Smith (1993): Novel approach to nonlinear/non-Gaussian Bayesianstate estimation. In: IEEE Proceedings on Radar and Signal Processing, 140, IEEE, pp. 107–127.

[34] M. Gunzert & A. Naegele (1999): Component-based development and verification of safety criticalsoftware for a brake-by-wire system with synchronous software components. PDSE ’99, pp. 134–145,doi:10.1109/PDSE.1999.779745.

[35] K. Havelund & G. Rosu (2002): Runtime Verification, RV 2002: Preface. Electr. Notes Theor. Comput. Sci.70(4), pp. 201–202, doi:10.1016/S1571-0661(05)80585-7.

[36] X. Huang, J. Seyster, S. Callanan, K. Dixit, R. Grosu, S. A. Smolka, S. D. Stoller & E. Zadok (2012):Software Monitoring with Controllable Overhead. STTT 14, pp. 327–347.

[37] K. D. Jones, V. Konrad & D. Nickovic (2010): Analog Property Checkers: A DDR2 Case Study. Form.Methods Syst. Des. 36(2), pp. 114–130, doi:10.1007/s10703-009-0085-x. Available at http://dx.doi.org/10.1007/s10703-009-0085-x.

[38] K. Kalajdzic, E. Bartocci, S. A. Smolka, Scott Stoller & G. Grosu (2013): Runtime Verification with ParticleFiltering. In: Proc. of RV 2013, the fourth International Conference on Runtime Verification, INRIA Rennes,France, 24-27 September, 2013, Lecture Notes in Computer Science 8174, Springer, pp. 149–166.

[39] M. Komorowski, M. J. Costa, D. A. Rand & M. PH Stumpf (2011): Sensitivity, robustness, and identifiabilityin stochastic chemical kinetics models. PNAS USA 108(21), pp. 8645–8650, doi:10.1073/pnas.1015814108.

[40] H. Kopetz, M. Holzmann & W. Elmenreich (2001): A universal smart transducer interface: TTP/A. Comput.Syst. Sci. Eng. 16(2), pp. 71–77, doi:10.1109/ISORC.2000.839507.

[41] R. Koymans (1990): Specifying Real-time Properties with Metric Temporal Logic. Real-Time Syst. 2, pp.255–299, doi:10.1007/BF01995674.

[42] L. Lamport (1978): Time, Clocks and the Ordering of Events in a Distributed System. Communications ofthe ACM 21(7), pp. 558–565, doi:10.1145/359545.359563.

[43] O. Lichtenstein, A. Pnueli & L. Zuck (1985): The glory of the past. Lecture Notes in Computer Science 193,pp. 196–218, doi:10.1007/3-540-15648-8 16.

[44] M. Lukasiewycz, M. Glaß, J. Teich & P. Milbredt (2009): FlexRay schedule optimization of the static seg-ment. In: Proc. of the CODES+ISSS ’09, the 7th IEEE/ACM international conference on Hardware/softwarecodesign and system synthesis, Grenoble, France, ACM, pp. 363–372, doi:10.1145/1629435.1629485.

[45] O. Maler & D. Nickovic (2004): Monitoring Temporal Properties of Continuous Signals. In: Proc. ofFORMATS-FTRTFT 2004: the Joint International Conferences on Formal Modeling and Analysis of TimedSystmes and Formal Techniques in Real-Time and Fault -Tolerant Systems, Grenoble, France, September22-24, Lecture Notes in Computer Science 3253, Springer-Verlag, pp. 152–166, doi:10.1007/978-3-540-30206-3 12.

[46] O. Maler & D. Nickovic (2013): Monitoring properties of analog and mixed-signal circuits. STTT 15(3),pp. 247–268, doi:10.1007/s10009-012-0247-9.

[47] O. Maler, D. Nickovic & A. Pnueli (2008): Pillars of Computer Science. chapter Checking Temporal Proper-ties of Discrete, Timed and Continuous Behaviors, Springer-Verlag, Berlin, Heidelberg, pp. 475–505. Avail-able at http://dl.acm.org/citation.cfm?id=1805839.1805865.

[48] N. Markey (2003): Temporal logic with past is exponentially more succinct. EATCS Bulletin 79, pp. 122–128.

23


[49] S.P. Miller, M.W. Whalen & D.D. Cofer (2010): Software model checking takes off. Communications of theACM 53(2), pp. 58–64, doi:10.1145/1646353.1646372.

[50] J. Ouaknine & J. Worrell (2006): Safety Metric Temporal Logic Is Fully Decidable. In: Proc. of TACAS 2006:the 2th International Conference on Tools and Algorithms for the Construction and Analysis of Systems,Vienna, Austria, March 25 - April 2, Lecture Notes in Computer Science 3920, Springer, pp. 411–425.

[51] J. Ouaknine & J. Worrell (2007): On the decidability and complexity of Metric Temporal Logic over fi-nite words. Logical Methods in Computer Science 3(1). Available at http://dx.doi.org/10.2168/LMCS-3(1:8)2007.

[52] J. Ouaknine & J. Worrell (2008): Some Recent Results in Metric Temporal Logic. In: Proceedings of the 6thInternational Conference on Formal Modeling and Analysis of Timed Systems, FORMATS ’08, Springer-Verlag, Berlin, Heidelberg, pp. 1–13, doi:10.1007/978-3-540-85778-5 1.

[53] A. Pnueli (1977): The temporal logic of programs. Proc. 18th IEEE Symposium on Foundations of ComputerScience, pp. 46–57, doi:10.1109/SFCS.1977.32.

[54] T. Pop, P. Pop, P. Eles, Z. Peng & A. Andrei (2008): Timing analysis of the FlexRay communication protocol.Real-Time Systems 39(1–3), pp. 205–235, doi:10.1109/ECRTS.2006.31.

[55] J.P. Queille & J. Sifakis (1982): Specification and verification of concurrent systems in CESAR. In:Proc. of the 5th Colloquium on International Symposium on Programming, Springer-Verlag, pp. 337–351,doi:10.1007/3-540-11494-7 22.

[56] L.R. Rabiner (1989): A Tutorial on Hidden Markov Models and Selected Applications in Speech Recognition.Proceedings of the IEEE 77(2), pp. 257–286, doi:10.1109/5.18626.

[57] G. Rosu & K. Havelund (2005): Rewriting-Based Techniques for Runtime Verification. Automated SoftwareEngineering 12(2), pp. 151–197, doi:10.1007/s10515-005-6205-y.

[58] G. Rosu & K. Havelund (2005): Rewriting-Based Techniques for Runtime Verification. Autom. Softw. Eng.12(2), pp. 151–197. Available at http://dx.doi.org/10.1007/s10515-005-6205-y.

[59] S. Russell & P. Norvig (2010): Artificial Intelligence: A Modern Approach, 3rd edition. Prentice-Hall.[60] K. Sen, A. Vardhan, G. Agha & G. Rosu (2006): Decentralized runtime analysis of multithreaded applica-

tions. doi:10.1109/IPDPS.2006.1639591.[61] K. Sen, A. Vardhan, G. Agha & G. Rou (2004): Efficient decentralized monitoring of safety in distributed

systems. 26, pp. 418–427, doi:10.1109/ICSE.2004.1317464.[62] S. D. Stoller, E. Bartocci, J. Seyster, R. Grosu, K. Havelund, S. A. Smolka & E. Zadok (2011): Runtime

Verification with State Estimation. In: Proc. of RV 2011, the Second international conference on Runtimeverification, San Francisco, CA, USA, Lecture Notes in Computer Science 7186, Springer-Verlag, pp. 193–207, doi:10.1007/978-3-642-29860-8 15.

[63] S. Tripakis (2005): Decentralized observation problems. pp. 6–11, doi:10.1109/CDC.2005.1582122.[64] Y. Wang, T.-S. Yoo & S. Lafortune (2007): Diagnosis of Discrete Event Systems Using Decentral-

ized Architectures. Discrete Event Dynamic Systems: Theory and Applications 17(2), pp. 233–263,doi:10.1007/s10626-006-0006-8.

[65] P. Wolper (2001): Constructing Automata from Temporal Logic Formulas: A Tutorial. In: Lectures onformal methods and performance analysis, Lecture Notes in Computer Science 2090, Springer-Verlag NewYork, Inc., pp. 261–277, doi:10.1007/3-540-44667-2 7.

24

An introduction to timed automata

Patricia BouyerLSV, CNRS & ENS Cachan, France

[email protected]

Abstract

In this tutorial we will present basics of timed automata. After having defined the model, we willdiscuss the decidability of checking reachability properties in such systems, and then discuss morelanguage-theoretic properties (among which the undecidability of the inclusion problem). We willalso discuss implementation issues.

1 Introduction

The growing importance of computerized systems and their verification. In thirty years computer-ized systems have widely spread in our society, from ubiquitous electronic appliances (communicationdevices, automotive equipment, etc), to internet transactions (e-banking, e-business, etc), to new tech-nologies (like wireless communications), and to critical systems (medical devices, industrial plants, etc).Due to their rapid development, such systems have become more and more complex, and unfortunatelythis development has come with many bugs, from arithmetic overflow (which caused the crash of theAriane 5 rocket in 1996) to race conditions (which caused the lethal dysfunction of the Therac-25 ra-diotherapy machine in the late 80’s) or infinite loops (for instance the leap-year bug turning all ZuneMP3 devices off on 31 December 2008). Many of those bugs could have been avoided if implementedsoftwares had been formally verified prior to their use. The need for formal methods for verifying andcertifying computer-driven systems is therefore blatant.

The model-checking approach to verification. As part of the effort that has been made for the devel-opment of reliable computerized systems, several verification approaches have been developed, amongwhich the so-called model-checking technique. Model-checking is a model-based approach to verifica-tion, which goes back to the late 70’s [44, 24, 47]. It has been successfully applied to numerous industrialcases, see the webpages of tools like SPIN [51], PRISM [45] or UPPAAL [54]. This approach to verifica-tion has been distinguished by two Turing awards: Amir Pnueli received the award in 1996 for “seminalwork introducing temporal logic into computing science and for outstanding contributions to programand system verification”,1 and Edmund M. Clarke, E. Allen Emerson and Joseph Sifakis jointly receivedthe award in 2007 for making model-checking “a highly effective verification technology”.2

Given a system S and a property P, the model-checking approach consists in constructing a mathe-matical model MS for the system and a mathematical model ϕP for the property, for which we will beable to automatically check that MS satisfies ϕP. If the models MS and ϕP are accurate enough withrespect to S and P respectively, we will deduce with confidence that the system S satisfies the property

1http://awards.acm.org/citation.cfm?id=4725172&srt=year&year=1996&aw=140&ao=AMTURING&yr=19962http://www.acm.org/press-room/news-releases/turing-award-07/

25

2 P. Bouyer

P. This approach requires the development of expressive modelling formalisms (to increase faithfulnessof models) and efficient algorithms.

There are several books on model-checking: [23, 50, 1, 10].

Expressive classes of models. One characteristic of modern computerized systems is that they have tomeet numerous quantitative constraints, like resource constraints (power consumption, memory usage,costs, bandwidth, etc), timing constraints (response time, propagation delays, etc), and constraints onthe environment in which they operate (signal sensors, interactions with a (possibly continuous) envi-ronment, etc). Another important characteristic of embedded systems is that they have to be powerful,performant, and reliable. Those characteristics make formal verification challenging, and require specificand complex developments.

Basic models for verification are finite-state systems. Those might not be expressive enough. Theselast twenty years a huge effort has been made to design expressive models for representing computerizedsystems. As part of this effort the model of timed automata has been proposed in the early nineties [5]by Alur and Dill, as a suitable model for representing systems with real-time constraints.3 Numerousworks have focused on that model, and it has received an important tool support, with for instance thedevelopment of tools like UPPAAL [54], KRONOS [39], RED [48] or IF [38]. The success of timed-automata-based technology is witnessed not only by numerous success stories but also by the awardgiven in 20084 by the computer-aided verification community to Alur and Dill for their “fundamentalcontributions to the theory of real-time systems verification”.

Given the success of the timed-automata-based technology for verifying real-time systems tremen-dously many extensions have been proposed, with the aim of representing the systems more faithfully.They include timed games, which can model control problems, priced timed automata, which can e.g.model energy consumption, stochastic extensions of timed automata, which can model randomized as-pects of systems and uncertainties.

Content of the tutorial. In this tutorial we will present the basics of timed automata [4, 5]. We willdiscuss in particular the decidability of the reachability problem and present the region abstraction. Thisconstruction, due to Alur and Dill, is probably the most fundamental and important development whichhas made the success of the timed-automaton model. We will also present symbolic algorithms that canbe used to verify timed automata.

We will discuss timed regular languages, that is classes of languages accepted by timed automata,and show that unfortunately the class of timed regular languages is not closed under complement, andeven that the inclusion problem is undecidable.

These notes are excerpted from my Master lecture notes which can be downloaded at the followingaddress:

http://www.lsv.ens-cachan.fr/~bouyer/lecture-notes/

3Time naturally appears in real systems (autonomous systems, GPS, communication protocols, processors, schedulers, etc)and in properties (e.g. bounded-response time).

4http://www.princeton.edu/cav2008/cav_award_announce.html

26

Timed automata 3

2 The timed automaton model

2.1 Preliminary notations

If Z is a set, let Z∗ be the set of finite sequences of elements in Z. We consider as time domain T the setQ+ of non-negative rationals or the set R+ of non-negative reals and Σ as a finite set of actions. A timesequence over T is a finite non-decreasing sequence τ = (ti)1≤i≤p ∈ T∗. A timed word w = (ai, ti)1≤i≤p

is an element of (Σ×T)∗, also written as a pair w = (σ ,τ), where σ = (ai)1≤i≤p is a word in Σ∗ andτ = (ti)1≤i≤p a time sequence in T∗ of same length. In the following, we denote by Untime(w) the finiteword σ over the alphabet Σ.

2.1.1 Clock valuations, operations on clocks.

We consider a finite set X of variables, called clocks. A (clock) valuation over X is a mapping v : X → Twhich assigns to each clock a time value. The set of all clock valuations over X is denoted TX , and 0X

denotes the valuation assigning 0 to every clock x ∈ X .Let v ∈ TX be a valuation and t ∈ T, the valuation v + t is defined by (v + t)(x) = v(x) + t for

every x ∈ X . For a subset Y of X , we denote by [Y ← 0]v the valuation such that for every x ∈ Y ,([Y ← 0]v)(x) = 0 and for every x ∈ X \Y , ([Y ← 0]v)(x) = v(x).

2.1.2 Clock constraints.

Given a finite set of clocks X , we introduce two sets of clock constraints over X . The most general one,denoted C (X), is defined by the grammar:

g ::= x ./ c | x− y ./ c | g∧g | true

where x,y ∈ X , c ∈ Z and ./ ∈ <,≤,=,≥,>.

Remark 1. We could allow rational constants in clock constraints (i.e., have c ∈ Q in the above gram-mar), everything that follows would still hold, but developments would then be a bit more technical.

A clock constraint of the form x− y ./ c is said diagonal. Next we also use the proper subset ofdiagonal-free clock constraints where the diagonal constraints are not allowed.

If v ∈ TX is a clock valuation, we write v |= g when v satisfies the clock constraint g, and we say thatv satisfies x ./ c (resp. x−y ./ c) whenever v(x) ./ c (resp. v(x)−v(y) ./ c). If g is a clock constraint, wewrite JgKX the set of clock valuations v ∈ TX | v |= g.

2.2 The model of timed automata

A timed automaton over T is a tuple A = (L,L0,LF ,X ,Σ,T ), where L is a finite set of locations, L0 ⊆ Lis the set of initial locations, LF ⊆ L is the set of final locations, X is a finite set of clocks, Σ is a finitealphabet of actions, and T ⊆ L×C (X)× Σ× 2X × L is a finite set of transitions.5 If all constraintsappearing in A are diagonal-free (i.e. are in Cdf(X)), we say that A is a diagonal-free timed automaton.

For modelling purpose some definitions assume invariants in the model. Invariants are clock con-straints assigned to locations which have to be satisfied while the system is in the location: they re-strict time elapsing and may enforce the system be live. A timed automaton with invariants is a tuple

5For more readability, a transition will often be written as `g,a,Y−−−→ `′ or even as `

g,a,Y :=0−−−−−→ `′ instead of simply the tuple(`,g,a,Y, `′).

27

4 P. Bouyer

A = (L,L0,LF ,X ,Σ,T, Inv) where (L,L0,LF ,X ,Σ,T ) is a timed automaton in the previous sense, andInv : L→ Cdf(X), the invariant, assigns a clock constraint to every location. A timed automaton as de-fined initially is a special case of a timed automaton with invariants where the invariant assigns trueto every location. In the sequel when we speak of timed automata we will equivalently mean timedautomata with or without invariants.

Several semantics can be given to timed automata. We first give an operational semantics to timedautomata, and then give a language-based semantics.

2.2.1 Semantics as a timed transition system.

We first give an operational semantics as a timed transition system. Let A = (L,L0,LF ,X ,Σ,T, Inv) be atimed automaton. Its operational semantics is given as the timed transition system TA = (S,S0,SF ,→)over alphabet Σ, where the set of states is S = (`,v) ∈ L×TX | v |= Inv(`), the set of initial states isS0 = (`0,0X) ∈ S | `0 ∈ L0, the set of final states is SF = S∩ (LF ×TX),6 and→⊆ S× (T∪Σ)×S isthe set of moves defined as follows:

• delay moves: if (`,v) ∈ S and d ∈ T, there is a move (`,v) d−→ (`,v+ d) whenever for every 0 ≤d′ ≤ d, (`,v+d′) ∈ S (i.e. v+d′ |= Inv(`));

• action moves: if (`g,a,Y−−−→ `′) ∈ T and (`,v) ∈ S, there is a move (`,v) a−→ (`′, [Y ← 0]v) whenever

v |= g and ([Y ← 0]v) |= Inv(`′). In that case we say that the action move is associated with the

transition `g,a,Y−−−→ `′.

Next it will be more convenient to consider mixed moves, and hence to consider the timed transitionsystem T m

A = (S,S0,→) where S and S0 are defined as in TA , and →⊆ S× (T×Σ)× S. In that case

a move is composed of a delay move directly followed by an action move: (`,v)d,a−→ (`′,v′) is a mixed

move if (`,v) d−→ (`,v+d) is a delay move and (`,v+d) a−→ (`′,v′) is an action move.

2.2.2 Semantics as a timed language.

We now give a language-based semantics to a timed automaton. Let A = (L,L0,LF ,X ,Σ,T, Inv) be atimed automaton. A path in A is a finite sequence of consecutive transitions:

P = `0g1,a1,Y1−−−−→ `1

g2,a2,Y2−−−−→ . . . `p−1gp,ap,Yp−−−−→ `p

where ì−1gi,ai,Yi−−−→ ì ∈ T for every 1 ≤ i ≤ p. The path is said to be accepting if it starts in an initial

location (`0 ∈ L0) and ends in a final location (`p ∈ LF ). A run of the automaton along the path P is asequence of the form:

ρ = (`0,v0)d1,a1−−−→ (`1,v1)

d2,a2−−−→ . . . (`p−1,vp−1)dp,ap−−−→ (`p,vp)

where v0 |= Inv(`0), and for each 1≤ i≤ p, (ì−1,vi−1)di,ai−−→ (ì,vi) is a mixed move of the timed transi-

tion system T mA (see Section 2.2.1) associated with the transition ì−1

gi,ai,Yi−−−→ ì. The run is accepting ifthe underlying path is accepting and if v0 = 0X .

6Note that SF is optional, but it will be useful to have it later.

28

Timed automata 5

The label of the run ρ is the timed word w = (a1, t1) . . .(ap, tp) where for each 1≤ i≤ p, ti =i∑

j=1d j

is the absolute time at which the i-th action ai occurs (we also say that run ρ reads the timed word w).If the run ρ is accepting then the timed word w is said to be accepted by A . The set of all timed wordsaccepted by A is denoted L(A ) and is the timed language accepted (or equivalently recognized) by A .

Remark 2. In these notes, we mostly consider finite paths, finite runs and finite timed words, but asfor classical finite automata, one could consider infinite timed words and ω-regular accepting conditions(Buchi, Muller, etc...), see [5].

2.3 An example of a timed automaton

We consider the (diagonal-free) timed automaton in Figure 1 with two clocks x and y and over the alpha-bet problem,delayed,repair,done. It has four locations (‘safe’, ‘alarm’, ‘failsafe’, ‘repairing’),and location ‘safe’ is both initial and final. Transitions are depicted in a standard way as labelled edgesbetween locations. The transition between ‘alarm’ and ‘repairing’ has constraint x < 15, action labelrepair and resets clock y. A state of this automaton is a location, and a valuation for the two clocks x

safe alarm

(x≤16)

repairing

failsafe

problem, xx<15, re

pair

, y

delayed, y

15≤x≤16

2≤y∧x≤56

repair, y

22≤y≤25, done, /0

Fig. 1: An example of a timed automaton

and y. The following is a sequence of delay and action moves in the timed transition system of the abovetimed automaton (we write a state vertically, with the name of the location on top, then the value of clockx and the value of clock y at the bottom):

safe23−→ safe

problem−−−−−→ alarm15.6−−→ alarm

delayed−−−−−→ failsafe2.3−→ failsafe

repair−−−−→ repairing22.1−−→ repairing

done−−−→ safe

x 0 23 0 15.6 15.6 17.9 17.9 40 40

y 0 23 23 38.6 0 2.3 0 22.1 22.1

It corresponds to the following accepting run of the timed automaton (with the same convention for therepresentation of states):

safe23,problem−−−−−−→ alarm

15.6,delayed−−−−−−−→ failsafe2.3,repair−−−−−−→ repairing

22.1,done−−−−−→ safe

x 0 0 15.6 17.9 40

y 0 23 0 0 22.1

29

6 P. Bouyer

This run reads (and accepts) the timed word

(problem,23)(delayed,38.6)(repair,40.9),(done,63)

3 The emptiness problem, why and how?

For verification purposes, the most fundamental properties that one should be able to verify on a modelare reachability properties: basic safety properties (like ‘avoid some bad states of the system’) can beexpressed as (non-)reachability properties. Usually a class of models is said decidable whenever check-ing reachability properties in this class is decidable. Otherwise this class is said undecidable. For timedautomata we will focus on (location) reachability properties of the form: “Is the set of final locations of atimed automaton A reachable from an initial state?” I.e., “is there a run starting in an initial state leadingto some final location `?” There is no requirement as for the values of the clocks when reaching location` (note however that any clock constraint could be added as a requirement). This problem is equivalent tothe so-called emptiness problem (from a language-theoretical perspective), where the question is whetherthe language accepted by a timed automaton is empty or not.

Several classes of systems are known to be decidable, and the simplest such class of systems is thatof finite automata, whose emptiness problem is known to be NLOGSPACE-complete [37]. The case oftimed automata is much harder as there are potentially infinitely many states (recall that a state is a pair(`,v) where ` is a location and v is a valuation). Techniques used for finite automata can thus not beapplied to timed automata, and specific symbolic techniques and abstractions have to be developed.

In the next section we present the basic technics for solving the decidability of the emptiness problemin timed automata. The idea will be to build a finite abstraction of the timed automaton (actually a finiteautomaton), which preserves time-abstract properties (and in particular reachability properties).

4 The region abstraction: a key for decidability

The region automaton construction is due to Rajeev Alur and David Dill [4, 5]. It is an abstraction ofa timed automaton into a finite automaton which preserves many interesting properties of the system.In this section we present a more abstract version of this construction, which has been introduced ina wider context in [19]. This approach decouples the main arguments from the technicalities. As wefocus on reachability properties we assume w.l.o.g. that timed automata have no invariants (they can betransferred to constraints on incoming and outgoing transitions while preserving reachability properties).

4.1 A tool: time-abstract bisimulation

Viewing the semantics of timed automata as timed transition systems allows to define behavioural equiv-alence relations (or pre-orders).

Standard bisimulation on finite transition systems. We first recall the notion of bisimulation. LetT = (S,S0,SF ,→) and T ′ = (S′,S′0,S

′F ,→′) be two finite transition systems (corresponding eg to finite

automata) over the same alphabet Σ (meaning that→⊆ S×Σ×S and→′ ⊆ S′×Σ×S′). Let R⊆ S×S′

be a relation. It is a bisimulation relation whenever the following condition holds:

• if s1a−→ s2 and (s1,s′1) ∈R, then there exists s′2 ∈ S′ such that s′1

a−→′ s′2 and (s2,s′2) ∈R;

30

Timed automata 7

• if s′1a−→′ s′2 and (s1,s′1) ∈R, then there exists s2 ∈ S such that s1

a−→ s2 and (s2,s′2) ∈R.

Such a relation respects the final states whenever (s,s′) ∈R implies (s ∈ SF iff s′ ∈ S′F ).We say that the two transition systems T and T ′ are bisimilar whenever there exists a bisimulation

relation R such that for every s0 ∈ S0 there exists s′0 ∈ S′0 with (s0,s′0) ∈R, and vice-versa.

Lemma 3. If R is a bisimulation relation which respects the final states, such that for every s0 ∈ S0,there exists s′0 ∈ S′0 with (s0,s′0) ∈R and vice-versa, then L(T ) = L(T ′).

Strong timed bisimulation. We extend the previous notion in an obvious way to timed transitionsystems. We choose to define it with mixed moves. Let T = (S,S0,SF ,→) and T ′ = (S′,S′0,S

′F ,→′)

be two timed transition systems with mixed moves over the same alphabet Σ. A relation R⊆ S×S′ is astrong timed bisimulation whenever the following properties hold:

• if (s1,s′1) ∈R and s1d,a−→ s2 for some d ∈ T and some a ∈ Σ, then s′1

d,a−→′s′2 and (s2,s′2) ∈R;

• vice-versa (swap mixed moves in T and in T ′).

This equivalence is really strong and will seldom be used.

Time-abstract bisimulation. Let T = (S,S0,SF ,→) and T ′ = (S′,S′0,S′F ,→′) be two timed transition

systems with mixed moves over the same alphabet Σ. A relation R⊆ S×S′ is a time-abstract bisimulationwhenever the following properties hold:

• if (s1,s′1) ∈R and s1d1,a−−→ s2 for some d ∈ T and some a ∈ Σ, then there exists d′ ∈ T such that

s′1d′,a−−→

′s′2 and (s2,s′2) ∈R;

• vice-versa (swap mixed moves in T and in T ′).

This relation is called time-abstract because it existentially quantifies over possible delays.Unlike bisimulation, time-abstract bisimulation does not preserve languages, but it does preserve

emptiness of languages.

Lemma 4. If R is a time-abstract bisimulation relation which respects final states, such that for everys0 ∈ S0, there exists s′0 ∈ S′0 with (s0,s′0) ∈R and vice-versa, then L(T ) = /0 iff L(T ′) = /0.

4.2 The region automaton construction

The aim of this construction is to finitely abstract behaviours of timed automata, so that checking a reach-ability property in a timed automaton reduces to checking a reachability property in a finite automaton.The construction relies on the definition of an equivalence relation over the set of valuations, which hasfinite index, and is called the region equivalence.

4.2.1 The region equivalence.

We fix a finite set of clocks X , and we let C be a finite set of constraints over X . Let R be a partition ofthe set of (clock) valuations TX . We define three compatibility conditions as follows:

À R is compatible with the set of constraints C if for every constraint g in C , for every R in R,either R⊆ JgKX or JgKX ∩R = /0;

Á R is compatible with the elapsing of time if for all R and R′ in R, if there exists some v ∈ R andt ∈ T such that v+ t ∈ R′, then for every v′ ∈ R, there exists some t ′ ∈ T such that v′+ t ′ ∈ R′;

31

8 P. Bouyer

Â R is compatible with the resets whenever for all R and R′ in R, for every subset Y ⊆ X , if([Y ← 0]R)∩R′ 6= /0, then ([Y ← 0]R)⊆ R′.7

If R is finite and satisfies these three conditions, we say that R is a set of regions for the set of clocks Xand the set of constraints C or simply a set of regions (if X and C are clear in the context). An elementR ∈ R is then called a region. The set R defines in a natural way an equivalence relation ≡R overvaluations:

v≡R v′ iff (for each region R of R, v ∈ R⇔ v′ ∈ R)

If v is a valuation we note [v]R the (unique) region to which v belongs.

The intuition behind these conditions is the following: we want to finitely abstract behaviours oftimed automata. To that aim, we finitely abstract the (infinite) set of valuations (or equivalently thestate space of the system): a valuation v will be abstracted into the region [v]R (and a state (`,v) will beabstracted into the pair (`, [v]R)). In order for the abstraction to preserve (at least) reachability properties,it must be the case that if two states are equivalent, then future behaviours from those states should bemore or less the same. The three conditions above express this property: condition À says that twoequivalent valuations satisfy the same clock constraints, condition Á says that time elapsing does notdistinguish between two equivalent valuations, whereas condition Â says that resetting clocks does notdistinguish between two equivalent valuations. Note that condition Á is a time-abstract property: theprecise values of delays needs not be the same from two equivalent valuations. This ‘abstraction of time’is the main reason which will make the region equivalence finite index for timed automata.

Example 5. Let us consider the partition of Rx,y+ made of five pieces

R = R0,R1,R2,R3,R4

which are defined by the following constraints:

R0Çx≥ 0y = 0

åR1Ö

0≤ x < 10≤ y≤ 1

x < y

è R2Öx≥ 0

0 < y≤ 1x≥ y

è R3Öx > 1y > 1x≥ y

è R4Öx≥ 0y > 1x < y

è

This partition is represented below:

0 1

1R1

R3

R2

R4

R0

y

x

x = y

y = 1

It is easy to verify that R is a set of regions for the set of clocks x,y and for the set of constraintsy≤ 1,y > 1,x≥ y,x < y. y

7[Y ← 0]R is the set of valuations [Y ← 0]v | v ∈ R.

32

Timed automata 9

The main property of the region equivalence is the following:

Proposition 6. Let A = (L,L0,LF ,X ,Σ,T ) be a timed automaton with set of constraints C . Assume thatR is a set of regions for X and C . Then the equivalence relation ∼=R defined on configurations of A by:

(`,v)∼=R (`′,v′) iff `= `′ and v≡R v′

is a time-abstract bisimulation, which is called the region equivalence.

This property of the region equivalence will be used to construct a finite automaton, which willsomehow be the quotient of the original timed automaton with the region equivalence. We start byconstructing the region graph, which represents the (abstract) evolution of time and clock valuations.Then we construct the region automaton, which is a finite automaton, representing (in an abstract way)the behaviours of the timed automaton.

4.2.2 The region graph.

From a set of regions R as characterized in the previous paragraph, one can define the so-called regiongraph, which represents the possible time evolutions of the system: the region graph is a finite automatonwhose set of states is R and whose transitions are:

R ε−→ R′ if R′ is a time successor of R, 8

R Y−→ R′ if [Y ← 0]R⊆ R′.

Intuitively, the region graph records possible evolutions of time in the system: there is a transition R ε−→ R′

if, from some (or equivalently every, by condition Á) valuation of region R, it is possible to let some timeelapse and reach region R′. There is a transition R Y−→ R′ if, from region R, the region R′ can be reachedby resetting clocks in Y . Note that this graph is closed by reflexivity and transitivity for ε-transitions,i.e., R ε−→ R, and if R ε−→ R′ and R′ ε−→ R′′, then R ε−→ R′′.

Example 7. The region graph associated with the set of regions R mentioned in Example 5 is representedon Figure 2. Plain edges are ε−→ transitions of the region graph, whereas dashed (resp. dotted) edges arex−−→ (resp.

y−−→) transitions. We have omitted transitionsx,y−−−→ (that reset both clocks) for readability

reasons: there should be such a transition from any state to region R0. y

4.2.3 The region automaton.

Let A = (L,L0,LF ,X ,Σ,T ) be a timed automaton, and assume that the set of constraints occurring inA is C . Let R be a finite set of regions for X and C (i.e., a partition of TX satisfying conditions À, Á

and Â). The region automaton ΓR(A ) is the finite automaton (Q,Q0,QF ,Σ,T ′) where Q = L×R is theset of states, Q0 = L0×[0X ]R is the set of initial states, QF = LF ×R is the set of final states, Σ isthe same alphabet as that of A , and T ′ is the set of transitions defined as follows: there is a transition(`,R) a−→ (`′,R′) in T ′ whenever there exists some region R′′ ∈ R and some transition `

g,a,Y−−−→ `′ in Asuch that

R ε−→ R′′ is a transition in the region graph,R′′ ⊆ JgKX ,R′′ Y−→ R′ is a transition in the region graph.

7R′ is a time successor of R whenever there is some v ∈ R and some t ∈ T such that v+ t ∈ R′. Note that, due to thecompatibility condition Á, if R′ is a time successor of R, then for every v ∈ R, there is some t ∈ T such that v+ t ∈ R′.

33

10 P. Bouyer

R0

x≥0y=0

R1

0≤x<10≤y≤1

x<y

R2

x≥00<y≤1

x≥y

R3

x>1y>1x≥y

R4

x≥0y>1x<y

time elapsingreset of clock xreset of clock y

Fig. 2: A simple example of a region graph

A transition of the region automaton abstracts a delay followed by an action in the original timed au-tomaton. More precisely, whenever in A we can delay some time and make an a, then in ΓR(A ), wecan make some a, and vice-versa. The region automaton construction safely captures the behaviours ofthe timed automaton:

Proposition 8. Let A be a timed automaton with set of clocks X and set of constraints C . We assumewe can construct a set of regions R for X and C . Then,

Untime(L(A )) = L(ΓR(A ))

where L(ΓR(A )) is the (untimed) language accepted by the finite automaton ΓR(A ) and Untime((a1, t1) . . .(ap, tp))=a1 . . .ap assigns to a timed word (and by extension to a timed language) a finite word (and by extensiona classical language).

Remark 9. In terms of behavioural equivalence, the finite automaton ΓR(A ) is the quotient of the timedtransition system T m

A w.r.t. the time-abstract bisimulation ∼=R .

Example 10. We consider the following small timed automaton, and we would like to know whetherlocation `4 is reachable from the initial state (`0,0x,y).

`0 `1 `2

`4 `3

y>1,a,x:=0 y>1,b

x<y∧y≤1,e c,y:=0d

A possible set of regions for that automaton has been given in Example 5, and the corresponding regionautomaton is the following finite automaton.

34

Timed automata 11

`0,R0 `1,R4

`1,R3

`1,R2

`1,R0

`2,R4

`2,R3

`3,R0

`4,R1

a b

c

d

d d

b

b

b

Applying Proposition 8, we have that location `4 is reachable in the original timed automaton iff the state(`4,R1) is reachable in the region automaton (actually it should be iff any of the (`4,Ri) is reachable, butdue to the constraint labelling the transition from `1 to `4, we can focus on (`4,R1)). We see that it is notthe case, and hence that there is no run which starts in the initial state (`0,0x,y) and ends in `4. y

For every timed automaton A for which we can effectively construct a finite set of regions R (satis-fying conditions À, Á and Â), we can transfer the checking of reachability properties in A to the finiteautomaton ΓR(A ). It remains to see how we can effectively build sets of regions for timed automata.

4.3 Effective construction of sets of regions

In the previous section, we have presented an abstract construction which allows to reduce for instancethe model-checking of reachability properties in timed automata to the model-checking of reachabilityproperties in finite automata (under the condition that there is a finite set of regions for the set of con-straints used in the timed automaton). However, we did not explain how we construct a set of regions fortimed automata, which is the basis to the whole construction.

In this section, we fix a finite set of clocks X .

4.3.1 Regions for sets of diagonal-free constraints.

Let M ∈ N be an integer. We define a set of regions for X and the set of M-bounded diagonal-free clockconstraints C M

df (X). A natural partition would be to take the partition induced by the set of constraintsitself, see Figure 3(a) for an illustration with two clocks. But this is actually not fine enough becausecompatibility condition Â is not satisfied (as illustrated on the figure by the two gray valuations). Acorrect partition is then the one of Figure 3(b).

We formalize this idea and we define the equivalence relation ≡X ,Mdf over TX as follows. Let v and v′

be two valuations of TX , we say that v≡X ,Mdf v′ if all three following conditions are satisfied:

(a) v(x)> M iff v′(x)> M for each x ∈ X ,

(b) if v(x)≤M, then bv(x)c= bv′(x)c and(v(x)= 0 iff v′(x)= 0

)for each x ∈ X ,9 and

(c) if v(x)≤M and v(y)≤M, then v(x) ≤ v(y) iff v′(x) ≤ v′(y) for all x, y ∈ X .

The relation ≡X ,Md f is an equivalence relation of finite index, and it naturally induces a finite partition

RMdf (X) of TX (defined as the set of equivalence classes of TX

/≡X ,Mdf

). The construction for two clocks is

precisely that illustrated on Figure 3(b).The following lemma states the correctness of the above partition.

9b·c (resp. ·) represents the integral (resp. fractional) part.

35

12 P. Bouyer

00

1

1

2

2

1

1

2

2

clock y

clock x0

0

(a) Partition compatible with the 2-bounded clock constraints and the resets(conditions À and Â), but not with timeelapsing (condition Á): the two gray pointsare not equivalent

00

1

1

2

2

1

1

2

2

clock y

clock x0

0

(b) Partition R2df(x,y) satisfying all

the compatibility constraints À, Á and Â

for the set of constraints C 2df(x,y)

Fig. 3: Region construction for set of diagonal-free constraints C 2df(x,y)

Proposition 11. The partition RMdf (X) is a finite set of regions for clocks X and M-bounded diagonal-free

clock constraints C Mdf (X).

Using some combinatorics, one can show that the cardinal of RMdf (X) is bounded by (2M+2)|X |.|X |!.2|X |.

4.3.2 Regions for sets of general constraints.

Let M ∈ N be an integer. The aim is to define a set of regions for X and the set of M-bounded clockconstraints C M(X). The partition we have defined in the previous paragraph is no more compatible withthe set of constraints C M(X), we thus need to refine it.

We define an equivalence relation ≡X ,M over TX as follows: let v and v′ be two valuations of TX , wesay that v≡X ,M v′ if all two following conditions hold:

• v≡X ,Mdf v′, and

• v |= (x− y∼ c) iff v′ |= (x− y∼ c) for every (x− y∼ c) ∈ C M(X).

This equivalence relation refines ≡X ,Mdf in that two equivalent valuations satisfy in addition the same

diagonal constraints (bounded by M). This new partition is denoted RM(X) and is illustrated for twoclocks on Figure 4.

00

1

1

2

2

1

1

2

2

clock y

clock x0

0

Fig. 4: Set of regions R2(X) for 2-bounded clock constraints with two clocks

We omit the proof of the following proposition, which states the correctness of the refinement.

36

Timed automata 13

Proposition 12. The partition RM(X) is a set of regions for X and the set of M-bounded clock constraintsC M(X).

An upper bound for the cardinal of RM(X) is (4M+3)(|X |+1)2.

4.4 An example of region automaton [5]

The region automaton construction is illustrated on Figure 5.

s0 s1

s2

s3x>0,a

y:=0

y=1,b x<1,cx<1,c

y<1,a,y:=0

x>1,d

(a) A timed automaton

y

x

(b) Its region partition

s0

x=y=0

s1

0=y<x<1

s1

y=0,x=1

s1

y=0,x>1

s2

1=y<x

s3

0<y<x<1

s3

0<y<1<x

s3

1=y<x

s3

x>1,y>1

a a a b

b b

c aa a

d

d

d

d

d

d

d

da

(c) Its region automaton

Fig. 5: A timed automaton and its corresponding region automaton

4.5 Applications of the region automaton construction

The reachability problem. Let A be a timed automaton with set of clocks X . Let M be the maximalconstant involved in one of the constraints of A , the set RM(X) (or even RM

df (X) in case A is a diagonal-free timed automaton) is a set of regions for A . Hence the region abstraction and all the developmentsmade in the previous section can be used. The following result, due to Alur and Dill [4, 5], is the core ofthe verification of timed systems.

Theorem 13. The reachability problem is decidable for timed automata. It is a PSPACE-completeproblem (for both diagonal-free and general timed automata).

37

14 P. Bouyer

Further applications of the region automaton abstraction. The region automaton abstraction issound for verifying reachability properties. This is due to the time-abstract bisimulation property whichlinks the region automaton and the original timed automaton. As a consequence, the region automatonabstraction can be used to verify all properties that are invariant by time-abstract bisimulation. This isfor instance the case of safety properties, of ω-regular properties, or of untimed properties expressed inLTL [44] or in CTL [25]. However, this construction cannot be directly used to verify properties ex-pressed in a timed temporal logic like TCTL [2, 3] because a property like “reaching a state in exactly 5units of time” is not invariant by time-abstract bisimulation. For these properties a refined constructionis required, which uses an extra clock for the formula, and then construct a region automaton taking intoaccount this additional clock. We do not develop this construction here but better refer to original articleson the subject [2, 3].

5 The language-theoretic perspective

In the previous section we have presented the region automaton abstraction, which can be used to model-check several kinds of simple properties, like reachability properties. From a language perspective, thismeans that the emptiness problem is decidable for timed automata. In this section we study furtherlanguage-theoretic properties of timed languages accepted by timed automata, and show in particularsome negative results.

5.1 Boolean operations

Closure under Boolean operations is a basic property which is interesting for modelling and verificationreasons.

Proposition 14. The class of timed languages accepted by timed automata is closed under finite unionand finite intersection.

The following proposition is on the contrary rather bad news.

Proposition 15. The class of timed languages accepted by timed automata is not closed under comple-mentation.

The most well-known timed automaton, already given in [5], which cannot be complemented is givenin Figure 6. This automaton, over the single-letter alphabet a, recognizes the timed language:

`0 `1 `2a,x := 0 x = 1,a

a a a

Fig. 6: A non-complementable timed automaton

(a, t1)(a, t2) . . .(a, tn) | n ∈ N, n≥ 2 and there exist 1≤ i < j ≤ n with t j− ti = 1

Intuitively, to be recognized by a timed automaton, the complement of this timed language would requirean unbounded number of clocks, because for any action a, we need to check that there is no a-action one

38

Timed automata 15

time unit later, so a fresh clock is intuitively required. However the complete proof is rather technicaland harassing [17], and we do not provide it here.

An alternative and elegant proof of the above proposition has been proposed in [8], and this is theone we will present in the tutorial.

5.2 The universality and inclusion problems

The universality problem asks, given a timed automaton A , whether A accepts all (finite) timed words.The inclusion problem asks, given two timed automata A and B, whether all timed words acceptedby B are also accepted by A , that is whether L(B) ⊆ L(A ). Note that the universality problem is aspecial instance of the inclusion problem, where B is universal, i.e. accepts all (finite) timed words. Thefollowing result is bad news in the verification context.

Theorem 16 ([4, 5]). The universality problem is undecidable for timed automata.

The following is a straightforward corollary of the initial observation that the universality problem isa special instance of the inclusion problem.

Corollary 17. The inclusion problem is undecidable for timed automata.

5.3 Timed automata and determinism

In the context of formal languages, determinism is a standard and central notion which expresses that fora word there is at most one execution which reads that word. For regular languages determinism doesnot restrict recognition of languages, but for context-free languages this is not the case [36]. We discussin this section the issue of determinism in the context of timed automata, which gives some explanationto the previous negative results.

5.3.1 The class of deterministic timed automata.

We give a syntactical definition of determinism in timed automata (with no invariants, for simplicity). Atimed automaton A = (L,L0,LF ,X ,Σ,T ) is deterministic whenever L0 is a singleton, and for every `∈ L,for every a ∈ Σ, (`,g1,a,Y1, `1) ∈ T and (`,g2,a,Y2, `2) ∈ T imply Jg1∧g2KX = /0. This notion extends ina natural way the standard notion of determinism in finite automata. In a deterministic timed automaton,for every timed word, there is at most one run that reads that timed word from a given configuration.

Deterministic timed automata form a strict subclass of timed automata.10 Using a product construc-tion, as done in the proof of Proposition 14 for the intersection, it is easy to get convinced that thissubclass is closed under finite union and finite intersection. On the other hand the timed automaton wehave given to illustrate the non-closure under complementation of the class of standard timed automata(Proposition 15) is not deterministic. And actually it is not very hard to get convinced that the class of de-terministic timed automata is closed under complementation: add a sink location, add transitions to thatsink from every location, with constraints complementing the union of all the constraints labelling theoutgoing transitions from that location, and finally swap final and non-final locations. As a consequence,this is not possible to construct a deterministic timed automaton which accepts the same language as thetimed automaton of Figure 6. And it is even possible to prove that this is not possible to decide whethera timed automaton is determinizable or not [53, 34].

10The strictness is obvious at the syntactical level, and also holds at the semantical level, as will be argued later: there existsa timed automaton such that no deterministic timed automata accepts the same timed language.

39

16 P. Bouyer

Finally it is interesting to mention that the reduction to prove the undecidability of the universalityproblem (proof of Theorem 16) builds a non deterministic timed automaton. And indeed the universal-ity problem (and the inclusion problem) is decidable for the class of deterministic timed automata: tocheck for the universality of a given deterministic timed automaton A , first build a (deterministic) timedautomaton which accepts the complement of L(A ), and then check for emptiness of this automaton.

5.3.2 Determinizable classes of timed automata.

As mentioned in the previous paragraph, not all timed automata can be determinized (i.e. there existtimed automata that accept timed languages which cannot be recognized by any deterministic timedautomaton). However, deterministic (and hence effectively determinizable) timed automata enjoy niceclosure (complementation) and decidability (universality, inclusion) properties. Verification can thusbenefit of such properties.

One of the first determinizable classes of timed automata which have been investigated is the class ofevent-clock timed automata [6]. In such an automaton every letter of the alphabet is associated twoclocks, one which measures delays since the last occurrence of this action (those are called event-recording clock), and one which measures delays to the next occurrence of this action (those are calledevent-predicting clock). In the syntax of event-clock timed automata. resets of clocks are ommitted asthey are implicitely given by actions.Example 18. In Figure 7 we give two event-clock timed automata (we take the convention that xa isthe event-recording clock associated with a whereas yb is the event-predicting clock associated with b).In the first automaton, the time between the last b and the unique initial a is precisely one time unit

`0 `1 `2a xa = 1,b

b

xa: event-recording clock for a

`0 `1 `2yb = 1,a b

a

yb: event-predicting clock for b

Fig. 7: Two event-clock timed automata

(specified with the constraint on the last transition xa = 1): when we do the last b, we know that the last awas precisely one time unit earlier. In the second automaton, the time between the first a and the uniquefinal b is precisely one time unit as well (specified with the constraint on the first transition yb = 1): whenthe first a is done, we know that the next b has to be one time unit later.

We give the intuition why an event-clock timed automaton with only event-recording clocks can bedeterminized (the case of event-predicting clocks is more involved and we refer the reader to [6] for moredetails). The reason is that the timed behaviour of those automata is input-determined: given a timedword, the value of the clocks after each prefix of the timed word is determined by that prefix (and not bythe run followed in the timed automaton). For that reason a subset construction can be done. This kindof arguments has later been used for more complex classes of timed systems [33].

Recently more determinizable classes of timed automata have been investigated [11, 42], amongwhich we can find the class of so-called strongly non-Zeno timed automata (we omit the definition ofthis class here, but basically it enforces time elapsing in a rather strong way) or more dedicated classes,e.g. corresponding to logical formalisms [43] or to simpler classes of timed systems [52].

40

Timed automata 17

6 Implementation and data structures

In the original work by Alur and Dill, the so-called region automaton construction is an abstractionwhich proves the decidability of the model. However, whereas well-suited for establishing decidabilityof problems related to timed automata, the region automaton is highly impractical from a tool imple-mentation point-of-view. Instead, most real-time verification tools (like CMC [26], KRONOS [39], andUPPAAL [54]) apply abstractions based on so-called zones, which in practice provide much coarserabstractions.

In this section, we describe methods that can be used for analysing reachability (or equivalentlysimple safety) properties in timed automata.

6.1 Checking reachability properties: two general methods

There are two main approaches for checking reachability (or safety) properties in systems (not only timedsystems, but all kinds of systems). We describe these two approaches shortly and apply them to timedautomata.

• Forward analysis. The general idea is to compute configurations which are reachable from theinitial configuration within 1 step, 2 steps, etc. until final (or goal) configurations are computed, oruntil the computation terminates. The forward analysis computation can be schematized as below.

Init

Final

• Backward analysis. The general idea is to compute configurations from which we can reach finalconfigurations within 1 step, 2 steps, etc. until the initial configuration is computed, or until thecomputation terminates. The backward analysis computation can be represented as below.

Final

Init

41

18 P. Bouyer

These two generic approaches are used in many contexts, including the analysis of models like countermachines, hybrid systems, etc. Of course, given a class of systems, specific techniques (eg. abstractions,widening operations, etc.) can be used for improving the computations. We will now focus on timedautomata and explain how these two approaches can be implemented in that framework.

6.2 Reachability analysis in timed automata: the zone symbolic representation

Timed automata have infinitely (and even uncountably) many configurations, it is thus necessary to usesymbolic representations for doing the computations. For the discussion which follows we fix a timedautomaton A = (L,L0,LF ,X ,Σ,T ). Given an edge e = (`,g,a,Y, `′) ∈ T of A , we need to be able tocompute its effect on a set of valuations. More precisely, if W is a set of valuations, we define the twofollowing sets of valuations:

Poste(W ) = v′ ∈ TX | ∃v ∈W ∃t ∈ T such that v+ t |= gand v′ = [Y ← 0](v+ t)

Pree(W ) = v ∈ TX | ∃v′ ∈W ∃t ∈ T such that v+ t |= gand [Y ← 0](v+ t) = v′

A valuation v′ is in Poste(W ) whenever there exists some valuation v ∈W and some t ∈ R≥0 such that(`,v)

t,e−→ (`′,v′) is a mixed move in TA . Similarly a valuation v is in Pree(W ) whenever there existssome valuation v′ ∈W and some t ∈ R≥0 such that (`,v)

t,e−→ (`′,v′) is a mixed move in TA .It is worth noticing that if W is a zone, i.e., a set of valuations defined by a general clock constraint,

then for every transition e of A , Poste(W ) and Pree(W ) are both zones. For analysing timed automata,zones are the most basic and commonly used symbolic representation.

In the following, we will need to decompose the computation of Poste and Pree in several simplersteps, hence we define the following operations on zones (or more generally on sets of valuations):

• Future of W :−→W = v+ t | v ∈W and t ∈ R≥0

• Past of W :←−W = v− t | v ∈W and t ∈ R≥0

• Intersection of W and W ′: W ∩W ′ = v | v ∈W and v ∈W ′• Reset to zero of W with respect to the set of clocks Y :

[Y ← 0]W = [Y ← 0]v | v ∈W• Inverse reset to zero of W with respect to the set of clocks Y :

[Y ← 0]−1W = v | [Y ← 0]v ∈WThese operations allow to express the Poste and Pree operators:

Poste(W ) = [Ye← 0](−→W ∩ JgeK)

Pree(W ) =←−−−−−−−−−−−−−−−−−−−−−−[Ye← 0]−1(W ∩ JYe = 0K)∩ JgeK

6.3 The DBM data structure

The most common data structure for representing zones is the so-called DBM data structure. This datastructure has been first introduced in [16] and then set in the framework of timed automata in [32].Several presentations of this data structure can be found in the literature, for example in [23, 15, 18].

42

Timed automata 19

A difference bound matrix, we shall write DBM for short, for a set X = x1, . . . ,xn of n clocks is an(n+1)-square matrix of pairs

(≺,m) ∈ V= (<,≤×Z)∪(<,∞).

A DBM M = (≺i, j,mi, j)0≤i, j≤n defines the following subset of RX≥0 (if v ∈ RX

≥0, v is the ‘canonical’valuation over X ∪ x0 — where x0 is a fresh clock — such that v(x) = v(x) for every x ∈ X , andv(x0) = 0; In the following we may write v instead of v):

v : X → R≥0 | ∀ 0≤ i, j ≤ n, v(xi)− v(x j)≺i, j mi, j

where γ < ∞ simply means that γ ∈ R≥0 (without any constraint on γ). This subset of RX≥0 is a zone and

will be denoted by JMK. To simplify the notations, we now assume that all constraints are non-strict, sothat coefficients of DBMs will simply be elements of Z∪∞.Example 19. We consider the zone over the set of clocks X = x1,x2 defined by the general clockconstraint

(x1 ≥ 3) ∧ (x2 ≤ 5) ∧ (x1− x2 ≤ 4).

This zone, depicted on the next picture on the right, can be represented by the DBM on the left.

x0 x1 x2

x0x1x2

Ö∞ −3 ∞∞ ∞ 45 ∞ ∞

è

x2

x13

5

x1−x2=4

yA zone can have several representations using DBMs. For example, the zone of the previous example

can equivalently be represented by the DBM

x0 x1 x2

x0x1x2

Ö0 −3 09 0 45 2 0

è

Normal forms of DBMs. We define a total order on V in the following way: if (≺,m),(≺′,m′) ∈ V,then

(≺,m)≤ (≺′,m′)⇔

m < m′

orm = m′ and either ≺ = ≺′ or ≺′ = ≤ .

Of course, for each m ∈ Z, we have m < ∞. We define >, ≥ and < in a natural way. These orders areextended to DBMs M = (≺i, j,mi, j)i, j=0...n and M′ = (≺′i, j,m′i, j)i, j=0...n by

M ≤M′⇔ for every i, j = 0 . . .n, (≺i, j,mi, j)≤ (≺′i, j,m′i, j).

43

20 P. Bouyer

We also define an addition on the set V as follows:

(≺,m)+(≺′,m′) = (≺′′,m′′)where m′′ = m+m′ and ≺′′ is ≤ if both ≺ and ≺′ are ≤ and ≺′′ is < otherwise.

Let M be a DBM. We write GM for the graph corresponding to that DBM. Then the followingproperty follows:Property 20 (Emptiness checking).

JMK = /0 iff there is a cycle with weight strictly smaller than (≤,0) in GM

We apply the Floyd-Warshall algorithm to DBM M (seen as the adjacency matrix of GM), yieldingthe DBM φ(M). The DBM φ(M) is the normal form of M, which will be justified later. Notice thatφ(φ(M)) = φ(M) if JMK is not empty.

We can now state some (very useful) properties of normal forms of DBMs.Property 21. If M and M′ are DBMs, then:

(i) JMK = Jφ(M)K and φ(M)≤M,

(ii) JMK⊆ JM′K⇔ φ(M)≤M′⇔ φ(M)≤ φ(M′).The last point expresses the fact that the test for inclusion of zones can be checked syntactically on

the normal forms of the DBMs (representing the zones).Normal forms of DBMs can be characterized in a natural way.

Property 22. If M = (≺i, j,mi, j)i, j=0...n is a DBM such that JMK 6= /0, then the two following propertiesare equivalent:

(i) M is in normal form,

(ii) for every i, j = 0 . . .n, for every real−m j,i ≺ j,i r≺i, j mi, j, there exists a valuation v∈ JMKsuch that v(x j)− v(xi) = r (still assuming that v(x0) = 0).

This property expresses the fact that if a DBM is in normal form, then no constraint of this DBM canbe tightened using Floyd algorithm.

6.3.1 Computation of some operations on DBMs.

As we argued at the beginning of the section, the data structure used to represent zones must also beappropriate to compute several operations.

Intersection. Let M = (≺i, j,mi, j;)i, j=1...n and M′ = (≺′i, j,m′i, j)i, j=1...n be two DBMs and define M′′ =(≺′′i, j,m′′i, j)i, j=1...n by

(≺′′i, j,m′′i, j) = min((≺i, j,mi, j),(≺′i, j,m′i, j)) for all indices i, j = 1 . . .n.

Then JM′′K = JMK∩ JM′K. Note that it can be the case that M′′ is not in normal form, even if M and M′

are in normal form.

Future. Assume that M = (≺i, j,mi, j)i, j=1...n is a DBM in normal form. Define the DBM−→M = (≺′i, j

,m′i, j)i, j=1...n by: ®(≺′i, j,m′i, j) = (≺i, j,mi, j) if j 6= 0(≺′i,0,m′i,0) = (<,∞)

.

Then J−→MK =−−→JMK and the DBM−→M is in normal form.

44

Timed automata 21

Past. Assume that M = (≺i, j,mi, j)i, j=1...n is a DBM in normal form. Define the DBM←−M = (≺′i, j

,m′i, j)i, j=1...n by: ®(≺′i, j,m′i, j) = (≺i, j,mi, j) if i 6= 0(≺′0, j,m′0, j) = (≤,0) .

Then J←−MK =←−−JMK and the DBM←−M is in normal form.

Image by resets. Assume that M = (≺i, j,mi, j)i, j=1...n is a DBM in normal form and define the DBMMxk:=0 = (≺′i, j,m′i, j)i, j=1...n by:

(≺′i, j,m′i, j) = (≺i, j,mi, j) if i, j 6= k(≺′k,k,m′k,k) = (≺′k,0,m′k,0) = (≺′0,k,m′0,k) = (≤,0)(≺′i,k,m′i,k) = (≺i,0,mi,0) if i 6= k(≺′k,i,m′k,i) = (≺0,i,m0,i) if i 6= k

Then JMxk:=0K = [xk← 0]JMK and the DBM Mxk:=0 is in normal form.Let us just mention that the DBM data structure is the most basic data structure which is used for

analysing timed systems, some more involved BDD-like data structures can also be used, for exampleCDDs (which stands for ‘Clock Difference Diagrams’) [40], or more recently federations [28, 27].

6.4 Backward analysis

We first focus on the backward analysis computation, which will surprisingly turn out to be the simplestto analyse. We fix a timed automaton A = (L,L0,LF ,X ,Σ,T ).

6.4.1 Backward symbolic transition system.

The backward symbolic transition system associated with A is denoted by ‘⇐’ and is defined inductivelyas follows:

e =Å`1

g,a,Y−−−→ `2

ã∈ E W1 = Pree(W2)

(`2,W2)⇐ (`1,W1)

Obviously, if we write⇐∗ for the reflexive and transitive closure of⇐, we have that (`′,W ′)⇐∗ (`,W )if and only if for every v ∈W , there exists v′ ∈W ′ and a run in A from (`,v) to (`′,v′).

The backward analysis algorithm then consists in computing iteratively the following sets of sym-bolic configurations:

S b0 = (`,RX

≥0) | ` ∈ LFS b

1 = S b0 ∪ (`,W ) | ∃(`′,W ′) ∈S b

0 such that (`′,W ′)⇐ (`,W )...

S bp+1 = S b

p ∪ (`,W ) | ∃(`′,W ′) ∈S bp such that (`′,W ′)⇐ (`′,W ′)

...

until either (i) the computation stabilizes, or (ii) a symbolic state is computed, which contains the initialconfiguration of A . To help event (i) happen, it is possible to add the following inclusion check: if

45

22 P. Bouyer

(`,W ) ∈S bp+1 and if there exists (`,W ′) ∈S b

p such that W ⊆W ′ (or even if there exist (`,Wi) ∈S bp for

finitely many i’s such that W ⊆⋃iWi), then do not include (`,W ) in S bp+1. The procedure answers ‘Yes’

in case (ii) and ‘No’ in case (i)∧¬(ii).

6.4.2 Termination and correctness.

The backward analysis computation enjoys the following nice property, which can be seen as a conse-quence of the correctness of the backward analysis algorithm for TCTL [35]. However, we will givebelow a simple and direct proof of that result.Theorem 23. The backward computation terminates and is correct with respect to reachability proper-ties.11

Backward analysis may appear as an accurate method for analysing timed automata, but in practice,some tools (like Uppaal) prefer using a forward analysis computation. One of the reasons comes from theuse of (bounded) integer variables that are really helpful for modelling real systems. Backward analysisis then not suitable for dealing with arithmetical operations: for example if we know in which intervallies the variable i and if we know that i is assigned the value j.k + `.m, it is not easy to compute thepossible values of variables j, k, `, m (apart from listing all possible tuples of values). For this kind ofoperations, forward analysis is much more suitable.

6.5 Forward analysis

In this section we focus on the forward analysis computation, which will require the development of ab-stractions, and more effort for proving its correctness. We fix a timed automaton A = (L,L0,LF ,X ,Σ,T ).

6.5.1 Forward symbolic transition system.

The forward symbolic transition system associated with A is denoted by ‘⇒’ and is defined inductivelyas follows:

e =Å`1

g,a,Y :=0−−−−−→ `2

ã∈ E W2 = Poste(W1)

(`1,W1)⇒ (`2,W2)

Obviously, if we write⇒∗ for the reflexive and transitive closure of⇒, we have that (`,W )⇒∗ (`′,W ′)if and only if for every v′ ∈W ′, there exists v ∈W and a run in A from (`,v) to (`′,v′).

The forward analysis computation then consists in computing iteratively the following sets of sym-bolic configurations:

S f0 = (`0,0X)

S f1 = S f

0 ∪ (`′,W ′) | ∃(`,W ) ∈S f0 such that (`,W )⇒ (`′,W ′)

...

S fp+1 = S f

p ∪ (`′,W ′) | ∃(`,W ) ∈S fp such that (`,W )⇒ (`′,W ′)

...

until either (i) the computation stabilizes, or (ii) a symbolic state is computed, which contains a finalconfiguration of the timed automaton (i.e., a configuration of the form (` f ,v) with ` f ∈ LF ). To help

11I.e. LF is reachable if and only if it is declared as reachable by the backward computation.

46

Timed automata 23

event (i) happen, it is possible to add an inclusion check, as in the backward analysis computation. Theprocedure answers ‘Yes’ in case (ii) and ‘No’ in case (i)∧¬(ii).

6.5.2 Discussion on the termination and correctness.

The forward analysis gives a correct answer, but it may not terminate. An example of automaton in whichthe forward computation does not terminate is given below. The zones that are computed by the aboveprocedure are represented on the right part of the figure, and it is easy to check that the computation willnever terminate.

`

(y≤1)

x≥1∧y=1,a,y:=0 y

x1 2 3 4 5 6

1···

To overcome this problem, it is necessary to use some abstraction operators. Several have been proposedin [29]: for instance, if Z and Z′ are computed for the location `, they are replaced by the smallestzone containing both Z and Z′; this approximation is called the convex-hull abstraction12, it does notensure termination and is only semi-correct, in the sense that a location announced as reachable mightnot be reachable (the convex-hull abstraction is an over-approximation). The most interesting abstractionstudied in this paper is the extrapolation operator. We will present it now, but we first need to formalize alittle more the forward analysis procedure. We follow the lines of [12, 13] and define (abstract) symbolictransition systems.

6.5.3 Abstract forward symbolic transition systems.

Let a be an abstraction operator (possibly partially) defined on the sets of valuations (a associates to setsof valuations sets of valuations). We define the abstract forward symbolic transition system ‘⇒a’ in thefollowing way:

(`,W )⇒ (`′,W ′) W = a(W )

(`,W )⇒a (`′,a(W ′))

This transition system gives naturally rise to the following forward computation in A .

S f,a0 = (`0,a(0X))

S f,a1 = S f,a

0 ∪ (`′,W ′) | ∃(`,W ) ∈S f,a0 such that (`,W )⇒a (`

′,W ′)...

S f,ap+1 = S f,a

p ∪ (`′,W ′) | ∃(`,W ) ∈S f,ap such that (`,W )⇒a (`

′,W ′)...

with the same halting conditions (and inclusion checks) as previously.

12It is a language abuse, because it is not really the convex hull of the two zones, but it is the smallest zone containing theconvex-hull of the two zones.

47

24 P. Bouyer

6.5.4 Soundness criteria.

The abstraction operator a is said correct with respect to reachability properties in A whenever thefollowing holds:

if (`0,a(0X))⇒∗a (`,W ) then there exists a run(`0,0X)→∗ (`,v) with v ∈W in A

The abstraction operator a is said complete with respect to reachability properties whenever thefollowing holds in A :

if (`0,0X)→∗ (`,v) is a run in A then (`0,a(0X))⇒∗a (`,W )for some W with v ∈W

Remark 24. Note that these two notions could be generalized to more general properties than reacha-bility properties, but we follow our lines and concentrate on reachability properties.

y

Our aim is to define abstraction operators a such that the four following properties hold:

(Finiteness) a(W ) | a defined on W is finite(this ensures termination of the “abstract” forward computation)

(Correctness) a is correct with respect to reachability

(Completeness) a is complete with respect to reachability

(Effectiveness) a is “effective”

The three first properties are properly defined, the last one is more informal. The effectiveness criterionexpresses that the abstraction has to be easily computable. In timed automata literature this is most ofthe time interpreted as “a has to be defined for all zones and a(Z) has to be a zone when Z is a zone”.Note that other effectiveness criteria could be proposed, but that is the one we choose here.

6.5.5 The extrapolation operator.

The abstraction operator which is commonly used is called extrapolation, and sometimes normaliza-tion [15] or approximation [18]. We will note it here ApproxK , it is defined up to a constant K as follows:if Z is a zone, ApproxK(Z) is the smallest K-bounded zone13 which contains Z. This operation is well-defined on DBMs: if M is a DBM in normal form representing Z, a DBM representing ApproxK(Z) isobtained from M where each coefficient (≺;m) with m <−K is replaced by (<;−K) and all coefficients(≺;m) with m > K is replaced by (<;∞), all other coefficients are unchanged. We write ApproxK(M)for this transformed DBM: it holds that JApproxK(M)K = ApproxK(JMK).Example 25. Consider again the zone introduced in example 19. As we have already mentioned, it canbe represented by the DBM in normal form on the left and its 2-extrapolation is the DBM on the right(where we again do not mention the comparison operators):

M =

Ö0 −3 09 0 45 2 0

è

and Approx2(M) =

Ö0 −2 0+∞ 0 +∞+∞ 2 0

è

They are both represented on the picture below.

13A K-bounded zone is a zone defined by a K-bounded clock constraint.

48

Timed automata 25

3

x2

x1

5

2

2

JMK

JApprox2(M)K

yObviously,• ApproxK is a finite abstraction operator because there are finitely many DBMs whose coefficients

are either (<;∞) or some (≺;m) with ≺ ∈ <;≤ and −K ≤ m≤ K;

• the computation of ApproxK is effective and can easily be done using DBMs;

• ApproxK is a complete abstraction with respect to reachability because for every zone Z, Z ⊆ApproxK(Z).

The only point that needs to be carefully studied is the correctness of ApproxK : of course, not all constantsK yield correctness, but we have to choose such a constant K carefully, so that the abstraction operatorbe correct with respect to reachability properties. We now discuss in details this important aspect.

6.5.6 Correctness of the extrapolation operator.

The correctness only holds for diagonal-free timed automata. And the result does not extend to timedautomata with general clock constraints: there does exist a timed automaton for which no extrapolationis correct.Theorem 26 ([18]). Let A be a diagonal-free timed automaton. Take K the maximal constant appearingin the constraints of A . Then ApproxK is a correct abstraction with respect to reachability properties inA .Remark 27. Several improvements on that extrapolation operator have been made, like distinguish lo-cations, distinguish lower- and upper-bounds.

7 Conclusion and current developments

We have presented the model of timed automata and its fundamental properties. We have also discussedimplementation issues, which are in the core of some of today’s tools, even though many optimizationshave been implemented. In the tutorial we will also mention several extensions of timed automata, liketimed games [9, 22] or weighted timed automata [7, 14, 20], which are suitable for modelling someaspects of computerized systems.

Another important issue is that of implementability and robustness. Timed automata are an idealizedmathematical model which assumes perfect and infinitely precise clocks, instantaneous communication,etc. Those assumptions are unfortunately not realistic, and the correctness of systems proven on modelscan often not be transferred to real systems. This has naturally led to the question of the implementabilityof timed systems (‘can a correct system be implemented on a processor?’) [31] and to the development ofrobust timed systems [46, 30, 49]. A robust timed system is such that it is correct, even though the clockbehaviour of the system is not perfect. There are lots of recent developments on that subject, and severalsurveys are available [41, 21]. The talk by Pierre-Alain Reynier will discuss the issue of robustness.

49

26 P. Bouyer

References[1] L. Aceto, A. Ingolfsdottir, K. G. Larsen, and J. Srba, editors. Reactive Systems: Modelling, Specifica-

tion and Verification. Cambridge University Press, 1008. http://www.cambridge.org/uk/catalogue/catalogue.asp?isbn=9780521875462.

[2] R. Alur, C. Courcoubetis, and D. L. Dill. Model-checking for real-time systems. In Proc. 5th AnnualSymposium on Logic in Computer Science (LICS’90), pages 414–425. IEEE Computer Society Press, 1990.

[3] R. Alur, C. Courcoubetis, and D. L. Dill. Model-checking in dense real-time. Information and Computation,104(1):2–34, 1993.

[4] R. Alur and D. L. Dill. Automata for modeling real-time systems. In Proc. 17th International Colloquiumon Automata, Languages and Programming (ICALP’90), volume 443 of Lecture Notes in Computer Science,pages 322–335. Springer, 1990.

[5] R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994.

[6] R. Alur, L. Fix, and Th. A. Henzinger. A determinizable class of timed automata. In Proc. 6th InternationalConference on Computer Aided Verification (CAV’94), volume 818 of Lecture Notes in Computer Science,pages 1–13. Springer, 1994.

[7] R. Alur, S. La Torre, and G. J. Pappas. Optimal paths in weighted timed automata. In Proc. 4th Interna-tional Workshop on Hybrid Systems: Computation and Control (HSCC’01), volume 2034 of Lecture Notesin Computer Science, pages 49–62. Springer, 2001.

[8] R. Alur and P. Madhusudan. Decision problems for timed automata: A survey. In Proc. 4th InternationalSchool on Formal Methods for the Design of Computer, Communication and Software Systems: Real Time(SFM-04:RT), volume 3185 of Lecture Notes in Computer Science, pages 122–133. Springer, 2004.

[9] E. Asarin, O. Maler, A. Pnueli, and J. Sifakis. Controller synthesis for timed automata. In Proc. IFACSymposium on System Structure and Control, pages 469–474. Elsevier Science, 1998.

[10] C. Baier and J.-P. Katoen. Principles of Model Checking. MIT Press, 2008. http://mitpress.mit.edu/catalog/item/default.asp?ttype=2&tid=11481.

[11] Ch. Baier, N. Bertrand, P. Bouyer, and Th. Brihaye. When are timed automata determinizable? In Proc. 36thInternational Colloquium on Automata, Languages and Programming (ICALP’09), volume 5556 of LectureNotes in Computer Science, pages 43–54. Springer, 2009.

[12] G. Behrmann, P. Bouyer, E. Fleury, and K. G. Larsen. Static guard analysis in timed automata verification.In Proc. 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems(TACAS’03), volume 2619 of Lecture Notes in Computer Science, pages 254–277. Springer, 2003.

[13] G. Behrmann, P. Bouyer, K. G. Larsen, and R. Pelanek. Lower and upper bounds in zone based abstractionsof timed automata. In Proc. 10th International Conference on Tools and Algorithms for the Constructionand Analysis of Systems (TACAS’04), volume 2988 of Lecture Notes in Computer Science, pages 312–326.Springer, 2004.

[14] G. Behrmann, A. Fehnker, Th. Hune, K. G. Larsen, P. Pettersson, J. Romijn, and F. Vaandrager. Minimum-cost reachability for priced timed automata. In Proc. 4th International Workshop on Hybrid Systems: Compu-tation and Control (HSCC’01), volume 2034 of Lecture Notes in Computer Science, pages 147–161. Springer,2001.

[15] J. Bengtsson. Clocks, DBMs ans States in Timed Systems. PhD thesis, Department of Information Technology,Uppsala University, Uppsala, Sweden, 2002.

[16] B. Berthomieu and M. Menasche. An enumerative approach for analyzing time Petri nets. In Proc. IFIP 9thWorld Computer Congress, volume 83 of Information Processing, pages 41–46. North-Holland/ IFIP, 1983.

[17] P. Bouyer. Automates temporises et modularite. Master’s thesis, DEA Algorithmique, Paris, 1998.

[18] P. Bouyer. Forward analysis of updatable timed automata. Formal Methods in System Design, 24(3):281–320,2004.

50

Timed automata 27

[19] P. Bouyer, C. Dufourd, E. Fleury, and A. Petit. Updatable timed automata. Theoretical Computer Science,321(2–3):291–345, 2004.

[20] P. Bouyer, U. Fahrenberg, K. G. Larsen, and N. Markey. Quantitative analysis of real-time systems usingpriced timed automata. Communication of the ACM, 54(9):78–87, 2011.

[21] P. Bouyer, N. Markey, and O. Sankur. Robustness in timed automata. In Proc. 7th Workshop on ReachabilityProblems in Computational Models (RP’13), volume 8169 of Lecture Notes in Computer Science, pages1–18. Springer, 2013.

[22] F. Cassez, A. David, E. Fleury, K. G. Larsen, and D. Lime. Efficient on-the-fly algorithms for the analysis oftimed games. In Proc. 16th International Conference on Concurrency Theory (CONCUR’05), volume 3653of Lecture Notes in Computer Science, pages 66–80. Springer, 2005.

[23] E. Clarke, O. Grumberg, and D. Peled. Model-Checking. MIT Press, 1999.

[24] E. M. Clarke and E. A. Emersen. Using branching time temporal logic to synthesize synchronization skele-tons. Science of Computer Programming, 2(3):241–266, 1982.

[25] E. M. Clarke and E. A. Emerson. Design and synthesis of synchronous skeletons using branching-timetemporal logic. In Proc. 3rd Workshop on Logics of Programs (LOP’81), volume 131 of Lecture Notes inComputer Science, pages 52–71. Springer-Verlag, 1981.

[26] Webpage of cmc. http://www.lsv.ens-cachan.fr/~fl/cmcweb.html/.

[27] A. David. Merging DBMs efficiently. In Proc. 17th Nordic Workshop on Programming Theory (NWPT’05),2005. DIKU, University of Copenhagen.

[28] A. David, J. Hakansson, L. K. G., and P. Pettersson. Minimal DBM subtraction. In Proc. 16th NordicWorkshop on Programming Theory (NWPT’04), pages 17–20, 2004. Uppsala University IT Technical Report2004-041.

[29] C. Daws and S. Tripakis. Model-checking of real-time reachability properties using abstractions. In Proc. 4thInternational Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’98),volume 1384 of Lecture Notes in Computer Science, pages 313–329. Springer, 1998.

[30] M. De Wulf, L. Doyen, N. Markey, and J.-F. Raskin. Robust safety of timed automata. Formal Methods inSystem Design, 33(1–3):45–84, 2008.

[31] M. De Wulf, L. Doyen, and J.-F. Raskin. Almost ASAP semantics: From timed models to timed imple-mentations. In Proc. 7th International Workshop on Hybrid Systems: Computation and Control (HSCC’04),volume 2993 of Lecture Notes in Computer Science, pages 296–310. Springer, 2004.

[32] D. L. Dill. Timing assumptions and verification of finite-state concurrent systems. In Proc. of the Workshopon Automatic Verification Methods for Finite State Systems (1989), volume 407 of Lecture Notes in ComputerScience, pages 197–212. Springer, 1990.

[33] D. D’Souza and N. Tabareau. On timed automata with input-determined guards. In Proc. Joint Conferenceon Formal Modelling and Analysis of Timed Systems and Formal Techniques in Real-Time and Fault Tol-erant System (FORMATS+FTRTFT’04), volume 3253 of Lecture Notes in Computer Science, pages 68–83.Springer, 2004.

[34] O. Finkel. Undecidable problems about timed automata. In Proc. 4th International Conference on For-mal Modeling and Analysis of Timed Systems (FORMATS’06), volume 4202 of Lecture Notes in ComputerScience, pages 187–199. Springer, 2006.

[35] Th. A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine. Symbolic model-checking for real-time systems.Information and Computation, 111(2):193–244, 1994.

[36] J. Hopcroft, R. Motwani, and J. Ullman. Introduction to Automata Theory, Languages and Computation (2ndedition). Addison-Wesley, 2001.

[37] J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages and Computation. Addison-Wesley, 1979.

[38] Webpage of if. http://www-if.imag.fr/.

51

28 P. Bouyer

[39] Webpage of kronos. http://www-verimag.imag.fr/TEMPORISE/kronos/.[40] K. G. Larsen, J. Pearson, C. Weise, and W. Yi. Clock difference diagrams. Nordic Journal of Computing,

6(3):271–298, 1999.[41] N. Markey. Robustness in real-time systems. In Proc. 6th IEEE International Symposium on Industrial

Embedded Systems (SIES’11), pages 28–34. IEEE Computer Society Press, 2011.[42] T. J. Nathalie Bertrand, Amelie Stainer and M. Krichen. A game approach to determinize timed automata.

In Proc. 14th International Conference on Foundations of Software Science and Computation Structures(FoSSaCS’11), volume 6604 of Lecture Notes in Computer Science, pages 245–259. Springer, 2011.

[43] D. Nickovic and N. Piterman. From MTL to deterministic timed automata. In Proc. 8th InternationalConference on Formal Modeling and Analysis of Timed Systems (FORMATS’10), Lecture Notes in ComputerScience. Springer, 2010. To appear.

[44] A. Pnueli. The temporal logic of programs. In Proc. 18th Annual Symposium on Foundations of ComputerScience (FOCS’77), pages 46–57. IEEE Computer Society Press, 1977.

[45] Webpage of PRISM. http://www.prismmodelchecker.org/.[46] A. Puri. Dynamical properties of timed automata. In Proc. 5th International Symposium on Formal Tech-

niques in Real-Time and Fault-Tolerant Systems (FTRTFT’98), volume 1486 of Lecture Notes in ComputerScience, pages 210–227. Springer, 1998.

[47] J.-P. Queille and J. Sifakis. Specification and verification of concurrent systems in CESAR. In Proc. 5thInternational Symposium on Programming, volume 137 of Lecture Notes in Computer Science, pages 337–351. Springer, 1982.

[48] Webpage of red. http://cc.ee.ntu.edu.tw/~farn/.[49] O. Sankur. Robustness in Timed Automata: Analysis, Synthesis, Implementation. PhD thesis, ENS Cachan,

France, 2013.[50] P. Schnoebelen, B. Berard, M. Bidoit, F. Laroussinie, and A. Petit. Systems and Software Verification - Model-

Checking Techniques and Tools. Springer, 2001. http://www.springer.com/computer/programming/book/978-3-540-41523-7.

[51] Webpage of SPIN. http://spinroot.com/.[52] P. V. Suman and P. K. Pandya. Determinization and expressiveness of integer reset timed automata with

silent transitions. In Proc. 3rd International Conference on Language and Automata Theory and Applications(LATA’09), volume 5457 of Lecture Notes in Computer Science, pages 728–739. Springer, 2009.

[53] S. Tripakis. Folk theorems on the determinization and minimization of timed automata. In Proc. 1st In-ternational Workshop on Formal Modeling and Analysis of Timed Systems (FORMATS’03), volume 2791 ofLecture Notes in Computer Science, pages 182–188. Springer, 2003.

[54] Webpage of UPPAAL. http://www.uppaal.org/.

52

Verification of security protocols:from confidentiality to privacy ∗

Stephanie DelauneLSV, ENS Cachan & CNRS & Inria Saclay Ile-de-France

[email protected]

Security protocols are widely used today to secure transactions that take place through public chan-nels like the Internet. Typical functionalities are the transfer of a credit card number or the authenticationof a user on a system. Because of their increasing ubiquity in many important applications (e.g. elec-tronic commerce, smartphone, government-issued ID . . . ), a very important research challenge consistsin developing methods and verification tools to increase our trust on security protocols, and so on the ap-plications that rely on them. For example, more than 12 billion Euros are spent each year using Internettransactions. Moreover, new types of applications (e.g. electronic voting, electronic money systems likeBitcoin, . . . ) are still emerging in order to face new technological and societal challenges.

A protocol can be seen as a list of rules that describes executions; these rules specify the emissionsand receptions of messages by the actors of the protocols called agents. They are designed to achievevarious security goals such as data privacy and data authenticity, even when the communication betweenparties takes place over channels controlled by an attacker. For instance, SSL is a protocol that is widelyused to provide authentication and encryption in order to send sensitive data such as credit card numbersto a vendor. Those protocols use cryptographic primitives as a building block. A wide variety of cryp-tographic protocols go beyond the traditional goals of data confidentiality, integrity, and authenticationand use more complex cryptographic primitives.

The goal of cryptanalysis is to find some weakness or insecurity in a cryptographic scheme, thuspermitting its subversion or evasion. Here, we will assume that primitives work perfectly, meaning that itis not possible to break them. This does not mean however that the protocols that rely on these primitivesare secure. There can still remain some logical attacks. A famous example is the Needham-Schroederprotocol [17] on which G. Lowe discovered a flaw 17 years after its publication [15]. More recently, aflaw has been discovered in the Single Sign On Protocols used in Google Apps [5]. It been shown that amalicious application could very easily access to any other application (e.g. Gmail or Google Calendar)of their users. This flaw has been found when analyzing the protocol using formal methods, abstractingmessages by a term algebra and using the Avispa platform [5]. Some privacy issues have also beendiscovered quite recently on the e-passport application [3], and in mobile telephony [4].

The formal verification of cryptographic protocols is a difficult problem that can be seen as a partic-ular model-checking problem in an hostile environment. Formal methods have proved their usefulnessfor precisely analyzing the security of protocols. They rely on symbolic models for protocols, wheremessages are represented by terms, an algebraic structure that abstracts away the underlying cryptog-raphy. Even if a basic property such as confidentiality is undecidable in general, many techniques andtools have been proposed. For example, secrecy preservation is co-NP-complete [1, 16, 18] for the caseof a bounded number of sessions (i.e. assuming the protocol is executed a finite number of times). Sev-

∗This work has been partially supported by the project JCJC VIP ANR-11-JS02-006.

53

2 S. Delaune

eral tools have also been developed to automatically find attacks or prove security, e.g. ProVerif [7], orAvispa [6].

Most of these results focus on trace properties, that is, statements that something bad never occurson any execution trace of a protocol. Secrecy and authentication are typical examples of trace properties:a data remains confidential if, for any execution, the attacker is not able to produce the data. But privacyproperties cannot be defined (or cannot be naturally defined) as trace properties. Indeed, consider forexample the simple case of anonymity: a user Alice does not want her identity to be revealed. A firstidea would be to request the confidentiality of the data “Alice”. This is however unrealistic: identitiesare usually known to the public. And actually, the confidential information is not the data “Alice” but thefact that Alice did take part in a particular communication. So anonymity is usually defined as the factthat an observer cannot distinguish the case where A is talking from the case where B is talking. Thisnotion of indistinguishability requires a notion of behavioural equivalence. Roughly, two processes Pand Q are equivalent (P≈Q) if no process O can observe any difference between the processes P and Q.The notion of behavioural equivalence is crucial when specifying properties like anonymity and moregenerally, any privacy-type property. Privacy related properties involved in electronic voting protocols(e.g. [14]) also use equivalence as a key notion and cannot be expressed in linear temporal logic. Forexample, ballot secrecy is typically defined by the fact that an observer should not observe when twovoters A and B swap their votes:

A(yes) | B(no)≈ A(no) | B(yes).

Other examples of privacy properties are untraceability in the context of RFID protocols [8] or confiden-tiality for cloud computing conference management systems [2]. All these properties are again modeledusing behavioural equivalences.

In this talk, we will see how the analysis of confidentiality for security protocols reduces to solvingconstraint systems for which several decision procedures already exist and have been implemented invarious tools. Then, we will see how to lift this approach to deal with privacy-type security proper-ties [11, 12, 9, 20]. This line of research is more recent but some prototypes already exist (APTE [10],AKISS [13], SPEC [19]).

References

[1] R. Amadio, D. Lugiez, and V. Vanackere. On the symbolic reduction of processes with cryptographic func-tions. Theoretical Computer Science, 290:695–740, 2002.

[2] M. Arapinis, S. Bursuc, and M. Ryan. Privacy supporting cloud computing: Confichair, a case study. InProc. 1st Conference on Principles of Security and Trust (POST’12), 2012.

[3] M. Arapinis, T. Chothia, E. Ritter, and M. Ryan. Analysing unlinkability and anonymity using the applied picalculus. In Proc. 23rd IEEE Computer Security Foundations Symposium (CSF’10). IEEE Computer SocietyPress, 2010.

[4] M. Arapinis, L. I. Mancini, E. Ritter, M. Ryan, N. Golde, K. Redon, and R. Borgaonkar. New privacy issuesin mobile telephony: fix and verification. In ACM Conference on Computer and Communications Security,pages 205–216, 2012.

[5] A. Armando, R. Carbone, L. Compagna, J. Cuellar, and M. L. Tobarra. Formal analysis of SAML 2.0 webbrowser single sign-on: breaking the SAML-based single sign-on for google apps. In Proc. of the 6th ACMWorkshop on Formal Methods in Security Engineering (FMSE 2008), pages 1–10, 2008.

54

Verification of security protocols 3

[6] A. Armando et al. The AVISPA Tool for the automated validation of internet security protocols and applica-tions. In Proc. 17th Int. Conference on Computer Aided Verification (CAV’05), volume 3576 of LNCS, pages281–285. Springer, 2005.

[7] B. Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In Proc. 14th ComputerSecurity Foundations Workshop (CSFW’01), pages 82–96. IEEE Comp. Soc. Press, 2001.

[8] M. Bruso, K. Chatzikokolakis, and J. den Hartog. Formal verification of privacy for RFID systems. In Proc.23rd IEEE Computer Security Foundations Symposium (CSF’10). IEEE Computer Society Press, 2010.

[9] R. Chadha, S. Ciobaca, and S. Kremer. Automated verification of equivalence properties of cryptographicprotocols. In Proc. 21th European Symposium on Programming (ESOP’12), LNCS. Springer, 2012.

[10] V. Cheval. APTE: http://projects.lsv.ens-cachan.fr/APTE/, 2011.[11] V. Cheval, H. Comon-Lundh, and S. Delaune. Trace equivalence decision: Negative tests and non-

determinism. In Proc. 18th ACM Conference on Computer and Communications Security (CCS’11), pages321–330, Chicago, Illinois, USA, Oct. 2011. ACM Press.

[12] Y. Chevalier and M. Rusinowitch. Decidability of symbolic equivalence of derivations. Journal of AutomatedReasoning, 2012.

[13] Stefan Ciobaca. AKISS: http://www.lsv.ens-cachan.fr/~ciobaca/akiss/, 2012.[14] S. Delaune, S. Kremer, and M. D. Ryan. Verifying privacy-type properties of electronic voting protocols.

Journal of Computer Security, (4):435–487, July 2008.[15] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Proc. 2nd Interna-

tional Workshop on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’96), LNCS.Springer-Verlag, 1996.

[16] J. Millen and V. Shmatikov. Constraint solving for bounded-process cryptographic protocol analysis. In Proc.8th ACM Conference on Computer and Communications Security (CCS’01). ACM Press, 2001.

[17] R. Needham and M. Schroeder. Using encryption for authentification in large networks of computers. Com-munications of the ACM, 21(12):993–999, 1978.

[18] M. Rusinowitch and M. Turuani. Protocol insecurity with finite number of sessions is NP-complete. In Proc.14th Computer Security Foundations Workshop (CSFW’01), pages 174–190. IEEE Comp. Soc. Press, 2001.

[19] A. Tiu. Spec: http://users.cecs.anu.edu.au/~tiu/spec/, 2010.[20] A. Tiu and J. E. Dawson. Automating open bisimulation checking for the spi calculus. In Proc. 23rd IEEE

Computer Security Foundations Symposium (CSF’10), pages 307–321. IEEE Computer Society Press, 2010.

55

Hybrid Systems

Marco FaellaElectrical Engineering and Information Technologies

Universita di Napoli “Federico II”Italy

[email protected]

Abstract

This document summarizes the contents of the MOVEP 2014 tutorial on Hybrid Systems.

The term hybrid system refers to a dynamic system exhibiting both discrete transitions, similar tothose of a finite automaton, and continuous dynamics, similar to a classical dynamic system. Introducedin computer science in the 90s as a natural generalization of timed automata, hybrid systems are attractingnew interest under the label of cyber-physical systems, as they are suited to represent the interactionbetween a digital device and a set of physical sensors and actuators. Moreover, they provide a rareopportunity to work at the boundary of several disciplines with very different origins and techniques, suchas computer science, game theory, the theory of dynamic systems, and control theory and engineering.This tutorial will provide an introduction to the theory of automatic analysis and controller synthesis forhybrid automata (HAs), the most common syntactic form of hybrid systems which is used in computerscience.

First, we will familiarize with hybrid automata by considering some classical examples of real-worldsystems that can be represented by them. Then, we will formally introduce several classes of hybridautomata, discussing their expressive power and the decidability status of their reachability problem [8].We will consider models sitting on both sides of the decidability threshold but close to it, such as:rectangular HA [7], linear HA [2], o-minimal HA [6], and the recently proposed multi-mode systems [1].We will mention symbolic analysis techniques belonging to three different categories:

1. Exact algorithms based on finite-state abstractions; these techniques compute a finite-state systemthat is bisimilar to the the given HA, analogously to the region construction for timed automata.

2. Exact, possibly non-terminating algorithms based on finitary abstractions. When a finite-stateabstraction for the whole system does not exist, it may still be possible to establish a finite rep-resentation (such as polyhedra) for infinite sets of configurations and then exactly compute theeffect of the passage of time and the occurrence of discrete transitions. This type of technique isalso called symbolic simulation (or execution). If symbolic simulation reaches a fixed point andterminates, it provides an exact characterization of the set of reachable configurations.

3. Approximate, possibly non-terminating algorithms based on finitary abstractions. Similar to Cate-gory 2, except that computation of the timed successors is approximate, usually due to the complexdynamics of the given HA.

In the last part of the tutorial we will introduce hybrid games, i.e., HAs whose transitions are par-titioned into controllable and uncontrollable, and concern ourselves with the problem of synthesizing aswitching controller that achieves a given safety [5] or reachability goal [4]. A switching controller is

56

2 M. Faella

a control strategy that chooses if and when controllable transitions should be taken, whereas it cannotdirectly influence the continuous dynamics of the system.

The tutorial assumes only basic knowledge of automata theory and calculus. Some knowledge ofdynamic systems and timed automata would be beneficial. A wide perspective on the area is provided bytwo recent books [9, 11]. Other suggested readings include [10] and [3].

References[1] R. Alur, V. Forejt, S. Moarref, and A. Trivedi. Safe schedulability of bounded-rate multi-mode systems. In

HSCC, pages 243–252, 2013.[2] R. Alur, T.A. Henzinger, and P.-H. Ho. Automatic symbolic verification of embedded systems. IEEE Trans.

Softw. Eng., 22:181–201, March 1996.[3] Rajeev Alur. Can we verify cyber-physical systems?: technical perspective. Commun. ACM, 56(10):96,

2013.[4] M. Benerecetti, M. Faella, and S. Minopoli. Reachability games for linear hybrid systems. In HSCC 12:

Hybrid Systems Computation and Control. 15th Int. Conf., pages 65–74. ACM, 2012.[5] M. Benerecetti, M. Faella, and S. Minopoli. Automatic synthesis of switching controllers for linear hybrid

systems: Safety control. Theoretical Computer Science, 493:116–138, 2013.[6] T. Brihaye and C. Michaux. On the expressiveness and decidability of o-minimal hybrid systems. J. Complex.,

21(4):447–478, August 2005. Supplemented by a Corrigendum in vol.22.[7] T.A. Henzinger, B. Horowitz, and R. Majumdar. Rectangular hybrid games. In CONCUR 99: Concurrency

Theory. 10th Int. Conf., volume 1664 of Lect. Notes in Comp. Sci., pages 320–335. Springer, 1999.[8] T.A. Henzinger, P.W. Kopke, A. Puri, and P. Varaiya. What’s decidable about hybrid automata? J. of

Computer and System Sciences, 57(1):94 – 124, 1998.[9] J. Lunze and F. Lamnabhi-Lagarrigue. Handbook of Hybrid Systems Control – Theory, Tools, Applications.

Cambridge University Press, Cambridge, UK, 2009.[10] O. Maler. Control from computer science. Annual Reviews in Control, 26(2):175–187, 2002.[11] P. Tabuada. Verification and Control of Hybrid Systems - A Symbolic Approach. Springer, 2009.

57

Specification and Evaluation of Markov Models

Holger HermannsSaarland University – Computer Science

Saarbrucken, Germany

AbstractCompositional model construction and model checking are two aspects of a modern strategy to

guarantee correctness of system design. In the era of power-aware, wireless and distributed systems,correctness guarantees for such systems must become quantifiable. Instead of guaranteeing that asystem is performing the expected tasks, we are ultimately interested in guaranteeing that the systemperforms its task within a given time bound and with (energy) costs within a given limit. Or better:that the probability thereof is above a given threshold. In this tutorial I paint the landscape of be-havioural models for probability, time, and cost, with a mild focus on concurrent Markov models andprocess calculi. I discuss foundational and practical aspects of compositional modelling and modelchecking such systems.

The tutorial is divided into three principal parts.• The first part discusses compositional construction of probabilistic models. We start off with a

review of modelling principles for concurrent systems based on labelled transition systems (LTS).We then discuss how to add simple probabilistic experiments to this model, and learn about twopossible options: (Discrete-time) Markov chains change the nature of the LTS model, while prob-abilistic automata provide a conservative extension of LTS and the underlying compositional the-ory. We then turn our attention to probabilistic experiments in continous time, as they appear incontinuos-time Markov chains. Again, we discuss two possible options: Changing the nature ofthe LTS model, or extending it in a conservative fashion. The latter gives rise to the model ofinteractive Markov chains.

• The second part discusses algorithmic aspects of model checking for probabilistic extensions of thetemporal logic CTL, for the four models introduced above. We first look at discrete-time Markovchains, then probabilistic automata, focussing on the logic PCTL. We then turn our attention toCSL model checking of continuous-time Markov chains and interactive Markov chains.

• In the third part we will learn about extensions of the principal models, and about a selection ofinteresting applications. We first look at extensions with costs or rewards enabling us to reasonabout consumption of energy or other ressources. We also discuss what can be gained by addingthe notion of clocks, as in timed automata, to probabilistic automata. We further address the statusof basic and advanced tool support for the entire modelling spectrum presented.

The principal background literature for this tutorial is [1], available here with some typos corrected.

References[1] H. Hermanns and L. Zhang. From Concurrency Models to Numbers – Performance and Dependability. In

M. Broy, C. Leuxner, and T. Hoare, editors, Software and Systems Safety - Specification and Verification,volume 30 of NATO Science for Peace and Security Series - D: Information and Communication Security,pages 182–210. IOS Press, 2011.

58

Logic and Verification

Joost-Pieter Katoen

Software Modelling and Verification, RWTH Aachen University, GermanyFormal Methods and Tools, University of Twente, The Netherlands

In this lecture, we will present the basic model-checking algorithms for linear temporal logic (LTL)and computation tree logic (CTL). We start with some elementary ingredients such as automata on infinitewords and the basics of temporal logic, and present the automaton-based LTL model checking algorithmby Wolper and Vardi. This algorithm is based on a product construction of a transition system – thesystem under consideration – and a Buchi automaton for the negated property to be checked. LTLmodel checking then reduces to checking persistence properties on this product. It is shown how anested depth-first search algorithm can be exploited to check persistence properties with a linear-timecomplexity. The number of states in the Buchi automaton can be exponential in the size of the LTL-formula. This exponential blow-up cannot be avoided as LTL model checking is PSPACE-complete. ForCTL model checking, we present the polynomial-time algorithm by Clarke and Emerson that is based ona fixed-point characterisation for CTL. This algorithm is a simple recursive descent over the parse treeof the CTL formula. If possible, we will show how CTL and LTL model checking can be extended withfairness constraints and how this affects the time complexity.

59

Concurrent Systems

Maciej KoutnySchool of Computing Science, Newcastle University

Newcastle upon Tyne, United [email protected]

AbstractConcurrent systems are a focus of investigation in nearly all areas of computer science research.

Examples include operating systems, multi-threaded software, asynchronous VLSI hardware, dis-tributed systems, multi-core processors, network protocols, and biological systems. A common fea-ture of such systems is the presence of several simultaneously executed interacting computationalprocesses. As a result, the number of possible execution paths as well as reachable states generatedby the system can be huge — the phenomenon usually referred to as the combinatorial state-spaceexplosion — making the reasoning about their behavioural properties extremely hard. To addressthis problem, a number of formal models have been proposed aimed at capturing the fundamentalfeatures of concurrent systems, starting with the seminal work on Petri Nets published by Carl AdamPetri in 1962. In the years that followed, a wide range of formalisms, semantics, and techniques havebeen developed aimed at the modelling and analysis of concurrent system, including process algebrasand temporal logics.

This tutorial will discuss different system and execution models using which concurrent systemsfound in typical application domains can be described, and compare their essential features. Thepresentation will also outline some basic methods which can be used to reason about concurrentsystems and cope with the state-space explosion, and an effective technique which can be employedto construct concurrent systems from their behavioural specifications.

60

Probabilistic Real-time Systems

David ParkerSchool of Computer Science, University of Birmingham

[email protected]

AbstractProbabilistic model checking is a formal verification technique for systems that exhibit stochastic

behaviour. It has been used to analyse a wide range of systems, including communication protocols,such as Bluetooth and FireWire, randomised security protocols, e.g. for anonymity and contractsigning, and many others. Often, it is also important to consider real-time aspects of the behaviourof such systems. This talk will give an introduction to verification techniques for probabilistic real-time systems, which can be modelled as probabilistic timed automata (PTAs). The talk will outlinesome of the underlying theory, introduce a variety of practical verification techniques for PTAs, andillustrate these ideas with a selection of case studies of probabilistic real-time systems that have beenanalysed with the probabilistic model checker PRISM.

Background Reading

• For a survey/tutorial on verification of probabilistic timed automata, see [4].

• For tutorial papers on verification techniques for other classes of probabilistic models, see forexample [2], which focuses on (discrete- and continuous-time) Markov chains, and [1], whichfocuses on Markov decision processes and probabilistic automata.

• For a short overview of PRISM, see [3]. For downloads, tutorials, case studies and more, seehttp://www.prismmodelchecker.org/.

References[1] V. Forejt, M. Kwiatkowska, G. Norman, and D. Parker. Automated verification techniques for probabilistic

systems. In M. Bernardo and V. Issarny, editors, Formal Methods for Eternal Networked Software Systems(SFM’11), volume 6659 of LNCS, pages 53–113. Springer, 2011.http://www.prismmodelchecker.org/bibitem.php?key=FKNP11.

[2] M. Kwiatkowska, G. Norman, and D. Parker. Stochastic model checking. In M. Bernardo and J. Hillston,editors, Formal Methods for the Design of Computer, Communication and Software Systems: PerformanceEvaluation (SFM’07), volume 4486 of LNCS (Tutorial Volume), pages 220–270. Springer, 2007.http://www.prismmodelchecker.org/bibitem.php?key=KNP07a.

[3] M. Kwiatkowska, G. Norman, and D. Parker. PRISM 4.0: Verification of probabilistic real-time systems. InG. Gopalakrishnan and S. Qadeer, editors, Proc. 23rd International Conference on Computer Aided Verifica-tion (CAV’11), volume 6806 of LNCS, pages 585–591. Springer, 2011.http://www.prismmodelchecker.org/bibitem.php?key=KNP11.

[4] Gethin Norman, David Parker, and Jeremy Sproston. Model checking for probabilistic timed automata. FormalMethods in System Design, 43(2):164–190, 2013.http://www.prismmodelchecker.org/bibitem.php?key=NPS13.

61

Quantitative Games

Jean-Francois RaskinUniversite Libre de Bruxelles, Belgium

1 Content of the talk

In the first half of this talk, I will present mean-payoff games [6] and energy games [1] that are twoclassical zero-sum two-player quantitative games played on weighted graphs. I will show that thosegames are determined using elementary arguments and that energy games and mean-payoff games areinter-reductiable. Then I will present a fixpoint algorithm to solve energy games [2], the complexityof this algorithm is pseudo-polynomial. Starting from properties of this algorithm, I will develop anargument that establishes that energy and mean-payoff games can be played optimally with memorylessstrategies by both players. This implies that those two games are decidable in NP∩ coNP.

In the second half of this talk, I will present several extensions of energy and mean-payoff games:

• first, I will study mean-payoff and energy games extended with a parity condition [5, 3]. To playoptimally in those games the protagonist needs infinite memory in the case of mean-payoff paritygames and pseudo-polynomial memory in the case of energy parity games. Despite the need formemory full strategies, those games can also be decided in NP∩ coNP.

• second, I will study generalised energy and mean-payoff games that are multi-dimensional exten-sions of classical mean-payoff and energy games [4, 8]. I will show that players need memoryto play optimally in those games. I will characterise the complexity of decision problems forthose games and show how to generalise the fixpoint algorithm for energy games to the multi-dimensional case.

• finally, I will present results about interval mean-payoff games [7]. While in a classical mean-payoff games, one player tries to maximise the mean-payoff of the weight of edges traversed duringthe game, in interval mean-payoff games we consider the more general problem of determining ifa player can attain a mean value in a finite union of arbitrary intervals (while the adversary tries toobtain a value outside of these intervals).

References

[1] Patricia Bouyer, Ulrich Fahrenberg, Kim Guldstrand Larsen, Nicolas Markey, and Jirı Srba. Infinite runs inweighted timed automata with energy constraints. In FORMATS, volume 5215 of Lecture Notes in ComputerScience. Springer, 2008.

[2] Lubos Brim, Jakub Chaloupka, Laurent Doyen, Raffaella Gentilini, and Jean-Francois Raskin. Faster algo-rithms for mean-payoff games. Formal Methods in System Design, 38(2):97–118, 2011.

[3] K. Chatterjee and L. Doyen. Energy parity games. In Proc. of ICALP, volume 6199 of LNCS, pages 599–610.Springer, 2010.

62

2 Please define \authorrunning

[4] Krishnendu Chatterjee, Laurent Doyen, Thomas A. Henzinger, and Jean-Francois Raskin. Generalized mean-payoff and energy games. In FSTTCS, volume 8 of LIPIcs. Schloss Dagstuhl - Leibniz-Zentrum fuer Infor-matik, 2010.

[5] Krishnendu Chatterjee, Thomas A. Henzinger, and Marcin Jurdzinski. Mean-payoff parity games. In LICS.IEEE Computer Society, 2005.

[6] A. Ehrenfeucht and J. Mycielski. Positional strategies for mean payoff games. Int. Journal of Game Theory,8(2):109–113, 1979.

[7] Paul Hunter and Jean-Francois Raskin. Quantitative games with interval objectives. CoRR, abs/1404.4856,2014.

[8] Yaron Velner, Krishnendu Chatterjee, Laurent Doyen, Thomas A. Henzinger, Alexander Rabinovich, andJean-Francois Raskin. The complexity of multi-mean-payoff and multi-energy games. CoRR, abs/1209.3234,2012.

63

Robustness of Timed Systems

Pierre-Alain ReynierLIF, Universite d’Aix-Marseille & CNRS, France

[email protected]

AbstractFormalisms used to model real-time systems include (networks of) timed automata and timed

extensions of Petri nets. Timing perturbations are inherent in real-time systems, and can be due tomeasuring errors, imprecise clocks, non-instantaneous communications... They result in unexpectedshorter or longer execution times. A real-time system robustly satisfies a property whenever thisproperty holds in presence of small enough timing perturbations.

Above mentioned formalisms are mathematical idealizations in which these timing perturbationsare completely ignored. To take them into account, we will focus on the perturbation model of guardenlargment. This model allows to ensure the existence of a correct implementation of the system,thus bridging the gap between the mathematical idealization and the finite-precision hardware. Wewill present several recent results, including robust model-checking and robust controller synthesis,both for timed automata and time Petri nets.

1 Motivations

Timed automata [4] and time Petri nets [17] are widely used for modelling real-time systems. Theseformalisms extend discrete-time models with dense-time variables, and algorithms and tools exist formodel-checking these models against temporal logics.

The semantics of these models involves continuous variables, and relies on mathematical idealiza-tions of the real-time systems. In particular, it assumes, for instance, perfect clocks for arbitrarily precisetime measures, and instantaneous actions. The correctness of a model may thus depend on these unre-alistic assumptions. As a consequence, given a model whose correctness has been proved w.r.t. someproperty, it may be impossible to build a concrete implementation which satisfies the desired property.Similarly, a synthesized controller may not be realisable on a real hardware, for instance if it should takedecisions faster and faster.

In order to bridge the gap between mathematical formalisms and real implementations of them, dif-ferent approaches have been proposed which study robustness oftimed systems,i.e. their tolerance toinfinitesimal timing perturbations. In this paper, we will focus on the model of guard enlargement [20],which is theoretically appealing and allows to ensure the implementability of the model.Initially consid-ered for timed automata, we will first describe these results, and then present results obtained for othermodels, such as time Petri nets.

2 Timed automata

We start with a short (and incomplete) presentation of timed automata. Due to lackof space, we do notgive a detailed presentation of the semantics of timed automata, and refer the reader to [5] for instance.

This work was partly supported by ANR projects ECSPER (ANR-2009-JCJC-0069) and ImpRo (ANR-2010-BLAN-0317)and by the European project Cassting (FP7-ICT-601148).

64

ℓ0 ℓ1

a,x≤ 1

a,x≥ 1

(a)

ℓ0 ℓ1 ℓ2

a,x≥ 1

a,x≥ 1

a,x≥ 1

(b)

Figure 1: On the left, a timed automaton exhibiting so-called Zeno behaviours. On the right, a timedautomaton from [20] in which, for any positive timing perturbations, locationℓ2 is reachable.

A timed automatonA over some alphabetΣ is a tuple(L ,C , ℓ0,E), whereL is a finite set of locations,C is a finite set of clocks,ℓ0 ∈ L is the initial location andE is a finite set of edges. Formally, an edgee= (ℓ,g,a,R, ℓ′) ∈ E is given by a source and a target locationℓ andℓ′, a labela∈ Σ, a set of clocksRthat should be reset to zero when the edge is taken, and a clock constraint g, given as a conjunction ofupper and lower bounds on elements ofC .

To illustrate the robustness issues in timed automata, we consider two examples, depicted on Figure 1.On the left, the objective is to check whether or not it is possible to stay forever in the left location.Actually, considering infinite executions and as clockx is never reset, this is possible if and only if aninfinitely manya’s are executed within one time unit. Such behaviours, often called Zeno behaviours, arewell-known unexpected behaviours of mathematical formalisms. More involved examples do exist, asone presented in [10], which has finitely many actions in any finite amount of time, but requires that thedelays between two actions converge towards zero when global time diverges, which is another exampleof behaviour that any real device is unable to implement.

Several works have considered robustness issues for timed automata. Our aim is not to give anexhaustive list, but to survey the main directions that have been considered:

• In [14], Henzinger et al consider a topological definition whose aim wasto obtain decidability oflanguage inclusion, but this problem remains undecidable.

• The present paper studies a parametric semantics based on guard enlargement. The first work onthis semantics is due to Puri [20], which studied a related parametric semantics based on drifts ofclocks. More details will be given in the rest of the paper.

• Other works are related to discretization of timed automata [15, 18] or study thesemantics underan unknown sampling rate [10, 1]. The goal here is to synthesize a samplingparameter underwhich some property holds, this is related to the implementability using digital clocks,but notdirectly to tolerance against imprecisions.

• An approach based on modelization is proposed in [3]. The issues of implementability are ex-pressed directly in the model, resulting in larger models.

3 Robustness analysis using guard enlargement

Given a timed automatonA , we denote byAδ the timed automaton obtained by enlarging its guardsby the parameterδ , i.e. replacing every upper boundx≤ b (resp. lower bounda≤ x) by the constraintx≤ b+δ (resp.a−δ ≤ x). Considering only non-negative values forδ , it is obvious that every behaviourin A also exists inAδ .

We consider in the sequel linear-time properties which can be anyω-regular properties, or even timedproperties such as those expressed in the logic MTL.

265

Definition 1 (Robust Model-Checking). Given a linear-time propertyϕ and a timed automatonA , de-cide whether there existsδ0 > 0 such that all executions inAδ0

satisfy propertyϕ . If this holds, then wesay thatA robustly satisfiesϕ , and thatδ0 is a witness of this satisfaction.

It is easy to observe that given two valueδ1 ≤ δ2, the set of runs ofAδ1is included in that ofAδ2

. Asa consequence, ifA robustly satisfiesϕ and ifδ0 is a witness, then, for everyδ ′

0 ∈ [0,δ0], it holds that allthe executions inAδ ′

0satisfy propertyϕ . This property can be understood as a “faster is better” property.

Relation to implementability The objective of robustness analysis is to guarantee the existence ofa correct implementation of the model. In [13], it is shown that wheneverA robustly satisfies somepropertyϕ , then this ensures the implementability ofA . In addition, two real characteristics of theplatform of execution, namely the precision of the digital clocks and the speed of the processor, aredirectly related to the witnessδ0 of the robust satisfaction ofA w.r.t. ϕ . The faster-is-better propertystates here that whenever the execution ofA is correct with some resources (precision, speed), then itwill remain correct for higher resources.

As a consequence, the following road map can be considered for the development of correct imple-mentations of real-time systems:

1. Perform the robust model-checking ofA againstϕ

2. Identify some witnessδ0

3. ImplementA , with constraints on the resources of the execution platform depending onδ0

Note that for many kind of properties, points 1. and 2. are obtained simultaneously. We will presentexisting results in the next section.

4 Existing results for timed automata

Robust Model-Checking Verifying that Aδ0satisfies some property for some fixedδ0 is a standard

model-checking problem. The robust model-checking problem we have presented is related to parametrictimed automata, which are known to be undecidable. In our context, the particular introduction of theparameter, and the monotonicity it induces in the model, allows one to preserve decidability.

We recap in the following theorem the main results known concerning the robustness analysis. Wesay that a timed automaton has progress cycles whenever all cycles reseteach clock at least once.

Theorem 2 ([12, 6, 8, 7]). Robust model-checking of safety, Buchi, LTL properties for closed timedautomata is PSPACE-complete. Robust model-checking of coFlatMTL (a fragment of MTL) for closedtimed automata with progress cycles is EXPSPACE-complete.

For all those results, a witnessδ0 can be derived. The natural problem of the computation of thelargest value ofδ for which the result holds has been considered in [16] for the class of flat timedautomata w.r.t. safety objectives.

Shrinkability Another approach has been proposed in [22]. It consists in deciding asufficient con-dition for the implementability of a timed automatonA . It can intuitively be stated as follows: is itpossible to shrink the guards ofA while preserving the behaviours of the timed automaton ?

If such a shrinking exists, then one can prove that it can be implemented in such a way that thisimplementation is non-blocking and preserves all time-abstract behaviours of A .

The operation of shrinking is the dual of that of enlarging guards.

366

Theorem 3 ([22]). For closed non-blocking timed automata, non-blocking-shrinkability is decidable inPSPACE.

In addition, this approach is supported by a tool [21] called Shrinktech which is available online.Some benchmarks are given in [21].

Robust Controller Synthesis In order to model controller synthesis problems for real-time systems,a two-player game is often defined on timed automata. Controller suggests delays and actions, and theenvironment answers by resolving the non-determinism associated with actions, and sometimes may alsochoose to execute some uncontrollable action. This game formulation is well-known and has been widelystudied in the “exact” framework. There has been recently important progress done to handle robustnessissues in this context.

In order to lift the game formulation to the context of robustness, we will allow the environment tomodify the delay proposed by the controller using some perturbation chosenin the interval[−δ ,δ ]. Fora fixed value ofδ , this defines a two player game, denotedGδ (A ). The resulting robust game consistsin deciding the existence of a positive value ofδ for which controller wins the gameGδ (A ). Intuitively,the strategy of the controller should thus be tolerant to some imprecisions, which exactly corresponds tothe desired property of being robust.

The gameGδ (A ) has been studied for a fixed value ofδ in [11]. The parametric case has beensolved for deterministic timed automata in [23] and more recently for the full classof timed automata:

Theorem 4([19]). For timed automata, the robust controller synthesis is EXPTIME-complete.

An alternative semantics has been considered in [9] which imposes less restrictions on the actionsproposed by the controller. On the other hand, only reachability objectives are studied in this work.

5 Robustness of time Petri nets

Most of real-time systems are distributed by nature. Thus, in practice, systems are often modelled usingnetworks of timed automata. An alternative formalism is that of time Petri nets. Whilebounded timedPetri nets can be translated into timed automata, this does not hold for generaltime Petri nets. In addition,the clock mechanism of time Petri nets is quite different from that of timed automata.

We have considered robustness issues in time Petri nets in [2], and studiedto what extent resultsknown for timed automata can be transferred to this model. The robust model checking of the mostsimple properties (preservation of the set of reachable markings) is undecidable in general. On the otherhand, we have identified decidable subclasses for which different properties have a decidable robustsatisfaction.

6 Perspectives

The most relevant theoretical perspectives concern robust controller synthesis. In this setting, it wouldbe very interesting to extend our results to the presence of uncontrollable actions, and to the setting ofconcurrent timed games.

One can observe that the theoretical complexities of the problems presentedcoincide with those ofthe corresponding “non-robust” problems. However, while symbolic andefficient algorithms have beenproposed in the “exact” setting, there is an important lack of such approaches for robust model checkingand robust controller synthesis. It is thus a major challenge to make progress in this direction in order todevelop the practical impact of robustness.

467

References

[1] Parosh Abdulla, Pavel Krcal, and Wang Yi. Sampled semantics of timed automata.Logical Methods inComputer Science, 6(3:14), 2010.

[2] S. Akshay, Loic Helouet, Claude Jard, and Pierre-Alain Reynier.Robustness of time petri nets under guard enlargement. InRP’12, LNCS 7550, p. 92–106. Springer,2012.

[3] Karine Altisen and Stavros Tripakis. Implementation oftimed automata: An issue of semantics or modeling?In FORMATS’05, LNCS 3829, p. 273–288. Springer, 2005.

[4] Rajeev Alur and David L. Dill. A theory of timed automata.Theoretical Computer Science, 126(2):183–235,1994.

[5] Patricia Bouyer and Franois Laroussinie.Modeling and Verification of Real-Time Systems, chapter Model-Checking Timed Automata, p. 111–140. ISTE Ltd - John Wiley and Sons Ltd, 2008.

[6] Patricia Bouyer, Nicolas Markey, and Pierre-Alain Reynier. Robust model-checking of linear-time propertiesin timed automata. In LATIN’06, LNCS 3887, p. 238–249. Springer, 2006.

[7] Patricia Bouyer, Nicolas Markey, and Pierre-Alain Reynier. Robust analysis of timed automata via channelmachines. In FoSSaCS’08, LNCS 4962, p. 157–171. Springer, 2008.

[8] Patricia Bouyer, Nicolas Markey, and Ocan Sankur. Robust model-checking of timed automata via pumpingin channel machines. In FORMATS’11, LNCS 6919, p. 97–112. Springer, September 2011.

[9] Patricia Bouyer, Nicolas Markey, and Ocan Sankur. Robust reachability in timed automata: A game-basedapproach. In ICALP’12, LNCS 7392, p. 128–140. Springer, 2012.

[10] Franck Cassez, Thomas A. Henzinger, and Jean-Francois Raskin. A comparison of control problems fortimed and hybrid systems. In HSCC’02, LNCS 2289, p. 134–148.Springer, 2002.

[11] Krishnendu Chatterjee, Thomas A. Henzinger, and Vinayak S. Prabhu. Timed parity games: Complexity androbustness.Logical Methods in Computer Science, 7(4), 2011.

[12] Martin De Wulf, Laurent Doyen, Nicolas Markey, and Jean-Francois Raskin. Robust safety of timed automata.Formal Methods in System Design, 33(1-3):45–84, 2008.

[13] Martin De Wulf, Laurent Doyen, and Jean-Francois Raskin. Almost ASAP semantics: From timed modelsto timed implementations.Formal Aspects of Computing, 17(3):319–341, 2005.

[14] Vineet Gupta, Thomas A. Henzinger, and Radha Jagadeesan. Robust timed automata. In HART’97, LNCS1201, p. 331–345. Springer, 1997.

[15] T. A. Henzinger, Z. Manna, and A. Pnueli. What good are digital clocks? InICALP’92, LNCS, number 623in LNCS, p. 545–558. Springer, 1992.

[16] Remi Jaubert and Pierre-Alain Reynier. Quantitative robustness analysis of flat timed automata. In FOS-SACS’11, LNCS 6604, p. 229–244. Springer, 2011.

[17] Philip M. Merlin. A Study of the Recoverability of Computing Systems. PhD thesis, University of California,Irvine, CA, USA, 1974.

[18] Joel Ouaknine and James Worrell. Revisiting digitization, robustness, and decidability for timed automata.In LICS’03, p. 198–207. IEEE Comp. Soc. Press, June 2003.

[19] Youssouf Oualhadj, Pierre-Alain Reynier, and Ocan Sankur. Probabilistic robust timed games. InCON-CUR’14, LNCS, LNCS. Springer, 2014. To appear.

[20] Anuj Puri. Dynamical properties of timed automata.Discrete Event Dynamic Systems, 10(1-2):87–113, 2000.

[21] Ocan Sankur. Shrinktech: A tool for the robustness analysis of timed automata. InCAV’13, LNCS 8044, p.1006–1012. Springer, 2013.

[22] Ocan Sankur, Patricia Bouyer, and Nicolas Markey. Shrinking timed automata. In FSTTCS’11, LIPIcs 13, p.375–386. Leibniz-Zentrum fur Informatik, 2011.

[23] Ocan Sankur, Patricia Bouyer, Nicolas Markey, and Pierre-Alain Reynier. Robust controller synthesis intimed automata. In CONCUR’13, LNCS 8052, p. 546–560. Springer, 2013.

568

Beautiful games you cannot stop playing

Sven ScheweUniversity of Liverpool

Liverpool, [email protected]

AbstractThe presentation has two main parts: a first part, beautiful games you cannot stop playing, in

which we will enjoy the world of finite two player games of infinite duration, and a second part onsynthesis.

Beautiful games you cannot stop playing. Parity games are simple two player games played ona finite arena that have all that it takes to attract the attention of researchers: it is a simple problemwhich is hard to analyse – a pocket version of P vs. NP. Parity games are known to be in UP, CoUP,and some weirder classes besides, but whether or not they are in P has proven to be a rather elusivequestion. What is more, when you work with them, you will have the constant feeling that there is apolynomial time solution just around the corner, although it dissolves into nothingness when you lookmore closely. This talk is about the beauty of these games, the relevant algorithmic approaches andtheir complexity and development over time. But be careful: they are addictive, don’t get hooked!

Synthesis. In this part, we will look how to exploit these beautiful games for the laziest way ofcreating a programme – by pressing a button.

1 Beautiful games you cannot stop playing

Parity games have many applications in model checking [Koz83, EJS93, dAHM01, AHK02, Wil01,KV97a] and synthesis [Wil01, Koz83, Var98, SF06a, Pit07, Sch09, SF06b]. In particular, modal andalternating-time µ-calculus model checking [Wil01, AHK02], synthesis [SF06b, Pit07, Sch09] and sat-isfiability checking [Wil01, Koz83, Var98, SF06a] for reactive systems, module checking [KV97a], andATL* model checking [dAHM01, AHK02] can be reduced to solving parity games. This relevance ofparity games led to a series of different approaches to solving them [McN93, EL86, Lud95, Pur95, ZP96,BCJ+97, Zie98, Jur98, Jur00, VJ00, Obd03, Lan05, BDHK06, BV07, JPZ08, FS13].

The complexity of solving parity games is still an open problem. All current deterministic algorithmshave complexity bounds which are (at least) exponential in the number of colours [McN93, EL86, ZP96,BCJ+97, Zie98, Jur00, BV07] (nO(c)), or in the square-root of the number of game positions [Lud95,JPZ08, BV07] (approximately nO(

√n)).

We look at the development of the complexity, starting with reachability and safety, Buchi, andCoBuchi games for a warm up, and turn then to the elegant first algorithm in nO(c), [McN93, EL86,Zie98], which follows the iterated fixed point structure induced by the parity condition. The iterated

fixed point construction leads to a time complexity of O(

m(

nc +1

)c−1)for parity games with m edges,

c colours, and n game positions.The upper complexity bound for solving parity games was first reduced by Browne et al. [BCJ+97]

to O(

m(

2nc

)d0.5ce+1), and slightly further by Jurdzinski [Jur00] to O

(cm( n

b0.5cc)b0.5cc).

69

The weakness of recursive algorithms that follow the iterated fixed point structure [McN93, EL86,Zie98] is the potentially incremental update achieved by each recursive call. We take a de-tour through aclever big-step approach [JPZ08] that reduces the complexity of McNaughton’s algorithm for games witha high number of colours (c ∈ ω(

√n)) to the bound nO(

√n) known from randomized algorithms [Lud95,

BV07], and then look at the fusion of all of these techniques [Sch07, Sch08b] that roughly provides ann

13 c bound.

From a practical point of view, strategy improvement algorithms are an interesting alternative,and there was some belief that they might be polynomial, until Friedmann shattered this belief[Fri11a, Fri11b, Fri13]. If time allows, we can look at one or two of them [Lud95, Pur95, VJ00, BV07,Sch08a, Fea10], and maybe on Friedmann’s hardness proofs.

It is also interesting to note, that these games become simple when other parameters, like tree width,DAG width, or entanglement are bounded [Obd03, BDHK06, BG04, FS13]. In case of tree width, theyare even in NC2 [FS13], which unfortunately seems to be a good broad hint that this is not the directionto look at in the quest for polynomial time algorithms.

2 Games in Synthesis

Synthesis of reactive systems is a research direction inspired by Church’s realisability problem [Chu63].It focuses on systems that receive a constant stream of inputs from an environment, and must, for eachinput, produce some output. Specifically, we are given a logical specification that dictates how the systemmust react to the inputs, and we must construct a system that satisfies the specification for all possibleinputs that the environment could provide.

While the verification problem [CCG+02, Hol97] (the validation or refutation of the correctnessof such a system) has gained many algorithmic solutions and various successful tools, the synthesisproblem [Ehl11, FJR09, GJTV11, PPS06, SLTB+06] has had fewer results.

We focus on the classical approach by Pnueli and Rosner [PR89a, KV99], which links synthesisto emptiness games of automata and the treatment of incomplete information [PR89b, PR90, KV97b,KV01, MT01, WM03, FS05, SF06b, LV09].

We will discuss why these approaches require determinisation [Saf88, MS95, Pit07, Sch09, SV12,SV14] and how the resulting automata can be simplified [KV05, FS12] with respect to their acceptancemechanism. For pleasure, we might look into a connection between complexity classes and the existenceof succinct control strategies [FPS12].

References

[AHK02] Rajeev Alur, Thomas A. Henzinger, and Orna Kupferman. Alternating-time temporal logic. Journalof the ACM, 49(5):672–713, 2002.

[BCJ+97] A. Browne, E. M. Clarke, S. Jha, D. E. Long, and W. Marrero. An improved algorithm for theevaluation of fixpoint expressions. Theoretical Computer Science, 178(1–2):237–255, 1997.

[BDHK06] Dietmar Berwanger, Anuj Dawar, Paul Hunter, and Stephan Kreutzer. Dag-width and parity games.In Proc. STACS, pages 524–436. Springer-Verlag, 2006.

[BG04] Dietmar Berwanger and Erich Gradel. Entanglement - a measure for the complexity of directed graphswith applications to logic and games. In Proc. of LPAR, pages 209–223. Springer, 2004.

[BV07] Henrik Bjorklund and Sergei Vorobyov. A combinatorial strongly subexponential strategy improve-ment algorithm for mean payoff games. Discrete Appl. Math., 155(2):210–229, 2007.

2

70

[CCG+02] Alessandro Cimatti, Edmund M. Clarke, Enrico Giunchiglia, Fausto Giunchiglia, Marco Pistore,Marco Roveri, Roberto Sebastiani, and Armando Tacchella. Nusmv 2: An opensource tool for sym-bolic model checking. In Proc. of CAV, volume 2404 of Lecture Notes in Computer Science, pages359–364. Springer, 2002.

[Chu63] Alonzo Church. Logic, arithmetic and automata. In Proc. 1962 Intl. Congr. Math., pages 23–25,Upsala, 1963.

[dAHM01] Luca de Alfaro, Thomas A. Henzinger, and Rupak Majumdar. From verification to control: Dynamicprograms for omega-regular objectives. In Proc. LICS, pages 279–290. IEEE Computer Society Press,June 2001.

[Ehl11] Rudiger Ehlers. Unbeast: Symbolic bounded synthesis. In Proceedings of the 17th InternationalConference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), volume6605 of Lecture Notes in Computer Science, pages 272–275. Springer-Verlag, 2011.

[EJS93] E. Allen Emerson, Charanjit S. Jutla, and A. Prasad Sistla. On model-checking for fragments ofµ-calculus. In CAV, pages 385–396, 1993.

[EL86] E. Allen Emerson and C. Lei. Efcient model checking in fragments of the propositional µ-calculus.In Proc. LICS, pages 267–278. IEEE Computer Society Press, 1986.

[Fea10] John Fearnley. Non-oblivious strategy improvement. In Proc. of LPAR, Lecture Notes in ComputerScience, pages 212–230, 2010.

[FJR09] Emmanuel Filiot, Naiyong Jin, and Jean-Francois Raskin. An antichain algorithm for LTL realiz-ability. In Proceedings of the 21st International Conference on Computer Aided Verification (CAV2009), June 26–July 2, Grenoble, France, volume 5643 of Lecture Notes in Computer Science, pages263–277. Springer-Verlag, 2009.

[FPS12] John Fearnley, Doron Peled, and Sven Schewe. Synthesis of succinct systems. In Proc. of ATVA,pages 208–222, 2012.

[Fri11a] Oliver Friedmann. An exponential lower bound for the latest deterministic strategy iteration algo-rithms. Logical Methods in Computer Science, 7(3), 2011.

[Fri11b] Oliver Friedmann. A subexponential lower bound for zadeh’s pivoting rule for solving linear programsand games. In Proc. of IPCO, Lecture Notes in Computer Science, pages 192–206, 2011.

[Fri13] Oliver Friedmann. A superpolynomial lower bound for strategy iteration based on snare memoriza-tion. Discrete Applied Mathematics, 161(10-11):1317–1337, 2013.

[FS05] Bernd Finkbeiner and Sven Schewe. Uniform distributed synthesis. In Proceedings of the 20th AnnualIEEE Symposium on Logic in Computer Science (LICS 2005), 26–29 June, Chicago, Illinois, USA,pages 321–330. IEEE Computer Society Press, 2005.

[FS12] Bernd Finkbeiner and Sven Schewe. Bounded synthesis. International Journal on Software Tools forTechnology Transfer, 15(5-6):519–539, 2012.

[FS13] John Fearnley and Sven Schewe. Time and parallelizability results for parity games with boundedtree and DAG width. Logical Methods in Computer Science, 2(6):1–31, 2013.

[GJTV11] Sumit Gulwani, Susmit Jha, Ashish Tiwari, and Ramarathnam Venkatesan. Synthesis of loop-freeprograms. In Proc. of PLDI, pages 62–73, 2011.

[Hol97] Gerard J. Holzmann. The model checker SPIN. Software Engineering, 23(5):279–295, 1997.[JPZ08] Marcin Jurdzinski, Mike Paterson, and Uri Zwick. A deterministic subexponential algorithm for

solving parity games. volume 38, pages 1519–1532, 2008.[Jur98] Marcin Jurdzinski. Deciding the winner in parity games is in UP ∩ co-UP. Information Processing

Letters, 68(3):119–124, November 1998.[Jur00] Marcin Jurdzinski. Small progress measures for solving parity games. volume 1770 of Lecture Notes

in Computer Science, pages 290–301. Springer, 2000.[Koz83] Dexter Kozen. Results on the propositional µ-calculus. Theor. Comput. Sci., 27:333–354, 1983.

3

71

[KV97a] O. Kupferman and M.Y. Vardi. Module checking revisited. In Proc. CAV, volume 1254 of LectureNotes in Computer Science, pages 36–47. Springer-Verlag, 1997.

[KV97b] Orna Kupferman and Moshe Y. Vardi. Synthesis with incomplete informatio. In Proc. ICTL, pages91–106, Manchester, July 1997.

[KV99] Orna Kupferman and Moshe Y. Vardi. Church’s problem revisited. The bulletin of Symbolic Logic,5(2):245–263, June 1999.

[KV01] Orna Kupferman and Moshe Y. Vardi. Synthesizing distributed systems. In Proceedings of the 16thAnnual IEEE Symposium on Logic in Computer Science (LICS 2001), 16–19 June, Boston, Mas-sachusetts, USA, pages 389–398. IEEE Computer Society Press, 2001.

[KV05] Orna Kupferman and Moshe Y. Vardi. Safraless decision procedures. In Proceedings 46th IEEESymposium on Foundations of Computer Science (FOCS 2005), 23–25 October, Pittsburgh, PA, USA,pages 531–540, 2005.

[Lan05] Martin Lange. Solving parity games by a reduction to SAT. In Proc. Int. Workshop on Games inDesign and Verification, 2005.

[Lud95] Walter Ludwig. A subexponential randomized algorithm for the simple stochastic game problem. Inf.Comput., 117(1):151–155, 1995.

[LV09] Yoad Lustig and Moshe Y. Vardi. Synthesis from component libraries. In Proceedings of the TwelfthInternational Conference on Foundations of Software Science and Computation Structures (FoSSaCS2009), 22–29 March, York, England, UK, volume 5504 of Lecture Notes in Computer Science, pages167–181. Springer-Verlag, 2009.

[McN93] Robert McNaughton. Infinite games played on finite graphs. Ann. Pure Appl. Logic, 65(2):149–184,1993.

[MS95] David E. Muller and Paul E. Schupp. Simulating alternating tree automata by nondeterministic au-tomata: new results and new proofs of the theorems of Rabin, McNaughton and Safra. TheoreticalComputer Science, 141(1-2):69–107, 1995.

[MT01] P. Madhusudan and P. S. Thiagarajan. Distributed controller synthesis for local specifications. In Pro-ceedings of the 28th International Colloquium on Automata, Languages and Programming (ICALP2001), 8–12 July, Crete, Greece, Lecture Notes in Computer Science, pages 396–407. Springer-Verlag, 2001.

[Obd03] J. Obdrzalek. Fast mu-calculus model checking when tree-width is bounded. In Proc. CAV, pages80–92. Springer-Verlag, 2003.

[Pit07] Nir Piterman. From nondeterministic Buchi and Streett automata to deterministic parity automata.Journal of Logical Methods in Computer Science, 3(3:5), 2007.

[PPS06] Nir Piterman, Amir Pnueli, and Yaniv Sa’ar. Synthesis of reactive(1) designs. In Proc. of VMCAI,pages 364–380, 2006.

[PR89a] Amir Pnueli and Roni Rosner. On the synthesis of a reactive module. In Proc. POPL, pages 179–190,New York, NY, USA, 1989. ACM Press.

[PR89b] Amir Pnueli and Roni Rosner. On the synthesis of an asynchronous reactive module. In Proceedingsof the 16th International Colloquium on Automata, Languages and Programming (ICALP 1998), 11–15 July, Stresa, Italy, volume 372 of Lecture Notes in Computer Science, pages 652–671. Springer-Verlag, 1989.

[PR90] Amir Pnueli and Roni Rosner. Distributed reactive systems are hard to synthesize. In Proceedings ofthe 31st Annual Symposium on Foundations of Computer Science (FOCS 1990), 22–24 October, St.Louis, Missouri, USA, pages 746–757. IEEE Computer Society Press, 1990.

[Pur95] Anuj Puri. Theory of hybrid systems and discrete event systems. PhD thesis, Computer ScienceDepartment, University of California, Berkeley, 1995.

4

72

[Saf88] Shmuel Safra. On the complexity of the ω-automata. In Proceedings of the 29th Annual Symposiumon Foundations of Computer Science (FOCS 1988), 24–26 October, White Plains, New York, USA,pages 319–327. IEEE Computer Society Press, 1988.

[Sch07] Sven Schewe. Solving parity games in big steps. In Proceedings of the 27th Conference on Founda-tions of Software Technology and Theoretical Computer Science (FSTTCS 2007), 12–14 December,New Delhi, India, volume 4805 of Lecture Notes in Computer Science, pages 449–460. Springer-Verlag, 2007.

[Sch08a] Sven Schewe. An optimal strategy improvement algorithm for solving parity and payoff games. InProceedings of the 17th Annual Conference of the European Association for Computer Science Logic(CSL 2008), 15–19 September, Bertinoro, Italy, volume 5213 of Lecture Notes in Computer Science,pages 368–383. Springer-Verlag, 2008.

[Sch08b] Sven Schewe. Synthesis of Distributed Systems. PhD thesis, Universitat des Saarlandes, 2008.[Sch09] Sven Schewe. Tighter bounds for the determinisation of Buchi automata. In Proceedings of the Twelfth

International Conference on Foundations of Software Science and Computation Structures (FoSSaCS2009), 22–29 March, York, England, UK, volume 5504 of Lecture Notes in Computer Science, pages167–181. Springer-Verlag, 2009.

[SF06a] Sven Schewe and Bernd Finkbeiner. Satisfiability and finite model property for the alternating-timeµ-calculus. In Proceedings of the 15th Annual Conference of the European Association for ComputerScience Logic (CSL 2006), 25–29 September, Szeged, Hungary, volume 4207 of Lecture Notes inComputer Science, pages 591–605. Springer-Verlag, 2006.

[SF06b] Sven Schewe and Bernd Finkbeiner. Synthesis of asynchronous systems. In Proceedings of the16th International Symposium on Logic-Based Program Synthesis and Transformation (LOPSTR2006), 12–14 July, Venice, Italy, volume 4407 of Lecture Notes in Computer Science, pages 127–142. Springer-Verlag, 2006.

[SLTB+06] Armando Solar-Lezama, Liviu Tancau, Rastislav Bodık, Sanjit A. Seshia, and Vijay A. Saraswat.Combinatorial sketching for finite programs. In Proc. of ASPLOS, pages 404–415, 2006.

[SV12] Sven Schewe and Thomas Varghese. Tight bounds for the determinisation and complementationof generalised Buchi automata. In Proceedings of the 10th International Symposium on AutomatedTechnology for Verification and Analysis (ATVA 2012), 3–6 October, Thiruvananthapuram, Kerala,India, volume 7561 of Lecture Notes in Computer Science, pages 42–56. Springer-Verlag, 2012.

[SV14] Sven Schewe and Thomas Varghese. Determinising parity automata. CoRR, abs/1401.5394, 2014.[Var98] Moshe Y. Vardi. Reasoning about the past with two-way automata. In Proc. ICALP, pages 628–641.

Springer-Verlag, 1998.[VJ00] Jens Voge and Marcin Jurdzinski. A discrete strategy improvement algorithm for solving parity games

(Extended abstract). In Proc. CAV, pages 202–215. Springer-Verlag, July 2000.[Wil01] Thomas Wilke. Alternating tree automata, parity games, and modal µ-calculus. Bull. Soc. Math.

Belg., 8(2), May 2001.[WM03] Igor Walukiewicz and Swarup Mohalik. Distributed games. In Proceedings of the 23rd Conference

on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2003), 15–17December, Bombay, Mumbai, India, volume 2914 of Lecture Notes in Computer Science, pages 338–351. Springer-Verlag, 2003.

[Zie98] Wieslaw Zielonka. Infinite games on finitely coloured graphs with applications to automata on infinitetrees. Theor. Comput. Sci., 200(1-2):135–183, 1998.

[ZP96] Uri Zwick and Mike Paterson. The complexity of mean payoff games on graphs. Theoretical Com-puter Science, 158(1–2):343–359, 1996.

5

73

74

Student sessions

75

Deadlock-freedom of component-based approach forscientific applications

Abderrahim Ait Wakrime∗

Univ. Orleans, INSA Centre Val de Loire,LIFO, EA 4022, F-45067, Orleans, France

[email protected]

AbstractComponent-based approaches are a programming paradigm well-suited to design complex appli-

cations. In particular, because of the separation of concerns they promote, they allow the building ofapplications made of very heterogeneous codes.

With this paradigm, developing an application consists in assembling many different componentswhich is a difficult task. Thus, it is important to design efficient tools to help the user to conceive hisapplication and to verify some properties as deadlock-freedom or liveness.

In this paper, we present ComSA a component-based approach for scientific applications and itsformalization in a particular class of FIFO nets called strict colored FIFO nets (sCFN). We presentalso our toolbox based on sCFN and in particular the analysis tools to detect deadlock and to constructa start condition of the ComSA applications.

1 Introduction

Nowadays, component-based approaches help to construct large-scale applications in many different do-mains [3, 10]. Scientific computing, including scientific visualization, is a domain which can benefitfrom component-based approaches since it requires applications that integrate very specific and sophisti-cated codes from different fields. In this sense, scientific workflows (e.g. [6]) are often component-basedapproaches.

The work presented in this paper takes place in the domain of interactive scientific visualization, i.e.scientific applications that include a simulation coupled with a real-time visualization as well as inter-action means allowing the user to interact with the simulation or the visualization. Such applicationsare made from different kinds of modules. They can be parallel codes for shared or distributed memorysystems or they can be sequential codes. Thus, modules can have very different behaviors: some can bevery slow, others can be very fast. Finally, the interactivity introduces performance constraints since theresult of an interaction should be quickly visible to the user so that he can understand what he does. Acomponent-based approach can help to resolve these constraints thanks to exogenous coordination. Inthis case, some connectors, which express very specific communication policies, are used to coordinatethe components when assembling them in an application [7]. For example, coupling a parallel simula-tion with a visualization can generate buffer overflows on the visualization. But it may be unnecessaryto render all the simulation results thus a connector based on a greedy policy can solve the problem.That is why the exogenous coordination needs to be precisely defined with connectors able to specifysynchronization policies taking into account the application specificity.∗This work is supported by the ANR project Exa-scalable visual analysis for life and materials sciences:

http://exaviz.simlab.ibpc.fr

76

2 A. Ait Wakrime

The ComSA component model, subject of this paper tends to meet the needs of interactive scientificvisualization applications. It can be implemented in frameworks like FlowVR [1] which is specificallydesigned to provide exogenous coordination that fits the constraints of such applications [4].

Building a ComSA application can be a difficult task especially for users who are not computerexperts. In addition, the assembly may contain deadlocks that prevent the proper application execution.

In this context, our goal is to provide a set of tools that helps to build the application and to analyzeit in order to detect deadlocks and to construct a correct start condition.

Petri nets are extensively used as formal models for concurrent systems. For the component-basedapproaches they are also frequently utilized because of their ability to analyze and verify properties,as in [2, 11] where the application behavior analysis and refinement are based on colored Petri nets.Moreover, they offer a simple graphical representation that can be used for simulation purposes.

In this paper, we present the ComSA component model for scientific applications. A formal seman-tics for ComSA is presented in terms of strict colored FIFO nets (sCFN) that are particular FIFO nets [5].sCFN can capture precisely the behavioral semantics of our model and they are used to verify some prop-erties of applications like liveness. Indeed, we are espacially interested in ensuring that applications donot contain deadlocks. This can be done by studying the place-liveness of sCFNs. The results we obtainallow us to define a start condition that ensure the liveness of a ComSA application.

2 ComSA Model

Our component model aims to design and develop interactive scientific visualization applications. Thisdomain imposes some particular constraints on applications such that high performance to ensure inter-activity.

2.1 Components

A component is a black-box that can be reused without access to the source code. It is composed of inputports and output ports which are the interfaces between it and the outside.Definition 1. A component is a quadruple C = (Id, pIn∪s, pOut ∪e,RI), where Id is its uniqueidentifier, pIn a set of typed input data ports, s an input triggering port, pOut a set of typed output dataports, e an output signal port and RI a subset of P(pIn)×P(pOut) called incidence relations.

For a component C, IdC, pInC, pOutC and RIC denotes respectively its identifier, input ports, outputports and its incidence relations. The component behavior is described by the incidence relations. Eachof them represents an operational mode of the component and can be likened to a specific service pro-vided by the component. An incidence relation is a couple r = 〈RIin,RIout〉 s.t. RIin ⊆ pInC is the set ofinput ports of r and RIout ⊆ pOutC the set of output ports of r. To specify that some incidence relationsneed to be triggered at the same time in an application, they are said bound. The Figure 1(a) representsan example of a component and its incidence relations r1, r2 and r3. The behavior of a component Cnamed wait-get-put is the following:• wait until at least one of its incidence relation is satisfied,

• get the data stored in the input ports of all satisfied incidence relations of C,

• put new data to the output ports of all satisfied incidence relations of C and emit a signal on theport e.

It is important to remark that at each iteration, all the satisfied incidence relations are triggered andall the corresponding results are produced.

77

Deadlock-freedom of component-based approach for scientific applications 3

(a) Example of a component andits incidence relations.

(b) The trigger connectors.

Figure 1: Incidence relations and connectors

2.2 Connectors and links

Assembling components to realize an application, consists in defining a communication schema allowingthe exchanges of data between the components. This schema is based on communication connectors incharge of the communication policy and on links.

Definition 2. A connector is a quadruple c = (Id,i,s,o, t) where Id is the identifier of c, i is aninput port, s a triggering input port, o an output port and t the type of the connector.

For a connector c, the notations Idc, pInc, pOutc and tc stand respectively for the identifier, the set ofinput ports, the set of output ports and the type of c. The behavior of a connector depends on its type.We defined three types of connectors. The first type is: sFIFO connector is a plain FIFO connection.To prevent overflows, the sender waits for a triggering signal on its s port usually sent by the receiver.The second type is: bBuffer and nbBuffer connectors keep their incoming messages and dispatch theoldest one when they receive a triggering signal on their s port. nbBuffer is the non-blocking variantof bBuffer i.e. it generates an empty message to the receiver when triggered while it has no messagewaiting. The last type is: bGreedy and nbGreedy connectors keep only the last message provided by thesender and send it when they receive a triggering signal on their s port. nbGreedy is the non-blockingvariant of the bGreedy connector.

Definition 3. A link is a pair 〈xp,yq〉 where x,y are components or connectors, p ∈ pOutx and q ∈ pIny.When, p 6= e, q 6= s and either x or y is a connector the link 〈xp,yq〉 is called a data link. When, p = e,q = s and x is a component, the link 〈xp,yq〉 is called a trigger link.

The links are used to connect components and connectors via their ports as shown in Figure 1(b).

2.3 Application graph

An application is described by a graph that connects the output ports to the input ports of components andconnectors. Thus, its vertices are the components and the connectors. Its edges are the links. Formally,an application App is defined by a graph (Comp

⋃Conn,Dl

⋃T l) where Comp is a set of components,

Conn a set of connectors, Dl a set of pairwise compatible data links and T l a set of trigger links. Foreach r ∈ RIC is said active if ∀p ∈ RIin(r)∃ l ∈ Dl and c ∈Conn s.t. l = 〈ci,Cp〉. If for each C ∈Comp∃r ∈ RIC s.t. r is active then the application App is said well-formed.

The Figure 2(a) illustrates an application graph for the scientific visualization of a molecular dy-namics simulation which is a small example extracted from the ExaviZ project involving more complexapplications. The illustrated application consists of several components and connectors. Thus Simulation

78

4 A. Ait Wakrime

G1

SimuF

Pos En

s

e

InteractionEvt

s

e

G2 B1

ForceGeneratorPos Evt

F Av

s

e

G3 G4 G5 G6

VisuAv F Pos En s

e

(a) Application graph example (only twotrigger links are represented for reasonsof clarity).

ts Pes

1

te

1

Ps1

Pe

1

tEvt

W=1

11

PF

Pit

xit +1 xit

tPos,Evt

W=2

1 1

xit +1xit〈xit ,mAv〉

PEvt

〈xEvt ,mEvt〉

〈xEvt ,mEvt〉

PPos

〈xPos,mPos〉

PAv

〈xit ,mAv〉

〈xit ,mF〉

(b) sCFN(ForceGenerator) of figure 2(a)

Figure 2: An example of application graph and a sCFN of ForceGenerator component.

component has two behaviors. Without inputs on its F port, it delivers only atom positions. But when itreceives a force on its F input port, the outputs are the atom positions and the atom system energy. Its in-cidence relations are RIS = 〈 /0,Pos〉,〈F,Pos,En〉. The ForceGenerator has also two behaviors.When all its input ports are fed it delivers results on all its output ports. But it is also capable to proceedto an iteration if only its Evt input port is fed and in this case it provides only the avatar position onits Av output port. Its incidence relations are RIF = 〈Pos,Evt,Av,F〉,〈Evt,Av〉. Interactioncomponent connected to a device that emits avatar position and button state (pressed or released). We usea Buffer connector for not losing the data sent from Interaction to ForceGenerator, for example mouseclick. Greedy connector is used between Simulation and Visualization components, because, the Simu-lation can be very slow but the user must be able to navigate fluently in the Visualization even withoutnew data.

3 Semantics based on sCFN and Deadlock-freedom of ComSA

In this section, we give the basic ideas of the modeling of ComSA applications by means of sCFNs. Also,we show how to use a sufficient condition for place-liveness to build deadlock-freedom applications.

3.1 Strict colored FIFO nets

Definition 4. A strict colored FIFO net is a tuple 〈P,T,A,M〉 where P is a finite set of places, T is a finiteset of transitions (with P∩T = /0), A a set of arcs either of the form 〈p, t,e〉 or of the form 〈t, p,e〉 wherep ∈ P, t ∈ T and e is an expression over tokens. Finally M is a function which associates a FIFO to eachplace. Note that transitions have a weight that is a positive integer denoted by W (t).

The sCFN places are FIFO queues to ensure that messages leave a place the order they entered thisplace. The messages are represented as tokens to simulate the data stream. Each token has attacheda type called the color. The colors can be investigated and modified by the occurring transitions. Wehave not enough space to detail sCFN transformation but the idea is: the component/connector ports arerepresented by sCFN places and sCFN transitions model the different behaviors of component/connector.

79

Deadlock-freedom of component-based approach for scientific applications 5

We also obtain the sCFN of an application graph by substituting a data/trigger link by a transition. TheFigure 2(b) represents sCFN transformation of ForceGenerator component. To understand the way offunctioning of the sCFN, remember that the sets of input and output places of transition t are definedrespectively as follows: •t = p ∈ P such as (p, t) ∈ A and t•= p ∈ P such as (t, p) ∈ A. The sets ofinput and output transitions of place p are defined respectively as follows: •p= t ∈ T such as (t, p)∈Aand p• = t ∈ T such as (p, t) ∈ A. Thus, a transition t ∈ T is enabled at a marking M if ∀p ∈ •tM(p)> 0. If t is enabled at M, it may fire. Firing an enabled transition consists in consuming the oldesttoken of the FIFO queue in each of its input places and adding one token in the FIFO queue of its outputplaces t•, then, ∀p ∈ t• M(p) > 0. In Figure 2(b), the transition tEvt can be fired since M(PEvt) > 0and M(Ps)> 0. But, if also M(PPos)> 0 we have a conflict between tEvt and tPos,Evt. In this case, thetransition with strictly greater weight is fired. In our example, W (tPos,Evt)>W (tEvt) thus tPos,Evt isfired. As a result one new token is produced in its output places PF , PAV and Ps.

3.2 Deadlock-freedom of ComSA

The deadlock-freedom of our applications is based on a place-liveness property of sCFNs. This propertyexpresses that all the component ports in the application graph eventually receive data during the appli-cation running. The general idea consists in simulating sCFNs by asymmetric choice net (ACN) whichis a subclass of ordinary Petri nets (OPN) in such way places containing tokens in the sCFNs are thesame as the corresponding ones in the OPN. Thus, we can use the Commoner theorem to demonstrateour liveness. Let 〈P,T,A〉 be an OPN and E and E ′ two sets of places such as E ⊆ P and E ′ ⊆ P, then Eis a siphon if •E ⊆ E• and E ′ is a trap if E ′• ⊆ •E ′. If E is unmarked for a marking M then it remainsunmarked for every marking M′ reachable from M. Symmetrically if E ′ is marked for a marking M thenit remains marked for every marking M′ reachable from M. In fact, to ensure the deadlock-freedom wecan apply these three main steps to start a ComSA application:

ACN condition. The first step consists in verifying that the set of active incidence relations of theapplication respect the ACN condition. If it is not the case, it is proposed to the user to lock severalbehaviors of involved components which is equivalent to replace two relations 〈I1,O1〉 and 〈I2,O2〉 bythe relation 〈I1∪ I2,O1∪O2〉. This way non asymmetric incidence relations are eliminated. The conse-quence is that the application would not exploit all the asynchrony allowed by the component but it isthe price to pay to avoid deadlocks.

Siphon-trap condition. The second stage consists in verifying that all the siphons of the sCFN ofthe application contain a trap. Indeed, if it is not the case the application cannot be live. If some siphonsdo not contain a trap, the cycles they form in the application are highlighted so that the user can modifythe application to make it deadlock free.

Start configuration. Finally, when all the siphons contain a trap, we can put one token in each ofthese traps. Practically, each trap contains at least one blocking connector which is randomly chosen todeliver a first empty message.

By implementing the method described above, we developed a toolbox to help users to verify that itsapplications do not contain the deadlocks.

4 Conclusion and future work

Reliability and performance are very important constraints for ComSA applications. This paper ensuresthose constraints by modeling different parts for each application and their composition by using com-

80

6 A. Ait Wakrime

ponents and connectors. Likewise, formal semantic model is proposed to represent components andconnectors behaviors and to check application liveness. We developed a toolbox to design and buildComSA applications. Furthermore, we analyze and detect the deadlocks by using the method describedin [8] which consists in transforming the sCFN structure into a SAT problem. The open-source SATsolver [9] has used to solve the problem. Last, we can construct a correct start condition for applicationwithout deadlocks. Currently, we are expanding our model and our toolkit with methods to design theComSA applications dynamic reconfiguration by allowing their architecture to change at runtime. Forexample, inserting a new analysis step on the running simulation (visual analytics). So we will study howto dynamically insert or remove components in a running application without stopping the full applica-tion for not stopping all available services. To ensure such reconfiguration, the idea is just to stop onlythe components that are affected by this modification i.e. how to avoid overflow if a component con-tinues to transmit data to other components without being able to start a new iteration. Also, to ensurethe availability of services for unaffected parts. There are still some issues which need to be addressedin the future. In particular, how to obtain composite components to facilitate the application descriptionand to substitute a set of components with a single hierarchical component. This should facilitate theverification of several properties such as liveness.

References[1] J. Allard, V. Gouranton, L. Lecointre, S. Limet, E. Melin, B. Raffin, and S. Robert. Flowvr: a middleware

for large scale virtual reality applications. In Proc. of Euro-par 2004, volume 3149 of LNCS, pages 497–505.Springer, 2004.

[2] R. Bastide and E. Barboni. Software components: a formal semantics based on coloured petri nets. ElectronicNotes in Theoretical Computer Science, 160(0):57 – 73, 2006.

[3] G. Coulson, G. Blair, P. Grace, F. Taiani, A. Joolia, K. Lee, J. Ueyama, and T. Sivaharan. A generic compo-nent model for building systems software. ACM Trans. Comput. Syst., 26(1):1–42, 2008.

[4] M. Dreher, M. Piuzzi, A. Turki, M. Chavent, M. Baaden, N. Ferey, S. Limet, B. Raffin, and S. Robert.Interactive Molecular Dynamics: Scaling up to Large Systems. In ICCS, volume 18 of Procedia ComputerScience, pages 20–29. Elsevier, 2013.

[5] A. Finkel and G. Memmi. FIFO nets: A new model of parallel computation. In Theoretical ComputerScience, volume 145 of LNCS, pages 111–121. Springer, 1982.

[6] T. Goodale, G. Allen, G. Lanfermann, J. Masso, T. Radke, E. Seidel, and J. Shalf. The cactus framework andtoolkit: design and applications. In Proceedings of the 5th international conference on High performancecomputing for computational science, VECPAR’02, pages 197–227. Springer, 2003.

[7] K.K. Lau, L. Safie, P. Stepan, and C. M. Tran. A component model that is both control-driven and data-driven.In CBSE, pages 41–50, 2011.

[8] O. Oanea, H. Wimmel, and K. Wolf. New algorithms for deciding the siphon-trap property. In Proceedingsof the 31st Int. Conf. on Applications and Theory of Petri Nets, LNCS, pages 267–286. Springer, 2010.

[9] N. Sorensson and N. Een. Open-source SAT solver. http://minisat.se/, 2008.[10] J. White, D. Schmidt, and A. Gokhale. Simplifying autonomic enterprise java bean applications via model-

driven engineering and simulation. Software and Systems Modeling, 7(1):3–23, 2008.[11] Y. Yu, T. Li, Q. Liu, and F. Dai. Approach to modeling components in software architecture. JSW,

6(11):2196–2200, 2011.

81

Exhaustive search of dynamical properties in Process Hittingusing Answer Set Programming

Emna Ben AbdallahLUNAM Université, École Centrale de Nantes, IRCCyN UMR CNRS 6597

(Institut de Recherche en Communications et Cybernétique de Nantes),1 rue de la Noë, 44321 Nantes, France.

[email protected]

Joint work with: Maxime Folschette, Olivier Roux, Morgan Magnin

Abstract

The Process Hitting is a recently introduced framework to model concurrent processes. It isnotably suitable to model biological regulatory networks with partial knowledge of co- operations bydefining the most permissive dynamics. In this paper, we explain the methods we developped withASP to find the fixed points, states in which it is not possible any more to have evolutions of themodel. We also aim at solving the problem of reachability that consists of deciding if, starting froma given initial state, it is possible to reach a given local state. Finally, we illustrate the merits of ourmethods by applying them to a biological example.

1 Introduction

As regulatory phenomena play a crucial role in biological systems, they need to be studied accurately.Biological Regulatory Networks (BRNs) consist in sets of either positive or negative mutual effectsbetween the components. With the purpose of analyzing these systems, they are often modeled as graphswhich make it possible to determine the possible evolutions of all the interacting components of thesystem. Indeed, in order to address the formal checking of dynamical properties within very large BRNs,we recently use a new formalism, named the “Process Hitting” (PH) [3], to model concurrent systemshaving components with a few qualitative levels. A PH describes, in an atomic manner, the possibleevolutions of a “process” (representing one component at one level) triggered by the hit of at most oneother “process” in the system. This particular structure makes the formal analysis of BRNs with hundredsof components tractable. PH is suitable, according to the precision of this information, to model BRNswith different levels of abstraction by capturing the most general dynamics. The objectives of the workpresented in this paper are the following.

Firstly, we show that starting from one PH model, it is possible to find all possible stable states (fixedpoints [4]). We perform an exhaustive search of the possible states, combination processes, one processfrom each sort and then check if it is a fixed point.

The second phase of our work consists in computing the dynamics. It consists in determining from aknown initial state the possible next states of the PH model. Finally we verify if we can reach a specificstate of one or several component (gene or protein). The results are ensured to respect the PH dynamics.

Our contribution is from the results that allowed to determine the stable states, we propose to evaluatethe benefits of the Answer Set Programming (ASP) [1] to compute them. ASP has been proven efficientto tackle models with a large number of components and parameters. Our aim here is to assess its

82

2 E. Ben Abdallah, M. Folschette, O. Roux, M. Magnin

potential w.r.t. the computation of some dynamical properties of the PH model. In this paper, we showthat ASP turns out to be effective for these enumerative searches which justifies its use. The benefit ofour approach is that it makes possible to get the minimal paths to reach our goal(s) also we can verify ifit is possible after a given number of steps.

2 Frameworks

2.1 The Process Hitting

Definition 1 introduces the Process Hitting (PH) [3] which allows to model a finite number of local levels,called processes, grouped into a finite set of components, called sorts. A process is noted ai, where a isthe sort’s name, and i is the process identifier within sort a. At any time, exactly one process of each sortis active, and the set of active processes is called a state.

The concurrent interactions between processes are defined by a set of actions. Actions describe thereplacement of a process by another of the same sort conditioned by the presence of at most one otherprocess in the current state. An action is denoted by ai→ b j bk, which is read as “ai hits b j to make itbounce to bk”, where ai,b j,bk are processes of sorts a and b, called respectively hitter, target and bounceof the action. We also call a self-hit any action whose hitter and target sorts are the same, that is, of theform: ai→ ai ak.

Definition 1 (Process Hitting). A Process Hitting is a triple (Σ,L,H ):

• Σ = a,b, . . . is the finite set of sorts;

• L = ∏a∈Σ La is the set of states with La = a0, . . . ,ala the finite set of processes of sort a ∈ Σ andla a positive integer, with a 6= b⇒ La∩Lb = /0;

• H = ai→ b j bk ∈ La×L2b | (a,b) ∈ Σ2∧b j 6= bk∧a = b⇒ ai = b j is the finite set of actions.

Example. Figure 1 represents a PH (Σ,L,H ) with three sorts (Σ = a,b,c) and: La = a0,a1, Lb =b0,b1,b2, Lc = c0,c1.

c

0

1

b0 1 2

a

0 1

Figure 1: A PH model example with three sorts: a, b and c (a is either at level 0 or 1, c at either level0 or 1 and b at either level 0, 1 or 2). Circles represent the processes, boxes represent the sorts, and theactions are drawn by pairs of arrows in solid and dotted lines.The grayed processes stand for a possibleinitial state.

83

Exhaustive search of dynamical properties in PH using Answer Set Programming 3

2.2 Answer Set Programming

According to Baral [1], Answer Set Programming (ASP) programs which are written in the languageof AnsProlog*, are composed of a set of facts together with a set of rules from which other facts canbe derived. A set of consistent facts that can be derived from a program using the rules is known as ananswerset of the program. These rules are of the form below:

L0 ← Lk, ...,Lm, not Lm+1,..., not Ln.where each of the Li is a literal in the sense of classical logic. Intuitively, the above rule means that ifLk,...,Lm are true and if Lm+1,..., Ln can be safely assumed to be false then L0 is true.

Example. The below example explains that if a variable X lays eggs so it will be considered as a bird,else if it engenders a baby so it will be considered as a mammal. Then to verify if X can fly or not, itshould be a bird and not a mammal. For example we have the fact D for X = tweety, we can replace it inrule A so the result will be true for bird(tweety), but in rules B it will be unkown for mammal(tweety)than notbird(tweety) is true. Finally, C: f ly(tweety), will be true and the conclusion is: tweety can fly.

A: bird(X)← lays_egg(X). B: mammal(X)← engender(X).

C: f ly(X)← bird(X), not mammal(X). D: lays_egg(tweety).

In fact, ASP is able to process very complex problems, specifically NP ones. In addition, ASP tacklesthe inherent complexity of the models we use, allowing a fast execution of the formal tools defined inthis paper. Also it is convenient to enumerate a large set of possible answers, and it allows us to easilyconstrain the answers according to some properties. These advantages encouraged us to use and test ASPfor the biological networks with a big number of sorts.

There is now a variety of tools for solving ASP. Among them, we find the grounder GRINGO, thesolver CLASP, and their combinations within integrated systems CLINGO and ICLINGO.

Note that a numerical argument provided to either CLASP, CLINGO, or ICLINGO determines themaximum number of answer sets to be computed, where 0 stands for “compute all answer sets.” Bydefault, only one answer set is computed (if it exists).

According to [2] ICLINGO extends CLINGO by an incremental computation mode that incorporatesboth grounding and solving. Hence, its input language includes all constructs described in Section 3.1.In addition, ICLINGO deals with logic program declared in three parts: a static part, a part with an incre-mental step number and a part which is local to steps (all rules are dismissed before the next incrementalstep). In Section 4.2, we provide our program in which these conditions naturally hold.

3 Fixed point

The study of fixed points (or basins of attraction) provides an important understanding of the differentbehaviors of a BRN [4]. The fixed point is a stable state of the RRB in wich it is not possible any moreto have new changes. Let (Σ,L,H) be a Process Hitting . It has been shown that a state s ∈ L is a fixedpoint of the Process Hitting if and only if s is a |Σ|− clique of the hitless associated graph [3] i.e. a setof processes with exactly on process of each sort and every process have no hit with the others selectedones.

Example. Considering the last graph of Figure 1, we construct the corresponding hitless graph. So firstwe eliminate all processes with self-hit then we add the edges between all two processes which did nothave an action between them in the graph with-hit. Then we verify wether there exists an |Σ|− clique.So we deduce that we have two fixed points: < a_1,b_1,c_0 > and < a_0,b_2,c_0 >.

84


3.1 ASP Program

At the beginning, the idea was to try to implement an algorithm that checks the above definition, trans-forming the graph with hits (oriented) in a graph without-hit (non-oriented). So in this new graph firstlywe eliminate the processes with self-hit by the predicate ”hiddenProcess(A, I)”. Then, we construct thenew graph whose edges between two processes of different sorts correspond to the non existence of a hitbetween them in the graph of PH. In the ASP program these edges are called by ”noAction(B,J,A, I)”(r1) where A and B are sorts and I and J the indexes of processes.r1: noAction(B,J,A, I)← not hit(A, I,B,J), not hit(B,J,A, I),A!=B,showProcess(A, I),showProcess(B,J).

Then we have to browse this graph and extract all possible combinations of shown processes (withoutself-hit) by choosing a process from each sort.r2: 1selectProcess(A, I) : showProcess(A, I)1← sort(A).This special rule creates as many answer sets as necessary, with each one containing exactly one selectProcess(A, I)atom for each sort A. Now we have to find wich combinations verifies the characteristics of the fixedpoint, i.e., to check if the selected process from each sort is related with all the other selected processesof this combination. We present this relation with the predicate ”noHit”.r3: noExistFixPoint← X < N,getNumberNoHit(X),N = sort(_).r4: ← noExistFixPoint.

In (r3), sort(_) simply returns the total number of sorts. The rule (r4), is a contraint wich eliminatesall answers that verify the not N-clique property (r3) where N is the number of sorts of the network.Finally the combination of the selected processes verifying all conditions constitute the fix point.r5: f ixProcess(A, I)← selectProcess(A, I).

Example. If we apply the method above to the PH of Figure 1 , if we try to find the solution of the phmodel, our ASP program will return the below answers:Answer 1: fixProcess(a,1), fixProcess(b,1), fixProcess(c,0).Answer 2: fixProcess(a,0), fixProcess(b,2), fixProcess(c,0).

In a biological network, there are sometimes thousands of sorts, so it will be better if the programruns faster. That is why the idea was to try to optimize this ASP script by having less number ofpredicates. Subsequently, the first improvement is to eliminate the predicates ”noHit(A, I,B,J)” and”getNumberNoHits(X)” which computes the number of the predicate ”noHit” (edge between 2 selectedprocesses), as a result also the predicate ”noExistFixPoint” (r3 and r4). These predicates have been re-placed by only one constraint:r6:← 1hit(A, I,B,J),selectProcess(A, I),selectProcess(B,J),A! = B.We note that the predicate ”hit(A, I,B,J)” is true when there is an action, within the network, which hitterprocess (A, I) and target process (B,J) are active. In fact, this above constraint shows that it is sufficientto have two selected processes verifing the predicate hit in the hitless to eliminate a solution.

3.2 Results on large networks

Note that both methods give the same result but the second is faster. The following table describes thecomparaison and proves that the 2nd method is almost faster than PINT (a library developed to parse andstudy PH models). The computation is done with a desktop computer (core i5 and 4GB RAM):

85


Model #sorts #procs #actions #states #fix-point PINT ASP mthd1 mthd2ERBB_G1 42 152 399 270 3 0.017s 0.220s 0.000stcrsig40 54 156 305 273 1 0.021s 0.220 0.020stcrsig94 133 488 1124 2194 0 0.027s 2.540 0.060segfr104 193 748 2356 2320 0 0.074s 8.220 0.140s

Figure 2: Excecution time of ASP metods applied for biological networks with a desktop computer

4 Network evolution

In this section, we will present firstly how to determine using ASP the possible evolution of a biologicalnetwork after a finite number of steps. Then what are the specific evolutions which the evolutions thatallow the achievement of goals (future active processes) from a known initial state?

4.1 Computing the dynamics

From an initial known state, a PH can evolve into several new states after a few steps. The predicate”time(0..n)” sets the number of steps we want to play. For example if the biologist wants to know whatstates are reachable (in the PH) after 10 stages, it has only to replace n by 10, and it will be ”time(0..10)”.For initializing, the active process state 0 was added the rule (e1) in the ASP script wich represent thePH networke1: init(activeProcess(”a”,0)). ; a is the name of the sort and 0 the index of process.According to the state of the network, specifically the processes that are active, it is possible to determinethe actions that can be played and evolve the network to a new state. As for moving from one state toanother it can play only one action then each step (T ) is characterized by a single change in a single sort.The rule (e2) offer a set of the possible changes ”activeFromTo(B,J,K,T )”. This predicate means thatin the sort B the active process change from number J to number K at time step T . This change is possibleonly if the action is playable at this step ”playableAction(A, I,B,J,K,T )” meaning that processes (A, I)and (B,J) are active at T ”instate(activeProcess(A, I),T )”. The rule is encoded with a count atom at itshead, which makes it a choice rule. Rule (e3) filters any answer with more than 1 change at the sametime T .e2: activeFromTo(B,J,K,T )← playableAction(A, I,B,J,K,T ), instate(activeProcess(A, I),T ),instate(activeProcess(B,J),T ),J! = K, time(T ).e3: ← 2activeFromTo(B,J,K,T ), time(T ).

In order to determinate the next active processes at T +1 we use the following rules :e4: instate(activeProcess(B,K),T +1)← activeFromTo(B,J,K,T ), time(T ).e5: instate(activeProcess(A, I),T +1)← instate(activeProcess(A, I),T ),activeFromTo(B,J,K,T ),A! = B, time(T ).

At the next step T +1 we find the new active process resulted from the predicate activeFromTo (e4)as well as all the unchanged processes that correspond to the other sorts (e5).

4.2 Reachability

In this section, we focus on the reachability of a process which corresponds to the question:“Is it possible, starting from a given initial state, to play a number of actions so that a given process isactive in the resulting state?”

86


Now we try to adapt the code of network evolution to resolve the reachability problem. First we definea predicate for the objective processes we call it ”goal”, we add a rule with this predicate to the scriptdefining the PH :c1: goal(activeProcess(”a”,1)).The rule c2 verifies if after the network evolution, its state satisfies the goals at step T. Else the answerwill be eliminated.c2: satis f iable(F,T )← goal(F), instate(F,T ).The limitation of this method is that the user has to choose the number of steps of the evolution. It is andisadvantage because a search in N steps will find no solution if the shortest path to solve the rechabilityrequires N+1 steps. The solution is to use the incremental computation mode ( ICLINGO [2]). So we havealmost the same program expect for incremental step numbers. In each step t, the program computes theplayable actions playableAction(A, I,B,J,K, t),the possible change activeFromTo(B,J,K, t−1) and thenew active processes for the next step instate(activeProcess(A, I), t + 1). Regarding the part of localsteps we use a special contraint (rule c4) that means that the program should continue to the next step ifit’s not satisfiable so that we eliminate responses that do not meet the goals.c3: notSatis f iable(t)← goal(F),notinstate(F, t).c4: ← notSatis f iable(t).

4.3 Results on real biological network

It should be noted that the only reachability analysis developed so far on the Process Hitting was imple-mented in the software Pint, and consists in an approximation: it is possible that it terminates but remainsinconclusive (although this is rare). Moreover, it currently does not give us the path to activate the goal.Example. In the example of Figure 1, at the beginning its state is <a_0, b_0, c_1> and we want to reachthe process b_2. So our goal will be written goal(activeProcess(”b”,2)). PINT will retur the response”True”, our ASP implementation, in addition to being satisfiable, returns the paths for two steps (0 and1):

Answer 1: activeFromTo("c",1,0,0) activeFromTo("b",0,2,1)In the example of ERBB_G with 42 sorts, if we initialise the sorts at levels that model biological

components then we fix the level for one sort to came our goal. The Table below describes the results:Model #sorts #procs #actions #states #steps PINT ASP ASP iterativeERBB_G 42 152 399 270 18 0.022s 10.620s 5.020s

5 Conclusion

We summarized in this paper a new developed dynamic analysis. This analysis is applicable to a classof models called Process Hitting and it aims at determining both the fixed points and if a condition onseveral components in the model can be attained from a given initial state. We think that this approachcan be used also with other models such as Petri Nets.

Results show that, compared with Pint, method for fixed points search is is effective too but forreachability, it is much less than expected. However at the same time it gives more search results (thepath) and it offers the possibility to ask more general questions covering several kinds of sorts.

Our perspective is to try to improve this method by eliminating the cycles in the iterative method(ICLINGO). Then we wish to extend the program to search for the attractors (a set of states from which itis not possible to get out).

87


References[1] C. Baral. Knowledge representation, reasoning and declarative problem solving. Cambridge university press,

2003.[2] M. Gebser, R. Kaminski, B. Kaufmann, M. Ostrowski, T. Schaub, and S. Thiele. A user’s guide to gringo,

clasp, clingo, and iclingo, 2008.[3] L. Paulevé. Modélisation, Simulation et Vérification des Grands Réseaux de Régulation Biologique. PhD

thesis, École centrale de nantes, 2011.[4] A. Wuensche. Genomic regulation modeled as a network with basins of attraction. In R. B. Altman, A. K.

Dunker, L. Hunter, and T. E. Klien, editors, Pacific Symposium on Biocomputing, volume 3, pages 89–102.World Scientific, 1998.

88

Chasing the Best Buchi Automata for NestedDepth-first Search Based Model Checking

Frantisek BlahoudekFaculty of Informatics

Masaryk UniversityBrno, Czech Republic

[email protected]

AbstractThe automata-based model checking uses a translation of formulae in Linear Temporal

Logic (LTL) into Buchi automata (BA). The performance of the model checkers can beheavily influenced by the BA used. In this paper we discuss several heuristics commonlyused to decide which BA should be used for given verification task, suggest a novel heuristicfor this problem and finally evaluate the heuristics using common LTL-to-BA translators,model checker Spin and benchmark of real verification tasks. Our evaluation shows thatheuristics based only on number of states of BA or the degree of determinism often givewrong answer or are unable to answer. On a concrete example we further demonstrate oursuggestion to exploit some partial knowledge about systems to improve our heuristic.

1 IntroductionIn the automata-theoretic approach to explicit model checking of Linear-time Temporal Logic(LTL) [14] the specification given as LTL formula ϕ is first negated into ¬ϕ, which is thentranslated into a Buchi automaton (BA) A¬ϕ that accepts all the executions of the systemviolating ϕ; the model checker then constructs the synchronous product S⊗A¬ϕ, where S is thestate space (automaton) for the system to be verified. The product is then checked for emptiness.If the language of S⊗A¬ϕ is non-empty, the witness of non-emptiness is the execution of S thatinvalidates ϕ, so called the counterexample. If the language of S ⊗A¬ϕ is empty, the systemsatisfies the specification ϕ.

There are many LTL-to-BA translators and they often produce different automata for thesame formula. For example, Figure 1 shows five automata for the LTL formula ¬(GFa→ GFb)produced by different translators. In this paper we discuss different methods to decide whichone of them should be used for the model checking to be efficient.

Usually both the state space S and the product S ⊗A¬ϕ are built on-the-fly and only thepart needed by the emptiness check is built. There are several emptiness check procedures usedin different model checkers. We decided to study the performance of widely used, open-sourcemodel checker Spin which uses a sequential emptiness check based on Nested Depth-First Search(NDFS) [9].

The choice of automaton used as A¬ϕ can influence both the size of S⊗A¬ϕ and the empti-ness check procedure. Among other aspects the choice of BA influences which part of S⊗A¬ϕ isbuilt in case the product contains some accepting cycle (counterexample). Namely, small changeof order of transitions used in the file describing A¬ϕ can have tremendous impact on running

89

2 F. Blahoudek

s0

s1

s2

(B1) LTL2BA

>

bab

bab

b

si

s0

s1

s2

s3

(B2) MoDeLLa

>

b

>

b

ab

abb

b

s0

s1

s2

(B3) LTL3BA

>

b

ab

bab

b

si

s0

s1

s2

(B4) LTL3BA (det)

> >

bab

abab

ab

s0

s1

s2

(B5) Spot

>

ab

ab

abab

ab

Figure 1: Automata for the formula ¬(GFa→GFb). Note that edges in the automata are labelledby Boolean formulae over atomic propositions, where a means ¬a, > stands for true, and ab usedlater means a∧¬b. Formally, an edge labelled with a formula ρ represents all the transitionsthat are labelled with a subset M of atomic propositions such that M |= ρ.

time of Spin. Similarly to [6] we did not find any conclusion about “good order”. Therefore weaddress here only cases without counterexample, where the whole product has to be built andexplored by the NDFS.

We assume the reader is familiar with LTL and Buchi automata.

2 Benchmarking Buchi AutomataThe authors of LTL-to-BA translators try to minimize the size [2, 5, 12, 7, 13] and/or the degreeof determinism of the automata produced [1, 11, 3]. We can use these values as heuristics toanswer the following question: Which of two given automata A1,A2 should be used as A¬ϕ forthe model checking to be faster? A benchmark of LTL-to-BA translators belongs usually to oneof the following categories:

Size: The size of an automaton is usually understood as the number of states (states(A)), orthe number of transitions (trans(A)).

Determinism: The degree of determinism is measured by the number of non-deterministicstates (nd-states(A)). A drawback of this heuristic is a fact that it does not quantify hownon-deterministic these states are.

Products with random state spaces: Popular LTL-to-BA benchmarking tools like lbtt andltlcross (from Spot library) perform following steps for each automaton: (1) build prod-ucts with a fixed set of random state spaces, (2) sum their sizes, and (3) compare theresults. This approach gives results depending on the random state spaces used.

2.1 Proposed heuristicFigure 1 shows five Buchi automata generated by some of available LTL-to-BA translators forthe formula ¬(GFa→GFb). The automata B1 and B3 have the same number of states, transitionsand non-deterministic states, but as Table 1 indicates, the amount of work performed by Spinmeasured in the number of visited transitions (and also the running time) differs substantiallyfor B1 and B3. This illustrates that the size and determinism of automata are not always a

90

Chasing the Best BA for NDFS Based Model Checking 3

Table 1: Statistics about generated automata and Spin’s run on the empty product betweenmodel peterson.4.pm and formula ¬(GFa→ GFb). The corresponding automata are shown inFig. 1.

automaton size statistics from Spin’s executionstates ndst edges trans stored states visited trans time

B1 LTL2BA 3 3 6 12 1577440 7684k 5.95sB2 MoDeLLa 5 2 8 18 1580893 7670k 6.13sB3 LTL3BA 3 3 6 12 2299250 15583k 12.10sB4 LTL3BA (det) 4 1 7 14 2297625 15561k 12.00sB5 Spot 3 1 6 9 848641 2853k 2.26s

relevant factor in the performance of the model checking process of Spin. For this reason wehave designed heuristics based on a product with universal model.

∅

a a,b

b

ab

ab

ab

ab

ab ab

ab ab

ab

abab

ab

ab

ab

ab

ab

Figure 2: The universal model Ua,b.

The universal model for a set of atomic propositionsAP is an automaton UAP = (2AP , δ,∅), where statesare formed by combinations of atomic propositions and(q,α,α) ∈ δ for each q,α ∈ 2AP . See Figure 2 for theuniversal model with two atomic propositions.

We improved the heuristic based on observation thatthe automata B2 and B4 contain redundant initial statessi which can appear only once in any product. Thesestates will not make any significant difference to theproduct size. In particular, only states that are reach-able from some cycle can make a significant increase in the number of states of S⊗A¬ϕ. Basedon this observation we trim the product with UAP to filter away redundant states. Henceforthwe refer to the trimmed product as T .

The number of states of T for the automata B1,B2,B3,B4, and B5 of Figure 1 are 7, 9, 8, 7,and 6 respectively. So this information helps us to distinguish between B1 and B3, moreover, itgives preference to B4 over B3 thanks to this trimming.

3 Heuristics BenchmarkIn this section, we present a comparison of the heuristic proposed in the previous section, withthe heuristics based on the size or determinism of automata. We examine how well they canestimate which of two given automata yields less work for Spin when no counterexample is found.We use the following software, hardware, benchmark and heuristics.

Software. We use the five LTL-to-BA translators listed in Table 2. Apart from the populartranslators, Spin and LTL2BA, we use MoDeLLa which was the first tool focusing on deter-minism, as well as LTL3BA and Spot which represent state-of-the-art translators. The last twotranslators are used in several settings: the settings denoted by LTL3BA (det) aim to producemore deterministic automata, while the setting called Spot (no jump) is an experimental settingwhich produces automata with longer cycles than usual. For model checking of the tasks weused Spin with its default settings and the maximum depth of search set to 100 000 000.

91

4 F. Blahoudek

Table 2: Reference of considered LTL-to-BA translators.

tool version translation commandSpin [4, 8] 6.2.5 spin -fLTL2BA [5] 1.1 ltl2ba -fMoDeLLa [11] 1.5.9 modella -s -g -r12 ltlfileLTL3BA [1] 1.0.2 ltl3ba -S -fLTL3BA (det) ltl3ba -S -M -fSpot [3] 1.2.4 ltl2tgba -sSpot (no jump) ltl2tgba -s -x degen-lskip=0

Hardware. All computations were performed on an HP DL980 G7 server with 8 eight-core64-bit processors Intel Xeon X7560 2.26GHz and 448 GiB DDR3 RAM. Each execution of Spinwas restricted to a 30 minute time-out and a memory limit of 20GiB.

Benchmark. The benchmark set of models and formulae is based on real model checkingtasks BEEM [10]. In addition to the original 735 pairs of a model in Promela and an LTL formula,we added two formulae to each instance of mutual exclusion protocols anderson, bakery, andpeterson (altogether 22 instances):

1. GF(P0@CS)→ GF(P0@NCS) meaning that if a process P0 spends infinite number of stepsin a critical section, then it also spends infinite number of steps in a non-critical section,

2. FG¬((P0@CS∧P1@CS)∨(P0@CS∧P2@CS)∨(P1@CS∧P2@CS)

)meaning that after finite

number of steps, it never happens that two of the processes P0, P1, and P2 are in a criticalsection at the same time.

We removed pairs where the formula contains the reserved keyword of Promela active ina name of some atomic proposition, because Spin fails to run these tasks (12 pairs), we alsoremoved pairs where for at least one translator Spin timeouted or ran out of memory (11 pairs).We further removed all the pairs where some counterexample was found (674 pairs). This leftus with 735 + 2 ·22−12−11−674 = 82 verification tasks without any counterexamples.

Each of the 82 verification tasks without counterexample was verified by Spin using LTL-to-BA translators of Table 2. The triplet (model,formula,translator) is called Spin instance. Wegathered the statistics about automata and product with the universal model using ltlcrossand also information about the number of transitions visited by Spin (Spin-trans) for each Spininstance.

To focus on only relevant differences in Spin performance, we selected for each verificationtask only the pairs of Spin instances (I1, I2), where the difference between Spin-trans(I1) andSpin-trans(I2) was at least 20% of the smaller value. We call such pairs of Spin instancesmatches. We ended up with 603 matches.

Heurisitics. We used several heuristics based on automata (A) statistics: states(A) answersthat out of two BA the one with lower number of states should be preferred and if the numbersare equal, it returns no answer, trans(A) is based on the number of transitions, nd-states(A) isbased on the number of non-deterministic states. We also used heuristics based on the trimmedproduct with universal model (T ). The combination of two heuristics, for example states(A);

92

Chasing the Best BA for NDFS Based Model Checking 5

heuristic correct incorrect no answer scorestates(T ); states(A) 495 57 51 438states(T ); trans(A) 511 84 8 427states(A); states(T ) 489 63 51 426states(T ) 471 48 84 423trans(T ) 495 83 25 412states(T ); trans(T ) 495 91 17 404states(A); nd-states(A) 487 90 26 397trans(A) 459 93 51 366states(A); trans(A) 456 96 51 360states(A) 371 39 193 332nd-states(A) 316 75 212 241

Table 3: Comparison of ten chosen heuristics on selected matches. The maximum possible scorewas 603.

trans(A), proceeds as follows: Answer as the first heuristic (states(A)) if it gives some answer;if the first heuristic gives no answer, use the result of the second heuristic (trans(A)).

3.1 ResultsFor each of the selected matches we compared the values of Spin-trans and then asked heuristicsto give its opinion which automaton should be preferred. The numbers of correct, incorrect andno answers have been accumulated for each heuristic and based on these values the score wascomputed as correct−incorrect. The obtained results can be found in Table 3, sorted by score.

Table 3 shows that states(T ) outperforms states(A) when compared by score, on the otherhand, states(A) gives the smallest number of wrong answers. A natural combination of thesetwo gives the best results.

4 Using Partial Knowledge about SystemWe can improve our proposed heuristic by adding some knowledge we have about the systemto be verified. For example, from the Promela description of the system peterson.4.pm we canderive following information: (1) Both atomic propositions a and b mean that the process P0is in some location, hence a and b can never hold together; (2) There are five locations in themodel, so we can assume that states without a are four times more frequent in the model thanstates with a (the same applies to b). We can modify the universal model accordingly to (1) bydeleting state a,b and accordingly to (2) by adding two copies of the state ∅.

The numbers of states of the trimmed product with the universal model modified as suggestedfor the automata B1−B5 are 11, 14, 13, 12, and 9 respectively. A heuristic based on these valueswould be, for the particular example of Table 1, the most precise from all heuristics presentedhere. To be more specific, the heuristic would give answer for all matches, and the answer willbe incorrect in only 3 out of 10 cases.

Algorithms for automatic extraction of useful information about model which could improveour heuristics are subject of future research, as well as new heuristics that can improve theprediction of the most suitable BA for given task and thus save time spent on verification.

93

6 F. Blahoudek

References[1] Tomas Babiak, Mojmır Kretınsky, Vojtech Reehak, and Jan Strejcek. LTL to Buchi automata

translation: Fast and more deterministic. In Proc. of the 18th Int. Conf. on Tools and Algorithmsfor the Construction and Analysis of Systems (TACAS’12), volume 7214 of LNCS, pages 95–109.Springer, 2012.

[2] Jean-Michel Couvreur. On-the-fly verification of temporal logic. In Jeannette M. Wing, Jim Wood-cock, and Jim Davies, editors, Proceedings of the World Congress on Formal Methods in the Devel-opment of Computing Systems (FM’99), volume 1708 of LNCS, pages 253–271, Toulouse, France,September 1999. Springer-Verlag.

[3] Alexandre Duret-Lutz. LTL translation improvements in Spot 1.0. International Journal on CriticalComputer-Based Systems, 5(1/2):31–54, March 2014.

[4] K. Etessami and G. J. Holzmann. Optimizing Buchi Automata. In CONCUR’00, volume 1877 ofLNCS, pages 153–167. Springer, 2000.

[5] Paul Gastin and Denis Oddoux. Fast LTL to Buchi automata translation. In G. Berry, H. Comon, andA. Finkel, editors, Proceedings of the 13th International Conference on Computer Aided Verification(CAV’01), volume 2102 of LNCS, pages 53–65, Paris, France, 2001. Springer-Verlag.

[6] Jaco Geldenhuys and Antti Valmari. More efficient on-the-fly LTL verification with Tarjan’s algo-rithm. Theoretical Computer Science, 345(1):60–82, November 2005.

[7] Dimitra Giannakopoulou and Flavio Lerda. From states to transitions: Improving translation of LTLformulæ to Buchi automata. In D.A. Peled and M.Y. Vardi, editors, Proceedings of the 22nd IFIPWG 6.1 International Conference on Formal Techniques for Networked and Distributed Systems(FORTE’02), volume 2529 of LNCS, pages 308–326, Houston, Texas, November 2002. Springer-Verlag.

[8] Gerard J. Holzmann. The Spin Model Checker: Primer and Reference Manual. Addison-Wesley,2003.

[9] Gerard J. Holzmann, Doron A. Peled, and Mihalis Yannakakis. On nested depth first search. InJean-Charles Gregoire, Gerard J. Holzmann, and Doron A. Peled, editors, Proceedings of the 2ndSpin Workshop (SPIN’96), volume 32 of DIMACS: Series in Discrete Mathematics and TheoreticalComputer Science. American Mathematical Society, May 1996.

[10] Radek Pelanek. BEEM: benchmarks for explicit model checkers. In Proceedings of the 14th in-ternational SPIN conference on Model checking software (SPIN’07), volume 4595 of LNCS, pages263–267. Springer-Verlag, 2007.

[11] Roberto Sebastiani and Stefano Tonetta. ”More deterministic” vs. ”smaller” Buchi automata forefficient LTL model checking. In G. Goos, J. Hartmanis, and J. van Leeuwen, editors, Proceed-ings of the 12th Advanced Research Working Conference on Correct Hardware Design and Verifica-tion Methods (CHARME’03), volume 2860 of LNCS, pages 126–140, L’Aquila, Italy, October 2003.Springer-Verlag.

[12] Fabio Somenzi and Roderick Bloem. Efficient Buchi automata for LTL formulæ. In Proceedings ofthe 12th International Conference on Computer Aided Verification (CAV’00), volume 1855 of LNCS,pages 247–263, Chicago, Illinois, USA, 2000. Springer-Verlag.

[13] Xavier Thirioux. Simple and efficient translation from LTL formulas to Buchi automata. In RanceCleaveland and Hubert Garavel, editors, Proceedings of the 7th International ERCIM Workshop inFormal Methods for Industrial Critical Systems (FMICS’02), volume 66(2) of Electronic Notes inTheoretical Computer Science, Malaga, Spain, July 2002. Elsevier.

[14] Moshe Y. Vardi. An automata-theoretic approach to linear temporal logic. In Faron Moller andGraham M. Birtwistle, editors, Proceedings of the 8th Banff Higher Order Workshop (Banff’94),volume 1043 of LNCS, pages 238–266, Banff, Alberta, Canada, 1996. Springer-Verlag.

94

Safraless Synthesis for Epistemic Temporal Specifications∗

Extended Abstract

Rodica BozianuUniversite Paris Est, LACL

Creteil, France

[email protected]

Catalin DimaUniversite Paris Est, LACL

Creteil, France

[email protected]

Emmanuel FiliotUniversite Libre de Bruxelles,

Bruxelles Belgium

[email protected]

Abstract

In this paper we address the synthesis problem for specifications given in linear temporal single-agent epistemic logic, KLTL, over single-agent systems having imperfect information of the envi-ronment state. [17] have shown that this problem is 2Exptime complete. However, their procedurerelies on complex automata constructions that are notoriously resistant to efficient implementationsas they use Safra-like determinization.

We propose a ”Safraless” synthesis procedure for a large fragment of KLTL. The constructiontransforms first the synthesis problem into the problem of checking emptiness for universal co-Buchitree automata using an information-set construction. Then we build a safety game that can be solvedusing an antichain-based symbolic technique exploiting the structure of the underlying automata.The technique is implemented and applied to a couple of case studies. Full proofs and examples canbe found in [6].

1 IntroductionThe goal of system verification is to check that a system satisfies a given property. One of the majorachievements in system verification is the theory of model checking, that uses automata-based techniquesto check properties expressed in temporal logics, for systems modelled as transitions systems. Thesynthesis problem is more ambitious: given a specification of the system, the aim is to automaticallysynthesise a system that fulfils the constraints defined by the specification. Therefore, the constraintsdo not need to be checked a posteriori, and this allows the designer to focus on defining high-levelspecifications, rather than designing complex computational models of the systems.

Reactive systems are non-terminating systems that interact with some environment, e.g., hardware orsoftware that control transportations systems, or medical devices. One of the main challenge of synthesisof reactive systems is to cope with the uncontrollable behaviour of the environment, which usually leadsto computationally harder decision problems, compared to system verification. For instance, model-checking properties expressed in linear time temporal logic (LTL) is PSpace-c while LTL synthesisis 2Exptime-c [14]. Synthesis of reactive systems from temporal specifications gained a lot of interestrecently as several works have shown its practical feasibility [13, 4, 3, 12, 9]. These progresses weresupported by Kupferman and Vardi’s breakthrough in automata-based synthesis techniques [13]. Moreprecisely, they have shown that the complex Safra’s determinization operation, used in the classical LTLsynthesis algorithm [14], could be avoided by working directly with universal co-Buchi automata. Sincethen, several other “Safraless” procedures have been defined [13, 16, 10, 9]. In [16, 9], it is shown that

∗This contribution was accepted to be published in Proceedings of CAV’2014 International Conference, Vienna, Austria

95

2 R .Bozianu, C. Dima, E. Filiot

LTL synthesis reduces to testing the emptiness of a universal co-Buchi tree automaton, that in turn can bereduced to solving a safety game. The structure of the safety games can be exploited to define a symbolicgame solving algorithm based on compact antichain representations [9].

In these works, the system is assumed to have perfect information about the state of the environ-ment. However in many practical scenarios, this assumption is not realistic since some environmentinformation may be hidden to the system (e.g. private variables). Towards the (more realistic) synthe-sis of partially informed systems, imperfect information two-player games on graphs have been studied[15, 7, 2, 8]. However, they consider explicit state transition systems rather than synthesis from temporalspecifications. Moreover, the winning objectives that they consider cannot express fine properties aboutimperfect information, i.e., cannot speak about knowledge.

Epistemic Temporal Logics [11] are logics formatted for reasoning about multi-agent situations. Theyare extensions of temporal logics with knowledge operators Ki for each agent. They have been success-fully used for verification of various distributed systems in which the knowledge of the agents is essentialfor the correctness of the system specification.

Synthesis problem with temporal epistemic objectives Vardi and van der Meyden [17] have consid-ered epistemic temporal logics to define specifications that can, in addition to temporal properties, alsoexpress properties that refer to the imperfect information, and they studied the synthesis problem. Theydefine the synthesis problem in a multi-agent setting, for specifications written in LTL extended withknowledge operators Ki for each agent (KLTL). In such models, transitions between states of the envi-ronment model depend on actions of the environment and the system. The system does not see whichactions are played by the environment but get some observation on the states in which the environmentcan be (observations are subsets of states). An execution of the environment model, from the point ofview of the system, is therefore an infinite sequence alternating between its own actions and observations.

The goal of the KLTL synthesis problem is to automatically generate a strategy for the system (ifit exists) that tells it which action should be played, depending on finite histories, so that whatever theenvironment does, all the (concrete) infinite executions resulting from this strategy satisfy the KLTLformula. In [17], this problem was shown to be undecidable even for two agents against an environment.For a single agent, they show that the problem is 2Exptime-c, by reduction to the emptiness of alternatingBuchi automata. This theoretically elegant construction is however difficult to implement and optimize,as it relies on complex Safra-like automata operations (Muller-Schupp construction).

Contributions We follow the formalisation of [17] and, as our main contribution, define and implementa Safraless synthesis procedure for the positive fragment of KLTL (KLTL+), i.e., KLTL formulas wherethe operator K does not occur under any negations. Our procedure relies on universal co-Buchi treeautomata (UCT). More precisely, given a KLTL+ formula ϕ and some environment model ME , weshow how to construct a UCT Tϕ whose language is exactly the set of strategies that realize ϕ in ME .

Despite the fact that our procedure has 2Exptime worst-case complexity, we have implemented it andshown its practical feasibility through a set of examples. In particular, based on ideas of [9], we reducethe problem of checking the emptiness of Tϕ to solving a safety game whose state space can be orderedand compactly represented by antichains. Moreover, rather than using the reduction of [9] as a blackbox,we further optimize the antichain representations to improve their compactness. Our implementationis based on the tool Acacia [5] and, to the best of our knowledge, it is the first implementation of asynthesis procedure for epistemic temporal specifications. As an application, this implementation can be

96

KLTL Synthesys 3

t, linit

/0

tinits1

s3

s2

(¬tout , lon),S (¬tout ,¬lon),S

(∗,∗),S

(¬tout , lon),S

(¬tout ,¬lon),S

(∗,∗),T

(tout ,∗),S(∗, lon ),T

(∗,∗),

T(t ou

t,∗),

S

(∗,¬l on

),T

Figure 1: Environment model ME of Example 1

used to solve two-player games of imperfect information whose objectives are given as LTL formulas, oruniversal co-Buchi automata.

2 Preliminaries

In this section, we define the realizability and synthesis problems for KLTL specifications, for one par-tially informed agent, called the system, against some environment.

Environment Model We assume to have, as input of the problem, a model of the behaviour of theenvironment as a transition system. This transition system is defined over two disjoint sets of actions Σ1and Σ2, for the system and the environment respectively. Additionally, each state s of the environmentmodel carries an interpretation τe(s) over a (finite) set of propositions P . However, the system is notperfectly informed about the value of some propositions, i.e., some propositions are visible to the system,and some are not. Therefore, we partition the set P into two sets Pv (the visible propositions) and Pi

(the invisible ones).An environment model is a tuple ME = (P,Σ1,Σ2,Se,S0,∆e,τe) where• P is a finite set of propositions, Σ1 and Σ2 are finite set of actions for the system and the environ-

ment resp.,

• Se is a set of states, S0 ⊆ Se a set of initial states,

• τe : Se→ 2P is a labelling function,

• ∆e ⊆ Se×Σ1×Σ2×Se is a transition relation.The model is assumed to be deadlock-free. Moreover, the model is assumed to be complete for all

actions of the system, i.e. for all states and all actions of the system, there exists an outgoing transition.The set of executions of ME , denoted by exec(ME), is the set of infinite sequences of states ρ = s0s1 · · · ∈Sω

e such that s0 ∈ S0 and for all i > 0, (si,a1,a2,si+1) ∈ ∆e for some (a1,a2) ∈ Σ1×Σ2. Given a sequenceof states ρ = s0s1 . . . and a set P ⊆P , we denote by traceP(ρ) its projection over P, i.e. traceP(ρ) =(τe(s0)∩P)(τe(s1)∩P) . . . . Finally, given an infinite sequence of actions a = a0

1a02 · · · ∈ (Σ1.Σ2)

ω and anexecution ρ = s0s1 . . . of ME , we say that a is compatible with ρ if for all i≥ 0, (si,ai

1,ai2,si+1) ∈ ∆e.

Example 1. We illustrate the notion of environment model on the example of [17], that describes thebehaviour of an environment against a system acting on a timed toggle switch with two positions (on,off)and a light. It is depicted in Fig. 1. The set P = t, l contains two propositions t (true iff the toggle is on)and l (true iff the light is on). Actions of the system are Σ1 = T,S for “toggle” and “skip” respectively.The system can change the position of the toggle only if it plays T , and S has no effect. Actions of the

97


environment are Σ2 = (tout , lon) | tout , lon ∈ 0,1. The boolean variables tout and lon indicate that theenvironment times out the toggle and that it switches on the light. The transition function is depicted onthe figure as well as the labelling function τe : Se→ 2P . The star ∗ means “any action”. The light canbe on only if the toggle in on (state s1), but it can be off even if the toggle is on (state s2), in case it isbroken. This parameter is uncontrollable by the system, and therefore it is controlled by the environment(action lon). The timer is assumed to be unreliable and therefore the environment can timeout at any time(action tout). The system sees only the light, i.e. Pv = l and Pi = t. The goal of the system is tohave a strategy such that he always knows the position of the toggle.

Positive KLTL(KLTL+) Positive KLTL formulas for one-agent (the system) are defined by the fol-lowing grammar:

ϕ ::= p | ¬p | ϕ ∧ϕ | ϕ ∨ϕ | ©ϕ |ϕ | Kϕ | ϕU ϕIn which p ∈P and©, and U are the ”next”, ”always” and ”until” operators from linear temporallogic. Formulas of the type Kϕ are read as ”the system knows that ϕ holds”.

The semantics of a KLTL formula ϕ is defined for an environment model ME =(P,Σ1,Σ2,Se,S0,∆e,τe),a set of executions R ⊆ exec(ME), an execution ρ = s0s1 · · · ∈ R and a position i ≥ 0 in ρ . It is definedinductively:

• R,ρ, i |= p if p ∈ τe(si); R,ρ, i |= ¬p if R,ρ, i 6∈ τe(si),

• R,ρ, i |= ϕ1∧ϕ2 if R,ρ, i |= ϕ1 and R,ρ, i |= ϕ2,

• R,ρ, i |= ϕ1∨ϕ2 if R,ρ, i |= ϕ1 or R,ρ, i |= ϕ2,

• R,ρ, i |=©ϕ if R,ρ, i+1 |= ϕ ,

• R,ρ, i |=ϕ if ∀ j ≥ i R,ρ, j |= ϕ ,

• R,ρ, i |= ϕ1U ϕ2 if ∃ j ≥ i s.t. R,ρ, j |= ϕ2 and ∀i≤ k < j, R,ρ,k |= ϕ1,

• R,ρ, i |= Kϕ if for all ρ ′ ∈ R s.t. ρ ∼i ρ ′, we have R,ρ ′, i |= ϕ .In particular, the system knows ϕ at position i in the execution ρ , if all other executions in R whose prefixup to position i are indistinguishable from that of ρ , also satisfy ϕ .

Consider Example 1 and the set R of executions that eventually loop in s1. Pick any ρ in R. ThenR,ρ,0 |= K♦(l). Indeed, take any position i in ρ and any other executions ρ ′ ∈ R such that ρ ∼i ρ ′.Then since ρ ′ will eventually loop in s1, it will satisfy ♦(l). Therefore R,ρ, i |= K♦(l), for all i≥ 0.

KLTL Realizability and Synthesis As presented in [9] for the perfect information setting, the realiz-ability problem, given the environment model ME and the KLTL formula ϕ , is best seen as a turn-basedgame between the system (Player 1) and the environment (Player 2). In the first round of the play, Player1 picks some action a0

1 ∈ Σ1, then Player 2 picks some action in a02 ∈ Σ2 and solves the nondetermin-

ism in ∆e, and a new round starts. The two players play for an infinite duration and the outcome is aninfinite sequence w = a0

1a02a1

1a12 . . . . Then, player 1 wins the play if for all executions ρ of ME that are

compatible with w, we have ME ,ρ |= ϕ .Player 1 plays according to strategies (called protocols in [17]). Since Player 1 has only partial

information about the state of the environment, his strategies are based on the histories of his own ac-tions and the observations he got from the environment. Formally, a strategy for Player 1 is a map-ping λ : (Σ1O)∗ → Σ1, where, as defined before, O denotes the set of observations of Player 1 overthe states of ME . An execution ρ = s0s1 · · · ∈ exec(ME) is said to be compatible with λ if there ex-ists an infinite sequence of actions a = a0

1a02... ∈ (Σ1.Σ2)

ω , compatible with ρ , such that for all i ≥ 0,ai

1 = λ (a01o(s0)a1

1o(s1)...ai−11 o(si−1)). We denote by exec(ME ,λ ) the set of executions of ME compati-

ble with λ .

98

KLTL Synthesys 5

Definition 2. A KLTL formula ϕ is realizable in ME if there exists a strategy λ for the system such thatexec(ME ,λ ) |= φ .

Theorem 3 (R. van der Meyden and M. Vardi in [17]). The KLTL realizability problem (for one agent)is 2ExpTime-complete.

If a formula is realizable, the synthesis problem asks to generate a finite-memory strategy that realizesthe formula. Such a strategy always exists if the specification is realizable [17] and can be representedby Moore machines that read observations and output actions of Player 1.

Considering again Example 1, the formula ϕ = (K(t)∨K(¬t)) expresses the fact that the systemknows at each step the position of the toggle. As argued in [17], this formula is realizable if the initialset of the environment is s1,s2 since both states are labelled with t. Then, a winning strategy of thesystem is to play first time T (it will lead to s3) and then always play S in order to stay in that state forever.Following this strategy, in the first step the formula K(t) is satisfied and then K(¬t) becomes true forever.However, the formula is not realizable if the set of initial states of the environment is s2,s3 since fromthe beginning the system doesn’t know the value of the toggle.

3 Safraless Synthesis Procedure for Positive KLTL

Having an environment model ME = (P,Σ1,Σ2,Se,S0,∆e,τe), we define by O the set of observationsof the system on the states of the environment, i.e., O is a partition of Se w.r.t. the observation of thesystem.

First, we show how to construct a Universal Co-Buchi tree automaton T = (Σ1,Q,Q0,O,∆,α) thataccepts exactly the complete Σ1−labelled O-trees 〈T,τ〉 representing strategies that realize an LTLformula ψ under the environment model ME . First, one converts ψ into an equivalent UCW A =(2P ,QA ,QA

0 ,∆A ,αA ) and then the states of the universal tree automaton T are pairs of states of Aand knowledges I ⊆ Se. The final states are defined as α = αA ×2Se and initial states as Q0 = QA

0 ×S0.Also, for the transition relation we define, for all states q′, the set Iq,q′ = s ∈ I | (q,τ(s),q′) ∈ ∆A .Then, ∆((q, I),a,o) is defined as the set ∆((q, I),a,o) = (q′,posta(Iq,q′ ,o)) | ∃s ∈ I, (q,τ(s),q′) ∈ ∆A .Note that, since

⋃q′∈QA posta(Iq,q′ ,o) = posta(I,o) and the automaton is universal, the system does not

have better knowledge by restricting the knowledge sets.

Lemma 4. The LTL formula ψ is realizable in ME iff L (T ) 6=∅.

Moreover, it is known that if a UCT has a non-empty language, then it accepts a tree that is theunfolding of a finite graph, or equivalently, that can be represented by a Moore machine. Therefore if ψis realizable, it is realizable by a finite-memory strategy.

Then, we extend the construction from above to KLTL+. The main idea is to replace, in the KLT L+

formula ϕ , the subformulas of the form Kγ by fresh atomic propositions kγ so that we get a sequence offormulas associated to ϕ: as: ϕ0 = ϕ and, for all i > 0, ϕ i is the formula ϕ i−1 in which the innermostsubformulas Kγ are replaced by fresh atomic propositions kγ . Let d be the smallest index such that ϕd

is an LTL formula, K denote the set of new atomic propositions, i.e., K =⋃d

i=0kγ | Kγ ∈ ϕ i, and letP ′ = P ∪K.

For the LTL formula ϕd , the realizability problem can be transformed into the emptiness of a UCTT d . The realizability of the subformulas Kγ that have been replaced by kγ is checked by branchinguniversally to a UCT for γ , constructed as above for LTL formulas. Since transitions are universal, thiswill ensure that all the infinite branches of the tree from the current node where a new UCT has beentriggered also satisfy γ . Therefore, we obtain a chain of universal co-Buchi tree automata T d , ...,T 0

99


incrementally constructed that satisfy the following invariant: for all i ∈ 0, . . . ,d, T i accepts exactlythe set of strategies that realize ϕ i in ME . The UCTs we construct are defined over an extended actionsof the system Σ′1 = Σ1∪2K(e-actions) and then an extended strategy is a strategy defined over e-actions,i.e. a function from (Σ′1O)∗ to Σ′1.

Having the automaton T i+1 we define the set of states Qi of T i by Qi+1 ∪⋃

kγ∈sub(ϕ i+1) Qγ . Itsset of transitions ∆i is defined as follows. If (q′, I′) ∈ ∆i+1((q, I),(a,K),o) where I, I′ ⊆ Se, a ∈ Σ1,K ⊆ K, o ∈ O and kγ ∈ K is such that kγ occurs in ϕ i+1, then we let (q′, I′) ∈ ∆i((q, I),(a,K),o) and∆γ((q0, I),(a,K),o) ⊆ ∆i((q, I),(a,K),o), where q0 is, w.l.o.g., the unique initial state in the universalco-Buchi word automaton equivalent to γ .

Then, we show that we can safely project the final UCT T 0 on the alphabet Σ1 and get strategiesover Σ1. Therefore, we get that

Theorem 5. For any KLTL+ formula ϕ , one can construct a UCT Tϕ such that L (Tϕ) is the set ofstrategies that realize ϕ in ME .

Then, it is already known from [9] that checking emptiness of the language defined by a UCT Tcan be reduced to checking the emptiness of Luc,B(T ) for a sufficiently large bound B, which in turncan be reduced to solving a safety game. The game can be solved on-the-fly[9] without constructingthem explicitly, and the fixpoint algorithm used to solve these safety games can be optimized by usingsome antichain representation of the sets constructed during the fixpoint computation. Rather than usingthe algorithm of [9] as a black box, we study the state space of the safety games constructed from theUCT Tϕ and show that they are also equipped with a partial order that allows one to get more compactantichain representations.

Finally, we developed a prototype implementation Acacia-K for KLT L+ synthesis[1] made in Pythontogether with C for the low level operations that need efficiency. As seen from the experiments, thetool generates strategies that are natural, the same that one would synthesize intuitively. This fact isremarkable itself since, in synthesis, it is often a difficult task to generate small and natural strategies.

4 ConclusionIn this paper, we have defined a Safraless procedure for the synthesis of KLTL+specifications in environ-ment with imperfect information. This problem is 2ExpTime-c but we have shown that our procedure,based on universal co-Buchi tree automata, can be implemented efficiently thanks to an antichain sym-bolic approach. We have implemented a prototype and run some preliminary experiments that prove thefeasibility of our method. While the UCT constructed by the tool are not small (around 1300 states),our tool can handle them, although in theory, the safety games could be exponentially larger than theUCT. Moreover, our tool synthesises small strategies that correspond to the intuitive strategies we wouldexpect, although it goes through a non-trivial automata construction. As a future work, we want to see ifAcacia-K scales well on larger examples. We also want to extend the tool to handle the full KLTL logicin an efficient way. This paper is an encouraging (and necessary) step towards this objective. In a firstattempt to generalize the specifications, we plan to consider assume-guarantees specifications Kφ → ψ ,where φ is an LTL formula and ψ a KLTL+ formula.

References[1] Acacia-k. Available at http://lacl.fr/~rbozianu/Acacia-K/.[2] D. Berwanger and L. Doyen. On the power of imperfect information. In R. Hariharan, M. Mukund, and

V. Vinay, editors, FSTTCS, volume 2 of LIPIcs, pages 73–82. Schloss Dagstuhl - Leibniz-Zentrum fuerInformatik, 2008.

100

KLTL Synthesys 7

[3] R. Bloem, A. Cimatti, K. Greimel, G. Hofferek, R. Knighofer, M. Roveri, V. Schuppan, and R. Seeber. Ratsya new requirements analysis tool with synthesis. In T. Touili, B. Cook, and P. Jackson, editors, ComputerAided Verification, volume 6174 of Lecture Notes in Computer Science, pages 425–429. Springer BerlinHeidelberg, 2010.

[4] R. Bloem, B. Jobstmann, N. Piterman, A. Pnueli, and Y. Sa’ar. Synthesis of reactive(1) designs. J. Comput.Syst. Sci., 78(3):911–938, 2012.

[5] A. Bohy, V. Bruyere, E. Filiot, N. Jin, and J.-F. Raskin. Acacia+, a tool for LTL synthesis. In P. Madhusudanand S. A. Seshia, editors, CAV, volume 7358 of Lecture Notes in Computer Science, pages 652–657. Springer,2012.

[6] R. Bozianu, C. Dima, E. Filiot. Safraless Synthesis for Epistemic Temporal Specifications. Available at:http://arxiv.org/abs/1405.0424.

[7] K. Chatterjee, L. Doyen, E. Filiot, and J.-F. Raskin. Doomsday equilibria for omega-regular games. In K. L.McMillan and X. Rival, editors, VMCAI, volume 8318 of Lecture Notes in Computer Science, pages 78–97.Springer, 2014.

[8] K. Chatterjee, L. Doyen, and T. A. Henzinger. A survey of partial-observation stochastic parity games.Formal Methods in System Design, 43(2):268–284, 2013.

[9] E. Filiot, N. Jin, and J.-F. Raskin. Antichains and compositional algorithms for LTL synthesis. FormalMethods in System Design, 39(3):261–296, 2011.

[10] B. D. Giampaolo, G. Geeraerts, J.-F. Raskin, and N. Sznajder. Safraless procedures for timed specifications.In FORMATS, volume 6246 of Lecture Notes in Computer Science, pages 2–22. Springer, 2010.

[11] J. Y. Halpern and Y. Moses. Knowledge and common knowledge in a distributed environment. In T. Kameda,J. Misra, J. G. Peters, and N. Santoro, editors, PODC, pages 50–61. ACM, 1984.

[12] B. Jobstmann and R. Bloem. Optimizations for LTL synthesis. In Formal Methods in Computer-Aided Design(FMCAD), pages 117–124. IEEE Computer Society, 2006.

[13] O. Kupferman and M. Y. Vardi. Safraless decision procedures. In FOCS, pages 531–542. IEEE ComputerSociety, 2005.

[14] A. Pnueli and R. Rosner. On the synthesis of a reactive module. In POPL, pages 179–190. ACM Press, 1989.[15] J.-F. Raskin, K. Chatterjee, L. Doyen, and T. A. Henzinger. Algorithms for omega-regular games with

imperfect information. Logical Methods in Computer Science, 3(3), 2007.[16] S. Schewe and B. Finkbeiner. Bounded synthesis. In International Symposium on Automated Technology for

Verification and Analysis (ATVA), volume 4762 of LNCS, pages 474–488. Springer, 2007.[17] R. van der Meyden and M. Vardi. Synthesis from knowledge-based specifications. In D. Sangiorgi and

R. Simone, editors, CONCUR’98 Concurrency Theory, volume 1466 of Lecture Notes in Computer Science,pages 34–49. Springer Berlin Heidelberg, 1998.

101

Composition of Stochastic Timed Automata

Pierre Carlier∗

Université de MonsBelgique

[email protected]

AbstractWe consider the model of stochastic timed automata that has been introduced in [1], a

model in which both delays and discrete choices are made probabilistically. We are interestedin the composition of two stochastic timed automata in the case where both automata runindependently. In order to define this composition, we have to find probability measures overdelays and edges satisfying some properties, which are not trivial. We try to find a class ofstochastic timed automata in which the composition is internal, well-defined and expressesan independent running of both automata. Finally, since we are interested in the almost-suremodel-checking problem, we would like to restrict this class to the automata in which we candecide whether the automaton satisfies a given property with probability 1 and we would likethat, in this new class, the composition is still internal.

1 Stochastic Timed Automata1.1 DefinitionThe notion of stochastic timed automata has been introduced in [1]. We first recall the notion oftimed automata. Let X be a finite set of real-valued variables called clocks. A clock valuationover X is a function ν : X → R+ where R+ is the set of non-negative real numbers. We writeRX+ for the set of clock valuations over X. Given ν ∈ RX+ , τ ∈ R+ and Y ⊆X we define the clock

valuations ν+ τ by (ν+ τ)(x) = ν(x) + τ for every x ∈X, and [Y ← 0]ν by [Y ← 0]ν(x) = 0 ifx ∈ Y and [Y ← 0]ν(x) = ν(x) otherwise. A guard over X is any finite conjunction of expressionsof the form x ∼ c where x ∈ X, c ∈ N and ∼∈ <,≤,=,≥,>. We denote by G(X) the setof guards over X. We say that ν satisfies a guard of the form x ∼ c with x ∈ X, c ∈ N and∼∈ <,≤,=,≥,> whenever ν(x)∼ c and we write ν |= g if ν satisfies g and .Definition 1. A timed automaton is a tuple A= (L,l0,X,E) such that:(i) L is a finite set of locations,(ii) l0 ∈ L is the initial location,(iii) X is a finite set of clocks,(iv) E ⊆ L×G(X)×2X ×L is a finite set of edges.

The semantics of a timed automaton is a transition system TA = (Q,q0,→) where Q=L×RX+is the set of states, q0 = (l0,0X) is the initial state, with 0X being the clock valuation that assigns 0to each clock x, and→ is the transition relation defined as follows: given (l,ν) and (l′,ν ′) ∈Q, we

∗In collaboration with Patricia Bouyer, Thomas Brihaye and Quentin Menet.

102

2 P. Carlier

have (l,ν)→ (l′,ν ′) if there is τ ∈ R+ and there is e∈E such that e= (l,g,Y, l′) for some g ∈ G(X)and some Y ⊆X, ν+τ |= g and ν ′ = [Y ← 0](ν+τ). We then write (l,ν) τ,e−→ (l′,ν ′). We define afinite run ρ of A as a finite sequence of consecutive transitions: ρ= q1

τ1,e1−−→ q2τ2,e2−−→ ·· · τn,en−−→ qn+1

where, for each i, qi = (li,νi) is a state. Similarly, we define an infinite run ρ of A as aninfinite sequence of consecutive transitions: ρ= q1

τ1,e1−−→ q2τ2,e2−−→ ·· · . We write Runs(A, q1) (resp.

Runsf (A, q1)) for the set of infinite (resp. finite) runs of A that start in q1.One would like to extend the notion of timed automata to the notion of stochastic timed

automata in order to define a probability measure over Runs(A, q) for every state q. In order todo it, we have to equip A with probability distributions over both delays and edges. We firstintroduce some notations. Given a state q of A and an edge e ∈ E, we define I(q,e) := τ ∈ R+ |∃q′ ∈Q s.t. q τ,e−→ q′ ∈→ and I(q) :=⋃

e∈E I(q,e). Intuitively, the set I(q,e) depicts the set ofdelays after which, starting from q, edge e is immediately enabled while I(q) is the set of delaysafter which, starting from q, some edge e is immediately enabled.Definition 2. A stochastic timed automaton is a tuple A= (L,l0,X,E,(µq,pq)q∈L×RX+ ) where:

(i) (L,l0,X,E) is a timed automaton,(ii) for every q = (l,ν) ∈ L×RX+ , µq is a probability distribution over R+ (equipped with the

Borel σ-algebra) such that µq(I(q)) = 1 and pq is a probability distribution over the set ofedges enabled in q, i.e. over (l,g,Y, l′) ∈ E | ν |= g,

(iii) for every q ∈ L×RX+ , if λ denotes the Lebesgue measure and if λ(I(q)) > 0 then µq isequivalent to the restriction of λ on I(q), otherwise µq is equivalent to the discrete uniformdistribution over the points of I(q).

We recall that two measures µ and ν over a σ-algebra S ⊆ 2Ω are said equivalent if for everyA ∈ S, µ(A) = 0⇔ ν(A) = 0. We also recall that the restriction of the Lebesgue measure λ on aBorel set B of R+, denoted by λB, is defined by λB(A) = λ(A∩B) for every Borel set A.

1.2 A probability measure over infinite runsNow, given a stochastic timed automaton A, with the aim of defining a probability measure overRuns(A, q) for each state q, we introduce some notations. Given a state q and a finite sequence ofedges (ei)1≤i≤n we define the symbolic path starting from q and determined by (ei)1≤i≤n as the setof finite runs π(q,e1, . . . ,en) := ρ= q

τ1,e1−−→ q1 · · · τn,en−−→ qn | τ1, . . . , τn ∈R+. Similarly, given a Borelset C of Rn+, we define the constrained symbolic path starting from q, determined by (ei)1≤i≤n andsatisfying C as the set of finite runs πC(q,e1, . . . ,en) = ρ= q

τ1,e1−−→ q1 · · · τn,en−−→ qn | (τ1, . . . , τn) ∈ C.Given a (constrained) symbolic path π, we define the cylinder generated by π, denoted byCyl(π), as the set of infinite runs ρ such that there is a prefix of ρ that is in π. In otherwords, if π = πC(q,e1, . . . ,en) where q ∈ Q, e1, . . . ,en ∈ E and C is a Borel set of Rn+, thenCyl(π) = ρ ∈ Runs(A, q) | ρ= q

τ1,e1−−→ q1 · · · τn,en−−→ qn→ ·· · and (τ1, . . . , τn) ∈ C.We inductively define a measure, denoted by PA, over finite symbolic paths from state q by:

PA(π(q,e1, . . . ,en)) =∫

t∈I(q,e1)pq+t(e1)PA(π(qt,e2, . . . ,en))dµq(t)

where e1, . . . ,en are in E and qt is such that q t→ q+ te1→ qt, and we initialize with PA(π(q)) = 1.

The formula for PA relies on the fact that the probability of taking transition e1 at time t

103

Composition of Stochastic Timed Automata 3

coincides with the probability of waiting t time units and then choosing e1 among the enabledtransitions, i.e. pq+t(e1)dµq(t). The value of PA(π), where π = π(q,e1, . . . ,en), is the result ofn successive integrals. Hence one can extend the measure PA to the the constrained symbolicpaths as follows. Given a state q, edges e1, . . . ,en and a constraint C which is Borel-measurable,we have:

PA(πC(q,e1, . . . ,en)) =∫

t1∈I(q,e1)pq+t1(e1)

∫

t2∈I(qt1 ,e2)pqt1+t2(e2) . . .

∫

tn∈I(qt1...tn−1 ,en)pqt1...tn−1+tn(en)1C(t1, . . . , tn)dµqt1...tn−1

(tn) . . .dµq(t1)

where for every i≥ 2, the state qt1...ti is such that qt1...ti−1ti−→ qt1...ti−1 + ti

ei→ qt1...ti and the stateqt1 is as defined before and 1C(t1, . . . , tn) is the characteristic function of C. This extension isrequired to measure rather complex sets. Now, since we are interested by the set of infinite runs,one can extend PA to the cylinders by PA(Cyl(π)) = PA(π), where π is a (constrained) symbolicpath. Using some extension’s theorem as the Carathéodory’s theorem, we can extend PA in aunique way to the σ-algebra generated by the cylinder starting in q, which we note Ωq

A.Proposition 3 ([3]). Let A= (L,l0,X,E,(µq,pq)q∈L×RX+ ) be a stochastic timed automaton. Forevery state q ∈Q, PA is a probability measure over (Runs(A, q),Ωq

A).

2 Compostion2.1 Construction and defininitionWe want now to define the composition of two stochastic timed automata. We first define thecomposition of two timed automata.

Definition 4. Let A1 = (L1, l(1)0 ,X1,E1) and A2 = (L2, l

(2)0 ,X2,E2) be two timed automata

such that X1 ∩X2 = ∅. We define the timed automaton A1 ×A2 as the tuple A1 ×A2 =(L1×L2,(l(1)

0 , l(2)0 ),X1∪X2,E), where

E =E1,•∪E•,2,E1,• =((l1, l2),g,Y,(l′1, l2)) | (l1,g,Y, l′1) ∈ E1, l2 ∈ L2,E•,2 =((l1, l2),g,Y,(l1, l′2)) | (l2,g,Y, l′2) ∈ E2, l1 ∈ L1.

We abusively denote E1,• by E1 and E•,2 by E2. Now one would like to extend the compositionto the stochastic timed automata. Let A1 =

(L1, l

(1)0 ,X1,E1,(µ(1)

q ,p(1)q )

q∈L1×RX1+

)and A2 =

(L2, l

(2)0 ,X2,E2,(µ(2)

q ,p(2)q )

q∈L2×RX2+

)be two stochastic timed automata. We want to find a family

of couples of probability measures, (µq,pq)q∈L1×L2×RX1+ ×R

X2+

, in order to define the stochastictimed automaton A1×A2 =

(L,l0,X,E,(µq,pq)q∈L×RX+

), where (L,l0,X,E) is as defined in the

previous definition and thus, L×RX+ = L1×L2×RX1+ ×RX2

+ . For any state q = ((l1, l2),(ν1,ν2)) ∈L1×L2×RX1

+ ×RX2+ we have to choose a probability distribution µq over I(q) and a probability

distribution pq over the set of enabled edges in q, i.e. the set ((l1, l2),g,Y,(l′1, l′2)) ∈E | (ν1,ν2) |=g. We first introduce some notations. Given q = ((l1, l2),(ν1,ν2)) a state of A1×A2 we write

104

4 P. Carlier

q1 (resp. q2) for the projection of q in A1 (resp. A2), i.e. q1 = (l1,ν1) (resp. q2 = (l2,ν2)). Ifλ(I(q1))> 0 (resp. λ(I(q2))> 0), we write fq,1 (resp. fq,2) for the Radon-Nikodym derivative ofµ

(1)q (resp. µ(2)

q ) with respect to the Lebesgue measure λ, i.e. µ(i)q (A) =

∫A fq,i(t)dt for each Borel

set A of R+ and each i ∈ 1,2. We have that fq,i is the density function of µ(i)q and we write

Fq,i for the cumulative function associated to fq,i for each i ∈ 1,2. We then write Xq,1 (resp.Xq,2) for a random variable of density fq,1 (resp. fq,2) and where Xq,1 and Xq,2 are independent.

We define µq(A) =∫A fq,min(t)dt for each Borel set A, where fq,min is the density function of

min(Xq,1,Xq,2). One can show that fq,min(t) = fq,1(t)(1−Fq,2(t))+fq,2(t)(1−Fq,1(t)) for everyt≥ 0. In order to define the probability distributions pq over the enabled edges in q, one couldconsider that from state q, both systems A1 and A2 are in a race to win the next edge, i.e. A1wins the race if the first edge taken from q is in E1. Hence, given t ∈ I(q), and an edge e ∈ E1enabled in q+ t, one would like that pq+t(e) = w1

q(t)p(1)q+t(e) where w1

q(t) is the probability that,starting from q, A1 wins the race knowing that it was won after a delay of t time units. Formally,we define w1

q(t) = limε→0P(Xq,1 = min(Xq,1,Xq,2) |min(Xq,1,Xq,2) ∈ [t, t+ε]

)for every t≥ 0 and

we then can show that w1q(t) = fq,1(t)(1−Fq,2(t))

fq,min(t) if fq,min(t) 6= 0. We formalize this in the nextdefinition.

Let CSTA denote the class of stochastic timed automata A such that for every state q of Awith λ(I(q))> 0,(a) the density function associated with µq, denoted by fq, is almost-surely continuous on R+,

and(b) for every t, t′ ≥ 0 with t and t+ t′ in I(q),

fq(t+ t′)(1−Fq+t(t′)) = fq+t(t′)(1−Fq(t+ t′)),

where Fq (resp. Fq+t) is the cumulative function associated with fq (resp. fq+t).Definition 5. Let A1 and A2 be two stochastic timed automata as before. We say that A1 andA2 are composable if A1 and A2 are in CSTA and if X1∩X2 = ∅ and we define the compositionA1×A2 as the stochastic timed automaton A1×A2 = (L,l0,X,E,(µq,pq)q∈L×RX+ ), where, forany q = ((l1, l2),(ν1,ν2)) such that λ(I(q1))> 0 and λ(I(q2))> 0,(i) (L,l0,X,E) is the composition of the underlying timed automata A1 and A2,(ii) µq is defined as follows:

∀A ∈ B(R+), µq(A) =∫

Afq,min(t)dt,

where fq,min(t) = fq,1(t)(1−Fq,2(t)) +fq,2(t)(1−Fq,1(t)) for every t≥ 0, and(iii) for any t ∈ I(q), pq+t is defined as follows:

pq+t(e) = 1E1(e)w1q(t)p

(1)q+t(e) +1E2(e)w2

q(t)p(2)q+t(e)

for every e ∈ E, where for any t ∈ I(q),

w1q(t) := fq,1(t)(1−Fq,2(t))

fq,min(t) and w2q(t) := fq,2(t)(1−Fq,1(t))

fq,min(t)

if fq,min(t) 6= 0, and w1q(t) = w2

q(t) = 0 if fq,min(t) = 0.

105

Composition of Stochastic Timed Automata 5

Let us notice that the case where, given a state q= ((l1, l2),(ν1,ν2)), λ(I(q1)) = 0 or λ(I(q2)) = 0is not treated in the definition. If, for instance, λ(I(q1)) = 0 and λ(I(q2)) > 0 then µ

(1)q is a

probability distribution over the points of I(q1) and µ(2)q is defined by the density function fq,2 as

before. Now if Xq,1 is a discrete random-variable of probability distribution µ(1)q and if Xq,2 is a

random-variable of density fq,2, where Xq,1 and Xq,2 are independent, then the random-variablemin(Xq,1,Xq,2) could lead to a probability distribution that is neither discrete, nor continuous,which is not convenient with our model. This case will be treated in future work. Meanwhile, weconsider stochastic timed automata in which the probability to reach a state q where λ(I(q)) = 0(i.e. where I(q) is a finite set) is null.

Hypotheses (a) and (b) are needed so that for every state q, fq,min, w1q and w2

q are well-defined.One can notice that the hypotheses express conditions that do not depend of the distributionsof both automata simultaneously, it is independent of the automaton product. Hypothesis (b)comes from the fact that, given a state q, pq is well-defined if for any t, t′ ≥ 0, p(q+t)+t′ = pq+(t+t′)since (q+ t)+ t′ = q+(t+ t′). One can show that this equality holds if wiq(t+ t′) = wiq+t(t′) forany t, t′ ≥ 0 and for any i ∈ 1,2. We can then show that it suffices that hypothesis (b) holds tohave this last equality.

It is not difficult to show that uniform and exponential distributions satisfy hypothesis (a) and(b). One can thus see that two stochastic timed automata A1 and A2, equipped with uniform orexponential distributions over the delays, are composable. We now give an example of probabilitymeasures that do not satisfy hypothesis (b).

Example 6 (Weighted uniform distributions). If for any q = (l1,ν1) with ν1 ∈ [0,1], we have

fq,1(t) = 32

11−ν1

1[0, 1−ν12 [(t) + 1

21

1−ν11[ 1−ν1

2 ,1−ν1]

for any t≥ 0. Then one can easily show that Fq,1(t) = 32

t1−ν1

1[0, 1−ν12 [(t)+

(12 + 1

2t

1−ν1

)1[ 1−ν1

2 ,1−ν1](t)+1]1−ν1,+∞[(t). Now, let us assume that q = (l1,0), t= 1

2 and t′ = 18 . Then t and t+ t′ are in I(q)

and we have

fq,1(5

8)(

1−Fq+ 12 ,1

(18))

= 12

(1− 3

2

18

1− 12

)

= 12(1− 3

8)

= 516 ,

and

fq+ 12 ,1

(18)(

1−Fq,1(5

8))

= 322(1− 1

2 −12

58)

= 3(1− 13

16)

= 916 .

We conclude that hypothesis (b) is not satisfied for some weighted uniform distribution and thus,a stochastic timed automaton equipped with this weighted uniform distribution over the delays,can not be composed with another stochastic timed automaton.

One can show that if A1 and A2 ∈ CSTA then A1×A2 ∈ CSTA.

106

6 P. Carlier

2.2 IndependenceNow, in order to express an independent running of A1 and A2, one would like for example that,given a state q = ((l1, l2),(ν1,ν2)), the probability that e1 is the first edge in E1 taken in A1×A2from q coincides with the probability that e1 is the first edge taken in A1 from (l1,ν1):

PA1×A2(qA∗2→ · e1→) = PA1(q1

e1→ ·) (1)

where qA∗2→ · e1→=⋃

n∈N⋃

(f1,...,fn)∈En2 Cyl(π(q,f1, . . . ,fn,e1)). One can show that (1) is satisfied ifA1 and A2 are almost-surely non-zeno and if for each i ∈ 1,2, for each state q of A1×A2, foreach t, t′ ≥ 0,

fq,i(t+ t′) = (1−Fq,i(t))fq+t,i(t′). (2)

We recall that an infinite run ρ= q1τ1,e1−−→ q2

τ2,e2−−→ q3 . . . is zeno if ∑i≥1 τi <+∞ and that the setof zeno runs can be expressed by

⋃

M∈N

⋂

n∈N0

⋃

(e1,...,en)∈EnCyl(πCM,n(q,e1, . . . ,en))

where CM,n = (τ1, . . . , τn) ∈ Rn+ | τ1 + . . .+ τn ≤M. Moreover, one can show that if C is theclass of stochastic timed automata almost-surely non-zeno, satisfying hypothesis (a) and (b)of Definition 5 and satisfying (2), then the composition is internal and well-defined in C, andsatisfies (1). Since we are interested by the model-checking problem, we would like now tofind an interesting class of stochastic timed automata in which, given an automaton A and anLTL-formula ϕ, we can decide whether the probability that A satisfies ϕ is 1 or not. We try tofind such an interesting class, satisfying all hypothesis of the class C, such that the compositionis internal and well-defined in C, and satisfies (1). Several classes of stochastic timed automatain which we can decide the almost-sure model-checking problem are described in [2], [3] and [4].

References[1] Christel Baier, Nathalie Bertrand, Patricia Bouyer, Thomas Brihaye, and Marcus Größer.

Probabilistic and topological semantics for timed automata. In FSTTCS’07: Foundationsof Software Technology and Theoretical Computer Science, volume 4855 of Lecture Notes inComputer Science, pages 179–191. Springer Berlin Heidelberg, December 2007.

[2] Christel Baier, Nathalie Bertrand, Patricia Bouyer, Thomas Brihaye, and Marcus Größer.Almost-sure model checking of infinite paths in one-clock timed automata. In LICS’08: Logicin Computer Science, pages 217–226, June 2008.

[3] Christel Baier, Nathalie Bertrand, Patricia Bouyer, Thomas Brihaye, Marcus Größer, MarcinJurdziński, and Quentin Menet. Stochastic timed automata. submitted for publication.

[4] Patricia Bouyer, Thomas Brihaye, Marcin Jurdziński, and Quentin Menet. Almost-suremodel-checking of reactive timed automata. In QEST’12: Quantitative Evaluation of Systems,pages 138–147, September 2012.

107

Efficient analysis on very large models

Maxime FolschetteLUNAM Université, École Centrale de Nantes, IRCCyN UMR CNRS 6597

(Institut de Recherche en Communications et Cybernétique de Nantes),1 rue de la Noë, 44321 Nantes, France.

[email protected]

Joint work with: Loïc Paulevé, Morgan Magnin, Olivier Roux

AbstractThe Process Hitting is a recently introduced framework to model concurrent processes. It models

a finite set of components gathering several local states, with a particular form for the actions. In thispaper, we define the reachability problem that aims at deciding if, starting from a given initial state, itis possible to reach a given local state. We also explain the static analysis method that was developedto answer to such problems in polynomial time, instead of the exponential complexity of the usualmodel checkers that apply a brute force approach. Our method thus answers in hundredths of asecond on models with hundreds of components, but at the price of being sometimes inconclusive.

1 Introduction

Creating a coherent model from an existing system is a very challenging task, but analyzing may turnout to be even harder. If we focus on discrete modeling, this kind of problems is recurrent. In biology,for example, it is rather common to build models using a series of local experiment in order to determinethe interactions between several components of the system (genes, proteins, metabolites. . . ). To achievethis, experimenters proceed to gene knockouts (that is, they prevent some genes to express and stop theproduction of the related protein) and then use microarrays to measure the concentration of each otherproteins. The result of such in vivo studies is a model that can gather up to hundreds of components,but several models of this kind can be also combined into a more general pathway, which can containthousands of components.

The problem of being able to efficiently study these models immediately emerges. Formal modelcheckers usually have to compute the whole dynamics of the model in order to analyze and confront itto good properties, often expressed in temporal logics. But the computing of a state graph (even partial)is of exponential complexity, thus preventing the application of these methods to large models. Someresults allow to statically derive some results given the structure of the model. For example, the presenceof some circuits in the regulations between genes is a necessary condition for interesting behaviors suchas oscillations [1]. Although such methods can be of interest, they do not allow precise analysis of thedynamics in order to validate the functionality of a model or predict in vivo behaviors.

In this paper we present an efficient method to compute a specific problem of reachability, thatconsists of checking if, starting from a given initial state of the system, a given component can reacha certain local state. This question is interesting to determine if, for instance, given a configuration ofinputs, a given output can be activated or not. The analysis we present here is applied to a specificrestriction of synchronous automata networks, called Process Hitting [2]. The purpose of this formalismis to model a finite set of local levels, contained into a finite set of components; actions are used to

108

2 M. Folschette, L. Paulevé, M. Magnin, O. Roux

change the local level of a component, and can be triggered by at most one other local level of anothercomponent. Although originally designed for large biological networks, this formalism is general enoughto represent any discrete system. The particular form of its actions allows an efficient analysis of thedynamics [3, 4] that we present in the following, which permits to answer reachability questions inpolynomial time. The main drawback of this approach is the possibility to be inconclusive although thiscase did not occur on the tested examples.

2 The Process Hitting formalism

2.1 Definition

Definition 1 introduces the Process Hitting (PH) [2] which allows to model a finite number of local levels,called processes, grouped into a finite set of components, called sorts. A process is written ai, where a isthe sort’s name, and i is the process identifier within the sort a. At any time, exactly one process of eachsort is active, and the set of active processes is called a state.

The concurrent interactions between processes are defined by a set of actions. Actions describe thereplacement of a process by another of the same sort conditioned by the presence of at most one otherprocess in the current state. An action is denoted by ai→ b j bk, which is read as “ai hits b j to make itbounce to bk”, where ai,b j,bk are processes of sorts a and b, called respectively hitter, target and bounceof the action. We also call a self-hit any action whose hitter and target sorts are the same, that is, of theform: ai→ ai ak.Definition 1 (Process Hitting). A Process Hitting is a triple (Σ,L,H ):• Σ = a,b, . . . is the finite set of sorts;

• L = ∏a∈Σ La is the set of states with La = a0, . . . ,ala the finite set of processes of sort a ∈ Σ andla a positive integer, with a 6= b⇒ La∩Lb = /0;

• H ⊆ ai→ b j bk ∈ La×L2b | (a,b) ∈ Σ2∧b j 6= bk∧a = b⇒ ai = b j is the finite set of actions.

The set of all processes is noted: Proc = ai ∈ La | a ∈ Σ. Given a state s ∈ L, the process of sort a ∈ Σpresent in s is denoted by s[a]. An action h = ai→ b j bk ∈H is playable in s if and only if s[a] = ai

and s[b] = b j. In such a case, (s · h) stands for the state resulting from the play of the action h in s,with (s ·h)[b] = bk and ∀c ∈ Σ,c 6= b,(s ·h)[c] = s[c]. A sequence of actions δ = (h1, . . . ,h|δ |) that aresuccessively playable in s is called a scenario in s, and we note: (s · δ ) = s · h1 · . . . · h|δ |. We denote bySce(s) the set of scenarios in s.Example. Figure 1 represents a PH (Σ,L,H ) with four sorts (Σ = a,b,c,d) and: La = a0,a1,Lb = b0,b1,b2, Lc = c0,c1 and Ld = d0,d1,d2.

2.2 The reachability problem

In this paper, we focus on the reachability of a process (Definition 2), which corresponds to the question:“Is it possible, starting from a given initial state, to play a number of actions so that a given process isactive in the resulting state?”Definition 2 (Reachability question). If ς ∈ L is a state and ai ∈ Proc is a process, we note P(ς ,ai) thereachability question: “Is there a scenario in ς so that, if we play all the actions of this scenario startingfrom ς , ai is active in the resulting state?”; that is, in formal terms:

P(ς ,ai)≡ ∃?δ ∈ Sce(ς),(ς ·δ )[a] = ai .

109

Efficient analysis on very large models 3

a

0

1

b

0

1

2

d

0

1

2

c

0 1

∗

Figure 1: A PH model example with four sorts. Circles represent the processes, boxes represent thesorts, and the actions are drawn by pairs of arrows in solid and dotted lines. The grayed processes andthe asterisk indicate an example of reachability problem P(〈a1,b0,c0,d1〉,d2) as explained in Section 2.2.

In fact, this question can be extended in several manners that will not be tackled here. The originalpaper deals with the question of the successive reachability of a sequence of processes [3], in whichseveral processes are required to be active successively, which is useful, for example, to state that a com-ponent can oscillate. Another interesting question is the simultaneous reachability of several processes;the addition of priorities in the PH [4], in addition to increasing the expressivity of the formalism, allowsto easily answer this question. Finally, we note that the static analysis developed in the following sectionscan also be to some extent generalized to more synchronous automata networks [5].

2.3 Overview of the solution

The method developed here relies on the approximation of the dynamics of a PH model, instead ofcomputing the exact dynamics, which requires an exponential time and memory usage in the size of themodel. Thus, the static analysis we propose only focuses on local dynamics of the model, that is to say,only computes the dynamics of single sorts each time it is necessary. This approximation is based onthe fact that an action ai→ b j bk can only be triggered by (at most) a process ai of another sort (in thecase where ai 6= b j). For example, solving P(ς ,bk) would simply require to recursively solve P(ς ,ai)if ς [b] = b j. In the general case, several actions are needed but the idea is the same. This drasticallydrops the complexity of the method to an almost polynomial complexity in the number of sorts in thewhole model, allowing to answer reachability questions in less than a second on models with hundredsor thousands of sorts.

However, an approximation does not come without drawbacks. Our method relies on two approxima-tions: the under-approximation Q is a sufficient condition to answer “Yes” to the reachability question,and the over-approximation R is a necessary condition, used to answer “No”. Indeed, instead of directlychecking a given reachability question P(ς ,ai), we check Q and R, which is easier as explained above,and use the fact that Q⇒ P(ς ,ai)⇒ R. But in the case where Q is false and R is true, the answer turnsout to be “Inconclusive”, and classical model checking techniques have to be used. Nevertheless, ourmethod has always been conclusive on the examples tested in [3].

110


3 Graphs of local causality

The approximations developed in [3, 4] rely on the construction of graphs called graphs of local causality(GLCs), that permit approximating the dynamics of a PH model. One graph is dedicated to the under-approximation, while the other focuses on the over-approximation. We present an intuitive definition ofthese graphs in the following, and illustrate it with the PH model of Figure 1 and the reachability questionP(ς ,d2) where ς = 〈a1,b0,c0,d1〉.

3.1 Nodes

GLCs contain process nodes, objective nodes and solution nodes as detailed below.

• Process nodes (in Proc) allow to state that the reachability of a given process is needed.

For example, for the reachability question P(ς ,d2), the process d2 will naturally be a node of the graph.Objectives have the form: b j ∗ bk, which stands for the reachability of bk from a state where b j

is present; it is thereby a refinement of a possible process node bk in the GLC, by focusing on thereachability of a process inside a sort from a given initial process. We denote the set of all possibleobjectives as Obj = b j ∗ bk ∈ Lb × Lb | b ∈ Σ. An objective of the form b j ∗ b j is called trivialbecause no action is needed to solve is.

• Objective nodes (in Obj) thus permit to name the source and destination processes of a localreachability.

For example, d1 ∗ d2 denotes the reachability of d2 from the initial process of d in ς , which is d1.Solving an objective b j ∗ bk implies to find a set of actions that locally solves it. This can be done

by analyzing all bounces and targets of actions on the sort b. and computing the paths without loops thatlead from b j to bk. Then, if a sequence of actions solving b j ∗ bk is found, we abstract it by extractingonly the hitters of the actions because they are the only requirement to play the said actions. Such anabstracted set of hitters is called a solution, and we denote Sol=℘(Proc) the set of all possible solutions.A solution indeed abstracts a sequence of actions because only the hitters are kept and the order of theactions is forgotten (as sets are not ordered). The solution for trivial objectives, or objectives that requireonly self-hits, is the empty set.

• Solution nodes (in Sol) are sets of processes that are required to locally solve an objective.

For example, c1,b2 and b1 are the two minimal solutions of the objective d1 ∗ d2 in Figure 1.

3.2 Edges

Edges in a GLC link the different nodes to their requirements. The GLC of the over-approximation isrecursively built the following way:

• A process node bk is linked to the objective of the form: (ς [b]) ∗ bk;

• An objective node is linked to all the minimal solutions that solve it;

• A solution is linked to all the processes it contains.

If a solution is the empty set, then it obviously has no successor, which terminates the recursion.The under-approximation GLC is built in a similar fashion, but a process may be linked to several

additional objective nodes, in order to become sufficient. Indeed, if two processes of a sort b, say, b j and

111

Efficient analysis on very large models 5

bk are needed to solve two different objectives, then we have to ensure that b j and bk are both reachablefrom the initial state process ς [b], but also that b j is reachable from bk and bk is reachable from b j. Thus,new objectives b j ∗ bk and bk ∗ b j are added. This step is executed iteratively until a fixed point isreached.

We note that the complexity of building these graphs is polynomial in the number of sorts and expo-nential in the number of processes in each sort visited (due to the local solving of objectives in order tofind solutions). However, if the model comprises few processes in every sort (i.e. less that four, whichis usual in biological models), then our method can be considered almost polynomial in the number ofsorts, which is very efficient compared to other solutions.Example. Figure 2 gives two examples of GLCs, one for the over-approximation (top) and another forthe under-approximation (bottom), both computed for two different reachability questions on the PHmodel of Figure 1.

d1 ∗ d2

d2

b2 b0 ∗ b2 d1 d1 ∗ d1

b1 b0 ∗ b1 c1 c0 ∗ c1 a0 a1 ∗ a0 (⊥)

d0 ∗ d2

d2

b0 b1 ∗ b0 a1 a1 ∗ a1

b0 ∗ b0

b1 b1 ∗ b1

b0 ∗ b1 c1 c1 ∗ c1

Figure 2: (top) Over-approximation GLC for P(〈a1,b0,c0,d1〉,d2); (bottom) Under-approximation GLCfor P(〈a1,b1,c1,d0〉,d2); both computed on the PH of Figure 1. Process nodes are in boxes, solutionnodes are the small circles (and are not detailed) and objective nodes are the nodes with no border.

4 Necessary and sufficient conditions

Finally, the two computed GLCs can be used in order to conclude on the initial reachability questionP(ς ,ai) (Theorem 3 and Theorem 4). Checking these theorems is of polynomial complexity in thenumber of nodes they contain, which is limited by the size of the model.Theorem 3 (Over-approximation). If, starting from the process ai in the over-approximation GLC, thereexists no path with no loop such that, from an objective node, exactly one linked solution node is traversedand, from any other node, all linked nodes are traversed, then P(ς ,ai) is false.Theorem 4 (Under-approximation). If the under-approximation GLC has no cycle and all its leaves aresolution nodes, then P(ς ,ai) is true.Example. By applying Theorem 3 on Figure 2(top), we can conclude that P(〈a1,b0,c0,d1〉,d2) is wrongbecause all paths lead to a1 ∗ a0 which has no solution. Conversely, with Theorem 4 we can concludethat P(〈a1,b1,c1,d0〉,d2) is true because all leafs of on Figure 2(bottom) are solutions.

112


5 Application to large models

The method presented here was implemented into the Pint1 library which gathers tools dedicated to PH,and applied on four biological models as detailed in [3]. In a nutshell, all models studied have between42 and 193 sorts, amongst them what we call inputs (resp. outputs), that is, sorts whose processes arenot the target (resp. the hitter) of any actions. For all the possible combinations of the inputs (that can beeither “active” or “inactive”) the reachability of an “active” state for each output was computed.

The implementation could answer in less than a tenth of a second for each reachability question.These computation times were compared to the classical model checkers Biocham [6] and libDDD [7],for which the solving of the same reachability questions took at least 1 second and in many cases did notterminate due to lack of memory. Furthermore, our method was always conclusive, that is, Theorem 3 orTheorem 4 could always be used in order to conclude, thus leading to no inconclusive analysis. Thesesexamples prove that the approximations developed in the previous sections are very efficient and allowan unprecedented study of very large models.

6 Conclusion

We summarized in this paper the static analysis developed in [3] and later extended in [4]. This analysisis applicable to a class of models called Process Hitting that is a restriction of synchronous automatanetworks, and aims at determining if a local state of a component in the model can be attained from agiven initial state. It consists in approximating the dynamics of the whole model by considering localreachabilities (objectives) and sets of local state requirements (solutions) to solve them. It turns out tobe very efficient by making tractable the study of models with up to hundreds of components, whileclassical model checkers take much more time of fail due to memory limitations.

References[1] A. Richard and J.-P. Comet, “Necessary conditions for multistationarity in discrete dynamical systems,” Dis-

crete Applied Mathematics, vol. 155, no. 18, pp. 2403 – 2413, 2007.[2] L. Paulevé, M. Magnin, and O. Roux, “Refining dynamics of gene regulatory networks in a stochastic π-

calculus framework,” in Transactions on Computational Systems Biology XIII, pp. 171–191, Springer, 2011.[3] L. Paulevé, M. Magnin, and O. Roux, “Static analysis of biological regulatory networks dynamics using

abstract interpretation,” Mathematical Structures in Computer Science, vol. 22, no. 04, pp. 651–685, 2012.[4] M. Folschette, L. Paulevé, M. Magnin, and O. Roux, “Under-approximation of reachability in multivalued

asynchronous networks,” Electronic Notes in Theoretical Computer Science, vol. 299, pp. 33 – 51, 2013. 4thInternational Workshop on Interactions between Computer Science and Biology (CS2Bio’13).

[5] L. Paulevé, G. Andrieux, and H. Koeppl, “Under-approximating cut sets for reachability in large scale au-tomata networks,” in Computer Aided Verification (N. Sharygina and H. Veith, eds.), vol. 8044 of LectureNotes in Computer Science, pp. 69–84, Springer Berlin Heidelberg, 2013.

[6] F. Fages and S. Soliman, “Formal cell biology in Biocham,” in Formal Methods for Computational SystemsBiology, pp. 54–80, Springer, 2008.

[7] J.-M. Couvreur, E. Encrenaz, E. Paviot-Adet, D. Poitrenaud, and P.-A. Wacrenier, “Data decision diagramsfor Petri net analysis,” in Application and Theory of Petri Nets 2002, vol. 2360 of Lecture Notes in ComputerScience, pp. 101–120, Springer, 2002.

1The source of Pint and the examples mentioned here are available at: http://loicpauleve.name/pint/

113

Quantitative verification : deciding temporal logics withnumerical assertions

Patrick GARDYLSV, ENS-Cachan and CNRS

[email protected]

Abstract

Extending formal verification techniques to handle quantitative aspects, both for the models andfor the properties to be checked, has become a central research topic over the last twenty years.Following several recent works, we study model checking for (one-dimensional) weighted Kripkestructures with positive and negative weights, and temporal logics constraining the total and/or av-erage weight. We prove decidability when only accumulated weight is constrained, while allowingaverage-weight constraints alone already is undecidable. We also show the decidability for a flatfragment of our extension of LTL in the multi-dimensional setting.

Introduction

Checking if a program behaves according to its intended specification is a necessity for obvious reasonsand numerous examples have confirmed the need for such theory (bugs in finance, aero-spacial or health-related programs have been released in the media).

Qualitative verification, the collection of methods to ensure that a system behaves according to itsintended behaviour, has been studied intensively for the last 50 years and is now well understood. Weare interested in two large areas : temporal logics and automata theory. But many practical problems arenot suited for qualitative verification : system may run on energy, and resources constraints or optimalconsumption are not taken into account. We may also want, given a system and an objective, to opti-mise the path leading to the objective for a maximal gain. Researchers hence have developed a theoryfor quantitative verification, ensuring basic properties but with important constraints on the energy con-sumption, or energy harvesting of a system. The theory around quantitative languages or the problemsrelated to weighted games ([3]) are perfect examples of the quantitative aspects that verification may take.

We are interested in mixing qualitative and quantitative properties. This has already been studiedin restricting settings ([7, 8, 9, 10]). Notorious examples being among counter automata theory, en-ergy/mean pay-off parity games, extensions of second order logics and extension of temporal logics tothe weighted settings. Our work belongs to the last one, but many of our results will be linked to theothers areas. In particular we are interested in improvements of the usual temporal logics on systemsusing discrete resources that can be both positive or negative. To model the system under considerationwe use discrete weighted Kripke structures (Kripke structure with weights on the edges).

Introduced around 30 years ago ([11, 6]), the logics CT L, LT L and CT L∗ are well known and wellstudied in the field of verification. Such logics allow to express numerous qualitative properties about

114

2 P. GARDY

the existence of a path in a structure such has ”may we find a path that reaches a state labelled with p” or”is there an infinite path that never sees a state labelled p just after seeing a state labelled q”. The modelchecking problem over Kripke structures (deciding if a given structure satisfies a given formula) for the3 temporal logics are well understood and efficient tools have been developed.

Weighted temporal logics (WCTL and WLTL) and weigthed Kripke structure

First we define the structure under consideration :

Definition 1 (Weighted Kripke structure).Let AP be a finite set of atomic propositions. A weighted Kripke structure over AP is a tuple K = (S,R, `)where S is a finite set of states, R⊆ S×W ×S (where W ⊆ is the set of weights of K, which we assumeare given in binary notation) is a weighted transition relation (which we assume total, meaning that forall s ∈ S, there exists w ∈W and s′ ∈ S s.t. (s,w,s′) ∈ R), and ` : S→ 2AP is a function labelling the stateswith atomic propositions.

Paths are defined as usual, the weight w(π) of a path π is the accumulation of the weights along theedges of π .

In [2], the authors study extensions of CT L and LT L that we will call WCT L and WLT L (definitionbelow). They show that for 2 or more variables both logics have undecidable model checking, and provethe decidability of a severe restriction of WCT L (a EF-fragment of WCT L). They, however, leave the onevariable case untouched. We draw a clear picture of the one variable case, some results being adaptationof already existing works, other being new.

Definition 2 (Numerical assertions over the variable x).A numerical assertions α is either of the form sum(x) ./ c or avg(x) ./ c with c ∈Q and ./∈ <,≤,=,6=,>,≥.

We can now define WCT L and WLT L :

Definition 3 (WCT L, WLT L).

WCT L ∈ ζ := p|α|¬ζ |ζ ∧ζ |EXζ |EζUζ |AXζ |AζUζ

WLT L ∈ ϕ := p|α|¬ϕ|ϕ ∧ϕ|ϕUϕ|Xϕ

We denote WCTLsum and WLTLsum the restrictions of WCTL and WLTL to formula using onlyone variable and only sum assertions. Formula from WLTL,WCTL are checked over weighted Kripkestructure :

We suppose all constants are stored in binary, the representation has an influence on complexityresults. The semantics of numerical assertions is defined on finite runs π of a weighted Kripke structureK as follows :

π |= sum(x)∼ c iff w(π)∼ c

π |= avg(x)∼ c iff w(π)∼ c · |π|

The semantics of WCTL is defined inductively, on the execution tree of a weighted Kripke structure.Let K be a weighted Kripke structure and (s0,w0) be an initial configuration. Let T be the executiontree of K ; fix a branch π of T , a position i∈N along π , we define π≤i as the restriction of π to positions

115

Quantitative verification : deciding temporal logics with numerical assertions 3

j ≤ i and π(i) as the node of π at position i. We write B(T ) the set of branchs of T . The semantics ofWCTL is defined as follows (atomic propositions and boolean operators omitted):

T ,π, i |= α iff π(i) |= αT ,π, i |= EX(φ) iff ∃π ′ ∈ B(T ). (π≤i = π ′≤i and T ,π ′, i+1 |= φ)T ,π, i |= AX(φ) iff ∀π ′ ∈ B(T ). (π≤i = π ′≤i ⇒ T ,π ′, i+1 |= φ)

T ,π, i |= E(φ1Uφ2) iff ∃π ′ ∈ B(T ).∃ j ≥ i. (π≤i = π ′≤i and

T ,π ′, j |= φ2 and ∀i≤ k < j. T ,π ′,k |= φ1)

T ,π, i |= A(φ1Uφ2) iff ∀π ′ ∈ B(T ).∃ j ≥ i. (π≤i = π ′≤i ⇒T ,π ′, j |= φ2 and ∀i≤ k < j. T ,π ′,k |= φ1)

The semantics of WLTL is defined inductively over infinite runs of a weighted Kripke structure. Let Kbe a weighted Kripke structure, π be an infinite run in K from some initial configuration (s0,w0), andi ∈ be a position along π . The semantics of WLTL is defined as follows (simple cases omitted):

π, i |= α iff π≤i |= απ, i |= X(φ) iff π, i+1 |= φπ, i |= φ1Uφ2 iff ∃ j ≥ i. (π, j |= φ2 and ∀i≤ k < j. π,k |= φ1)

Using only sum assertions

When only sum assertions are allowed in the formula, if 2 or more variables are allowed we get un-decidability ([2]) but with only one variable, we regain decidability. Simple reductions can be madeto obtain the same complexity as for model checking of CT L/LT L over succinct one-counter automata(one-counter automata where integers are stored in binary). The model checking problem for succinctone-counter automata has been studied for CT L in [9] and for LT L in [7].

Theorem 4. The model checking of WCTLsum is EXPSPACE complete and the model checking of WLTLsum

is PSPACE-complete.

Adding average assertions

If we allow average assertions in the formula, even in the one variable case the model checking becomesundecidable. The proof uses a reduction from two counter automata, and encodes the values of thecounters in the length of the path. The formula used in the proof being of type E(aUb), the result worksfor both logics.Theorem 5. The model checking of both WCTL and WLTL are undecidable

Idea behind the proof. We do a reduction from the non-emptiness problem for two counter automata tothe model checking of a formula of WCTL/WLTL. The two counter are encoded in the length of the path: a path of length n = 2c1 ∗3c2 ∗5a for some a ∈ N will code a configuration of the two counter machinewhere the first counter is equal to c1 and the second to c2. Incrementation of the first/second counter aredone by multiplying the length of the path by 2 or 3 and decrementation by multiplying the length of thepath by 5/2 or 5/3. The behaviour of the system being enforced by the formula.

116

4 P. GARDY

A decidable fragment of WLTL

We also exhibit a fragment flat-WLT L of WLT L that is decidable, even for several variables. Such re-striction seems more suited than the EF-fragment of WCT L considered in [2] for practical applications :model checking of our fragment is in NEXPTIME while the EF-fragment is as hard as Presburguer arith-metic satisfiability and the known upper-bound is quite high (lower bound: 2-NEXPTIME, 4-EXPTIMEupper bound). Sadly, everything comes at a cost and the merging part of quantitative and qualitativeaspects is affected in a non negligible way.

Flat-WT LT allows one to express combination of numerical assertions and atomic propositions asobjectives the path must see at some point, but forbids any quantitative control on the way to get to anobjective, only a qualitative control can be apply.

Definition 6 (flat-WLTL).

f lat−WLT L ∈ ϕ := p|¬p|α|ϕ ∨ϕ|ϕ ∧ϕ|Xϕ|Gψ|ψUϕ

with ψ a LTL formula.

Theorem 7. The model checking of flat-WLTL is decidable in NEXPTIME

Idea behind the proof. We combine the traditional automata approach with a reduction toward the satisfi-ability of an existential Presburguer Arithmetic formula. Due to the structure of flat-WLTL, the existenceof an accepting path satisfying a given formula can be witnessed by the existence of a finite path, andsuch witness can be decomposed into finitely many subpath where quantitative specifications are onlychecked at the end of the subpath.

Given ϕ a flat-WLTL formula and Q a weighted Kripke structure, we first do a non deterministiclabelling of the tree of ϕ , such labelling is chosen non deterministically which quantitatives objectivesmust be satisfied, and in which order. We then reduce (using the labelled tree of ϕ) the model checkingof ϕ over Q to the existence of finitely many paths that can be put together to get the witness in someweighted automata. Finally we reduce existence of said paths to the satisfiability of a Presburguer arith-metic formula (using the idea developed in [2], but without the segmentation, which is not need in ourcase).

In the end the algorithm works in NEXPTIME : a non-deterministic polynomial labelling of theformula, an exponential construction (from the formula to a bunch of automata), and an NP algorithm onthe exponential construction.

Present and future work : extension of ATL

From weighted Kripke structures, we know want to study concurrent systems, in particular games involv-ing multiples agents (both turn based or not). We are interested in contributing in a more general fashionto the subject of quantitative considerations in ATL. Hence our efforts now focus on finding extensionsof ATL and ATL* (game and multi-agent version of CTL and CTL*) to the quantitative setting whosemodel checking remains decidable.

Some work already exists in this domain, but most of the expressive logics introduced are undecid-able (see [5, 4] for example), hence need to be either restricted or modified. The resource-bound logic

117

Quantitative verification : deciding temporal logics with numerical assertions 5

developed in [1] is an interesting logic, decidable in polynomial time (for a fixed number of resources)but in some aspects lacks expressiveness. Moreover such logic uses costs on strategies while we aim fora logic with cost as objectives. We hope to contribute in finding the line separating decidable logics fromundecidable ones on weighted games process with multiples agents.

References[1] Natasha Alechina, Brian Logan, Abdur Rakib, and Nguyen Hoang Nga. Resource-bounded alternating-time

temporal logic, 2010.[2] Udi Boker, Krishnendu Chatterjee, Thomas A. Henzinger, and Orna Kupferman. Temporal specifications

with accumulative values. In Proceedings of the 26th Annual Symposium on Logic in Computer Science(LICS’11), pages 43–52. IEEE Comp. Soc. Press, June 2011.

[3] Patricia Bouyer, Uli Fahrenberg, Kim Gulstrand Larsen, Nicolas Markey, and Jiri Srba. Infinite runs inweighted timed automata with energy constraints. In Franck Cassez and Claude Jard, editors, Proceedingsof the 6th International Conferences on Formal Modelling and Analysis of Timed Systems, (FORMATS’08),volume 5215 of Lecture Notes in Computer Science, pages 33–47. Springer-Verlag, September 2008.

[4] Nils Bulling and Berndt Farwer. On the (un-)decidability of model checking resource-bounded agents. InECAI, volume 215 of Frontiers in Artificial Intelligence and Applications. IOS Press, 2010.

[5] Nils Bulling and Valentin Goranko. How to be both rich and happy: Combining quantitative and qualitativestrategic reasoning about multi-player games (extended abstract). In SR, pages 33–41, 2013.

[6] Edmund M. Clarke and E. Allen Emerson. Design and synthesis of synchronization skeletons usingbranching-time temporal logic. In Dexter C. Kozen, editor, Proceedings of the 3rd Workshop on Logicsof Programs (LOP’81), volume 131 of Lecture Notes in Computer Science, pages 52–71. Springer-Verlag,1982.

[7] Stephane Demri and Regis Gascon. The effects of bounding syntactic resources on Presburger LTL. Journalof Logic and Computation, 19(6):1541–1575, December 2009.

[8] E. Allen Emerson and Richard J. Trefler. Generalized quantitative temporal reasoning. Technical Report96-20, Department of Computer Science, University of Texas at Austin, USA, 1996.

[9] Stefan Goller, Christoph Haase, Joel Ouaknine, and James Worrell. Model checking succinct and parametricone-counter automata. In Samson Abramsky, Cyril Gavoille, Claude Kirchner, Friedhelm Meyer auf derHeide, and Paul G. Spirakis, editors, Proceedings of the 37th International Colloquium on Automata, Lan-guages and Programming (ICALP’10) – Part II, volume 6199 of Lecture Notes in Computer Science, pages575–586. Springer-Verlag, July 2010.

[10] Francois Laroussinie, Nicolas Markey, and Philippe Schnoebelen. Efficient timed model checking fordiscrete-time systems. Theoretical Computer Science, 353(1-3):249–271, March 2006.

[11] Amir Pnueli. The temporal logic of programs. In Proceedings of the 18th Annual Symposium on Foundationsof Computer Science (FOCS’77), pages 46–57. IEEE Comp. Soc. Press, October-November 1977.

118

Model-based Probabilistic Incremental Verification forEvolving Systems

Sinem GetirReliable Software Systems Group

Stuttgart, [email protected]

AbstractQuantitative attributes such as reliability, safety and performance are important in the design and

development of software systems. Verification of quantitative attributes via probabilistic QoS modelshas been a challenge for many years. The difficulty increases rapidly when the software evolves andadapt in order to comply with the requirements. Re-verifying of an evolving system multiple times isexpensive. Recently, incremental approaches have been found to be promising for software evolutionand self-* systems. However, substantial improvements have not yet been achieved for evaluatingstructural changes in the model. In this paper, an incremental verification framework is discussed toallow efficient evaluation of the changing models.

1 Introduction

Verifying quality of service (QoS) attributes such as safety, reliability, and performance is usually per-formed via probabilistic models [5][1]. Modern software alters continuously and adapts to changes toimprove software quality.

Re-analysis of multiple versions of models is required when the system evolves and its environmentchanges over time. In particular, actions taken especially at run-time are often time critical. On thecontrary, because of the complexity of the models, a complete re-evaluation of a quality model is timeconsuming. If the software engineers are considering multiple alternatives for possible system changesthat need to be verified, for quality evaluations will be a bottleneck in the decision-making process.Consequently, new specific solutions are needed to reduce the time required for quality re-evaluationafter a change occurs.

To achieve new incremental methods on probabilistic models, a good understanding of the modelsis required. In other words, the definition of incremental verification procedures requires definition ofthe model structures and their possible changes. Probabilistic models (such as fault trees, discrete timeMarkov chains, continuous time Markov chains for safety, reliability and performance respectively) canhave two type of changes: structural and parametric changes [2][4]. Compared to the overall complexityof the quality evaluation models, these changes affect only a part of the model (system). However, mostof the-state-art verification approaches requires re-analyzing the entire system.This paper discusses astrategy for the incremental verification of broad variety of probabilistic models.

2 Challenges of Incremental Verification

This section briefly explains the challenges of model based incremental verification approaches.

119

2

2.1 Choosing the input model

Choosing an input model for the QoS model analysis is a trade-off between the expressiveness of themodel and complexity of the analysis. Some of the most widely used probabilistic models and theirusage for quality evaluation are as follows:

• Reliability models:Discrete time Markov chains, Markov decision processes [5]

• Performance models:Continuous time Markov chains, petri nets, queuing models [1]

• Safety evaluation models:Fault Tree Analysis (FTA) and Failure Mode and Effects Analysis (FMEA) [10], timed automata[9]

Every model has different purposes with changing complexity as well as their expressiveness. Forinstance, petri nets are very expressive when the systems are concurrent and have performance concerns.Timed automata can be used for real-time systems reliability and safety evaluation. Additionally, theycan be extended whenever a certain type of information is needed for the analysis (etc. Markov chainsAugmented with rewards to represent cost or energy). The challenge appears when applying an incre-mental verification procedure for all modeling aspects. The question is then whether a generic frameworkcan be created into which probabilistic models can be translated to apply incremental algorithm.

2.2 Identifying the changes

We begin by classifying the changes as either run-time and design time changes in order to emphasizehow the changes are observed and identified. Continues monitoring techniques will be used to obtain therun-time changes and update the model. Design time changes can be propagated via model transforma-tions. This classification is not critical to handle the changes in the verification algorithm however it isimportant to understand the manner in which changes can be obtained.

A second classification is used to specify the type of changes that are important for the incrementalprocedure: parametric and structural changes. Parametric changes in a probabilistic models occur due tothe system call frequency and usage profile at run-time. They can, however, appear at design time basedon the design decisions. Triple graph transformations are currently used to identify the model changes inour approach.

2.3 Ensuring the global properties after partial re-analysis

Two steps are required to ensure that global properties are maintained after a partial re-analysis.

2.3.1 Identifying the smallest to be re-analyzed

Whenever model undergoes changes, the altered part will eventually affect some parts of the modeland the analysis should be adjusted accordingly. Analysis of the affected model can be considered thecore of the incremental analysis, as it involves finding the smallest part to re-analyze. This analysis isalso related to the power of incremental procedure to handle both parametric and structural changes.Handling parametric changes has recently improved significantly [4][6][3][8]. However handling thestructural changes for incremental analysis is still an existing problem.

120

3

2.3.2 Propagating the changes

After the detection of the affected part, analysis can be performed by propagating the changes on thispart. This propagation can be achieved efficiently depending on the input model expressiveness andanalysis complexity.

3 Research and Validation Plan

This section discusses the research map to achieve an incremental verification approach for probabilisticsystems.

Firstly we propose a strategy that can speed up quality evaluation during the software evolution.This simplifies the process by determining the changes only to the part of the model in which changesoccur, and propagates the result to compute the probabilistic analysis. Such methods are called deltaevaluation techniques and can be considered an incremental verification procedure. To be able to applyindividual techniques to the probabilistic quality evaluation models, we will generalize the methodsbased on promising models such as stochastic regular expressions and interactive Markov chains [7].Syntax driven techniques are providing promising results to identify changed part in the syntax tree andpropagate the verification metrics by using attribute grammars [2].

Secondly, we will integrate the incremental verification framework with the graph transformationapproaches developed for the change detection of the models. A general overview of the approach isgiven in Fig 1. The framework introduced in Fig 1 is provided for fault tree input model - as an exampleof probabilistic model and architectural model. The analysis framework is labeled with “A” in the frameof the figure and describes the analysis approach that takes the delta model and translates it to a genericmodel. The other parts of the figure shows the ways how delta calculation are used as an input for theanalysis.

Validation of this approach is planned by comparison with conventional approach and state-of-the-art probabilistic model checking tools. Slow down behavior can be observed for the initial input sinceit is translated and constructed on a generic model. However the speed up is expected when the modelevolves with partial changes considering its large size and high complexity.

4 Acknowledgments

This research has been supported by the DFG (German Research Foundation) under the Priority Pro-gramme SPP1593: Design For Future - Managed Software Evolution.

References

[1] Simonetta Balsamo, Antinisca Di Marco, Paola Inverardi, and Marta Simeoni. Model-based performanceprediction in software development: A survey. IEEE Trans. Software Eng., 30(5):295–310, 2004.

[2] Domenico Bianculli, Antonio Filieri, Carlo Ghezzi, and Dino Mandrioli. A syntactic-semantic approach toincremental verification. CoRR, abs/1304.8034, 2013.

[3] Antonio Filieri, Carlo Ghezzi, and Giordano Tamburrelli. Run-time efficient probabilistic model checking.In ICSE, pages 341–350, 2011.

[4] Vojtech Forejt, Marta Z. Kwiatkowska, David Parker, Hongyang Qu, and Mateusz Ujma. Incremental runtimeverification of probabilistic systems. In RV, pages 314–319, 2012.

121

4

Figure 1: Approach Overview During Software Evolution

S1 S2

FT2

monitoring

A

GENERIC MODELFT2

monitoring

RunningSystem

2

1

S

T

T

b*T

b*T

b

+T

T

b

+T

b*T

b

References

1

2

2

[5] Katerina Goseva-Popstojanova and Kishor S. Trivedi. Architecture-based approach to reliability assessmentof software systems. Perform. Eval., 45(2-3):179–204, 2001.

[6] Ernst Moritz Hahn, Holger Hermanns, and Lijun Zhang. Probabilistic reachability for parametric markovmodels. In Proceedings of the 16th International SPIN Workshop on Model Checking Software, pages 88–106, Berlin, Heidelberg, 2009. Springer-Verlag.

[7] Holger Hermanns. Interactive Markov Chains: The Quest for Quantified Quality, volume 2428 of LectureNotes in Computer Science. Springer, 2002.

[8] Indika Meedeniya and Lars Grunske. An efficient method for architecture-based reliability evaluation forevolving systems with changing parameters. In ISSRE, pages 229–238, 2010.

[9] Claudia Priesterjahn, Dominik Steenken, and Matthias Tichy. Timed hazard analysis of self-healing systems.In Assurances for Self-Adaptive Systems, pages 112–151. 2013.

[10] William E Vesely, Francine F Goldberg, Norman H Roberts, and David F Haasl. Fault tree handbook.Technical report, U.S. Nuclear Regulatory Commission, NUREG–0492, 1981.

122

Metric assume-guarantee reasoning withProbabilistic Process Calculi

Daniel GeblerVU University Amsterdam (NL)

[email protected]

Kim G. LarsenAalborg University (DK)

[email protected]

Simone TiniUniversity of Insubria (IT)

[email protected]

Abstract

We present recent results that explore which operators of probabilistic process calculi allow forcompositional reasoning with respect to bisimulation metric semantics. We consider various com-positionality properties proposed in the literature and argue that the modulus of continuity of thecompositionality property defines the maximal process replication behavior that is allowed for pro-cess combinators. Combining these results, we demonstrate how compositional reasoning aboutsystems specified by continuous process algebra operators allows for metric assume-guarantee likeperformance validation.

1 Introduction

We study compositional reasoning over probabilistic processes. A probabilistic process is specified bya process term of some probabilistic process algebra. The operational semantics of a process term isa probabilistic nondeterministic transition system [9] with transitions derived from SOS rules in theprobabilistic GSOS format [2, 8].

In order to specify and verify systems in a compositional manner, it is necessary that the behavioralsemantics is compatible with all operators of the language that describe these systems. For behavioralequivalence semantics there is the common agreement that compositional reasoning requires that the con-sidered behavioral equivalence is a congruence wrt. all operators. On the other hand, for behavioral met-ric semantics there are several proposals of properties that operators should satisfy in order to facilitatecompositional reasoning. Most prominent examples are non-expansiveness [4], non-extensiveness [1],Lipschitz continuity [7] and uniform continuity [6].

Our main results are as follows (originally [6, 7]):

1. We show that all non-recursive process combinators, esp. (nondeterministic and probabilistic vari-ants of each of) sequential, alternative and parallel composition, are non-expansive (and hence alsocontinuous).

2. We show that the recursive process combinators finite iteration and finite replication are continu-ous, but not non-expansive.

3. We apply those results to reason about a network protocol and derive from performance assump-tions about single components performance guarantees on the entire system, and in reverse derivefrom performance guarantees about the entire system performance requirements on the compo-nents.

123

2 D. Gebler, K. Larsen, S. Tini

a.n⊕

i=1

[pi]xia−→

n⊕

i=1

piδ(xi)

xa−→ µ

x + ya−→ µ

ya−→ ν

x + ya−→ ν

xa−→ µ y

a−→6x +p y

a−→ µ

xa−→6 y

a−→ ν

x +p ya−→ ν

xa−→ µ y

a−→ ν

x +p ya−→ µ⊕p ν

Table 1: Non-extensive process algebra operators

2 Preliminaries

All technical preliminaries may be found in [6, 7]. We repeat only the key definitions here.Let T(Σ) be the set of closed state terms over some signature Σ. By ∆(T(Σ)) we denote the set of all

probability distributions on T(Σ).

Definition 1 (PTS). A probabilistic nondeterministic labeled transition system (PTS) is a triple (T(Σ),A,−→),where Σ is a signature, A is a countable set of actions, and −→⊆ T(Σ)×A×∆(T(Σ)) is a transition relation.

We define bisimulation metric as the quantitative analogue to bisimulation equivalence [9]. A 1-bounded pseudometric is a function d : T(Σ)×T(Σ)→ [0,1] with (i) d(t, t) = 0, (ii) d(t, t′) = d(t′, t), and(iii) d(t, t′) ≤ d(t, t′′) + d(t′′, t′), for all t, t′, t′′ ∈ T(Σ). We order 1-bounded pseudometrics by d1 v d2 iffd1(t, t′) ≤ d2(t, t′) for all t, t′ ∈ T(Σ).

A 1-bounded pseudometric on terms T(Σ) is lifted to a 1-bounded pseudometric on distributions∆(T(Σ)) by means of the Kantorovich pseudometric. This lifting corresponds to the lifting of bisimulationequivalence relations on terms to bisimulation equivalence relations on distributions [3]. A matchingω ∈ ∆(T(Σ)×T(Σ)) for (π,π′) ∈ ∆(T(Σ))×∆(T(Σ)) must satisfy

∑t′∈T(Σ)ω(t, t′) = π(t) and

∑t∈T(Σ)ω(t, t′) =

π′(t′) for all t, t′ ∈ T(Σ). Let Ω(π,π′) be the set of all matchings for (π,π′). The Kantorovich pseudometricK(d) : ∆(T(Σ))×∆(T(Σ))→ [0,1] for a pseudometric d : T(Σ)×T(Σ)→ [0,1] is defined by K(d)(π,π′) =

minω∈Ω(π,π′)∑

t,t′∈T(Σ) d(t, t′) ·ω(t, t′) for all π,π′ ∈ ∆(T(Σ)).A 1-bounded pseudometric is a bisimulation metric if for all pairs of terms t and t′ each transition

of t can be mimicked by a transition of t′ with the same label and the distance between the accessibledistributions does not exceed the distance between t and t′.

Definition 2 (Bisimulation metric [4]). A 1-bounded pseudometric d on T(Σ) is a bisimulation metric iffor all t, t′ ∈ T(Σ) with d(t, t′) < 1, if t

a−→ π then there exists a transition t′a−→ π′ with K(d)(π,π′) ≤ d(t, t′).

The smallest (wrt. v) bisimulation metric, notation d, is called bisimilarity metric. Bisimilarityequivalence [9] is the kernel of the bisimilarity metric, i.e. d(t, t′) = 0 iff t and t′ are bisimilar.

3 Compositional Metric Reasoning over Non-recursive processes

Non-extensiveness and non-expansiveness are compositionality properties based on the p-norm. Theyallow for compositional reasoning over probabilistic processes that are built of non-recursive operators.Non-extensiveness and non-expansiveness are very strong forms of uniform continuity. For instance, anon-expansive operator ensures that the distance between the composed processes is at most the sum ofthe distances between its parts.

124

Metric assume-guarantee reasoning 3

xa−→ µ a ,

√

x;ya−→ µ;δ(y)

x√−−→ µ y

a−→ ν

x;ya−→ ν

xa−→ µ y

a−→ ν

x | y a−→ µ | νx

a−→ µ

x ||| y a−→ µ ||| δ(y)

ya−→ ν

x ||| y a−→ δ(x) ||| νx

a−→ µ ya−→ ν a ∈ B\ √

x ||B ya−→ µ ||B ν

xa−→ µ a < B∪√

x ||B ya−→ µ ||B δ(y)

ya−→ ν a < B∪√

x ||B ya−→ δ(x) ||B ν

x√−−→ µ y

√−−→ ν

x ||B y√−−→ δ(0)

xa−→ µ y

a−→6x |||p y

a−→ µ |||p δ(y)

xa−→6 y

a−→ ν

x |||p ya−→ δ(x) |||p ν

xa−→ µ y

a−→ ν

x |||p ya−→ µ |||p δ(y)⊕p δ(x) |||p ν

Table 2: Non-expansive process algebra operators

Definition 3 (Non-extensive operator). An operator f ∈ Σ is p-non-extensive for p ∈ [1,∞] if

d( f (t1, . . . , tn), f (t′1, . . . , t′n)) ≤

(∑ni=1 d(ti, t′i )

p)1/p

if p ∈ [1,∞)

maxni=1 d(ti, t′i ) if p =∞

for all closed terms ti, t′i ∈ T(Σ). An operator f is non-extensive if f is∞-non-extensive.Proposition 4. The process algebra operators action-prefix and (nondeterministic and probabilistic)alternative composition (as specified in Table 1) are non-extensive.Definition 5 (Non-expansive operator). An operator f ∈ Σ is non-expansive if

d( f (t1, . . . , tn), f (t′1, . . . , t′n)) ≤

n∑

i=1

d(ti, t′i )

for all closed terms ti, t′i ∈ T(Σ).Proposition 6. All standard non-recursive process algebra operators (as specified in Tables 1 & 2) arenon-expansive.

Continuity generalizes non-extensiveness and non-expansiveness and captures the essential natureof compositional reasoning wrt. behavioral pseudometrics. A continuous binary process combinatorf ensures that for any non-zero bisimulation distance ε (understood as the admissible tolerance fromthe operational behavior of the composed process f (t1, t2)) there are non-zero bisimulation distances δ1and δ2 (understood as the admissible tolerances from the operational behavior of the processes t1 andt2) such that the distance between the composed processes f (t1, t2) and f (t′1, t

′2) is at most ε whenever

the component t′1 (resp. t′2) is in distance of at most δ1 from t1 (resp. at most δ2 from t2). Continuity ascompositionality property allows to reason compositionally over probabilistic processes and probabilisticprograms that are composed by both recursive and non-recursive operators. We consider the uniformnotion of continuity because we aim for universal compositionality guarantees.Definition 7 (Continuous operator). An operator f ∈ Σ is continuous if for all ε > 0 there are δ1, . . . , δn > 0such that

∀i = 1, . . . ,n.d(ti, t′i ) < δi =⇒ d( f (t1, . . . , tn), f (t′1, . . . , t′n)) < ε

for all closed terms ti, t′i ∈ T(Σ).Proposition 8. The finitely bounded recursive process algebra operators of iteration and replication andprobabilistic bang (as specified in Table 3) are continuous.

Continuous operators are the cornerstone for metric assume-guarantee like performance validationusing probabilistic process algebras (see next section).

125


xa−→ µ

xn+1 a−→ µ;δ(xn)

xa−→ µ

xωa−→ µ;δ(xω)

xa−→ µ

x∗ya−→ µ;δ(x∗y)

ya−→ ν

x∗ya−→ ν

xa−→ µ

!n+1xa−→ µ ||| δ(!nx)

xa−→ µ

!xa−→ µ ||| δ(!x)

xa−→ µ

!pxa−→ µ⊕p (µ ||| δ(!px))

Table 3: Continuous process algebra operators

4 Metric assume-guarantee reasoning

We will exemplify the discussed compositional reasoning method by analyzing a communication pro-tocol. We show how to derive from specified performance properties of the protocol individual perfor-mance requirements of its respective components. This justifies both continuity as adequate propertyfor compositional reasoning as well as bisimulation metric semantics as a suitable distance measure forperformance validation of communication protocols.

We study the bounded retransmission protocol (BRP) that allows to transfer streams of data fromsome sender (e.g. a remote control RC) to some receiver (e.g. a TV). The RC tries to send to the TV astream of n data, d0, . . . ,dn−1, with each di a member of the finite data domain D. The length n of thestream is bounded by a given N. Each datum is sent separately and has probability p to get lost. Whenthe TV receives a data element di, it sends back a message to the RC, to acknowledge the reception; thisacknowledgment may also get lost, with probability q. If the RC does not receive the acknowledgmentfor di within a given time, it assumes that di got lost and retries to transmit it. However, the maximalnumber of attempts is T . Since the acknowledgment may get lost, it may happen that the RC sends morethan once the same datum di notwithstanding that it was correctly received by the TV. Therefore the RCattaches a control bit b to each datum di that it sends to the TV, so that the TV can recognize whether thisdatum is original or already received. Data items at even positions, i.e. d2k for some k ∈ N, get controlbit 0 attached, and data items d2k+1 get control bit 1 attached.

The BRP protocol is specified in Figure 1. Our specification adapts the nondeterministic processalgebra specification of [5] by refining the configuration of lossy channels. While in the nondetermin-istic setting a lossy channel (nondeterministically) either successfully transmits a datum or looses it, weattached a success and failure probability to this choice. The protocol specification BRP(N,T, p,q) rep-resents a system consisting of the RC modeled as process RC(N,T, p,q), the TV modeled as process TV ,and the channels CH(b, t, p,q) for data transmission and CH2(d,b, t,q) for acknowledgment.

The processes RC(N,T, p,q) and TV synchronize over the actions: (i) c(d,b), modeling the correcttransmission of datum d ∈D and control bit b ∈ 0,1 from the RC to the TV; (ii) ack, modeling the correcttransmission of the acknowledgment message from the TV to the RC, and (iii) lost, used to model thetimeout due to loss of the acknowledgment message. RC(N,T, p,q) starts by receiving the actual sizen ≤ N of the data stream, by means of action i(n). Then, for n times it reads the datum di by means ofaction i(d) and tries to send it to the TV . If all data are sent successfully, then the other RC componentsare notified by means of action res(OK). If the transmission of a datum failed, the action ⊥ is emitted andif the acknowledgment failed the message lost is emitted. In case of T failures the whole transmissionfails and emits res(NOK). If TV receives a pair (d,b) by action c(d,b), then if d is original, namely b isthe expected control bit, then d is sent to other TV components by o(d), otherwise (d,b) is ignored.

To reason compositionally over concrete instances of this protocol, we first translate some perfor-

126


BRP(N,T, p,q) = RC(N,T, p,q) ‖B TV , where B = c(d,b) | d ∈ D,b ∈ 0,1∪ ack, lost

RC(N,T, p,q) =

[ ∑

0≤n≤N,n=2k

i(n).(CH(0,T, p,q) ; CH(1,T, p,q)

)n/2+

∑

0≤n≤N,n=2k+1

i(n).((

CH(0,T, p,q) ; CH(1,T, p,q))n/2

;CH(0,T, p,q))]

;res(OK).√

CH(b, t, p,q) =∑

d∈D

i(d).CH′(d,b, t, p,q)

CH′(d,b, t, p,q) =

(⊥.CH′(d,b, t−1, p,q)) ⊕p CH2(d,b, t,q) if t > 0res(NOK) if t = 0

CH2(d,b, t,q) = c(d,b).CH′2(t,q)

CH′2(t,q) =

(lost.CH′2(t−1,q)) ⊕q (ack.

√) if t > 0

res(NOK) if t = 0

TV =

[((∑

d∈D

c(d,1).(ack.√

+ lost.√

))∗(∑

d∈D

c(d,0).o(d).(ack.√

+ lost.√

)))

;

((∑

d∈D

c(d,0).(ack.√

+ lost.√

))∗(∑

d∈D

c(d,1).o(d).(ack.√

+ lost.√

)))]ω

Figure 1: Specification of the Bounded Retransmission Protocol

mance properties of a BRP implementation BRP(N,T, p,q) to the bisimulation distance between thespecification BRP(N,T,0,0) and that implementation (Proposition 9). Then we relate the bisimulationdistances between the specification and implementation of the entire protocol with the distances betweenthe specification and implementation of its respective components (Proposition 10). On the one hand,this allows to derive from specified performance properties of the entire protocol individual performancerequirements of its components (compositional verification). On the other hand, it allows to infer fromperformance properties of the protocol components suitable performance guarantees on the entire proto-col (compositional specification).

Proposition 9. Let N,T ∈ N and p,q ∈ [0,1].

(a) Distance d(BRP(N,T,0,0),BRP(N,T, p,q)) = ε relates to performance properties:

• The likelihood that N data items are sent and acknowledged without any retry is 1− ε.• The likelihood that N data items are sent and acknowledged with exactly k ≤ N ·T retries is

(1− ε)(1− (1− ε)1/N)k.

• The likelihood that N data items are sent and acknowledged with at most k ≤ N ·T retries is(1− ε) 1−(1−(1−ε)1/N )k

(1−ε)1/N .

• The likelihood that N data items are sent and acknowledged is (1− ε) 1−(1−(1−ε)1/N )N·T(1−ε)1/N .

(b) Distance d(CH(b,T,0,0),CH(b,T, p,q)) = δ relates to performance properties:

127


• The likelihood that one datum is sent and acknowledged without any retry is1−δ.• The likelihood that one datum is sent and acknowledged with exactly k ≤ T retries is (1−δ) ·δk.• The likelihood that one datum is sent and acknowledged with at most k ≤ T retries is 1−δk.

Now we relate the distance between the specification and implementation of the entire protocol tothe distances between their components and furthermore to the respective parameters.

Proposition 10. Let N,T ∈ N and p,q ∈ [0,1]. For all d ∈ D and b ∈ 0,1(a) d(BRP(N,T,0,0),BRP(N,T, p,q)) ≤ 1− (1−d(CH(b,T,0,0),CH(b,T, p,q)))N

(b) d(CH(b,T,0,0),CH(b,T, p,q)) = 1− (1− p)(1−q)

(c) d(CH2(d,b,T,0),CH2(d,b,T,q)) = q

As all process combinators in BRP(N,T, p,q) are continuous, we can relate the distance betweenthis implementation and its respective specification BRP(N,T,0,0) (which relates by Proposition 9 toperformance properties of the entire protocol) to the concrete parameters p,q and N of the system.

Proposition 11. Let N,T ∈ N and p,q ∈ [0,1]. For all ε ≥ 0

d(BRP(N,T, p,q),BRP(N,T,0,0)) < ε whenever p + q− pq < ε/N.

Example 12. Consider the following scenario. We want to transmit a data stream of N = 20 dataitems with at most T = 1 retry per data item. We want to build an implementation that should sat-isfy the performance property ‘The likelihood that all 20 data items are successfully transmitted is atleast 99%’. By Proposition 9.a we translate this performance property to the resp. bisimulation dis-tance d(BRP(N,T,0,0),BRP(N,T, p,q)) ≤ 0.01052 on the entire system. By Proposition 10.a we de-rive the bisimulation distance for its channel component d(CH(b,T,0,0),CH(b,T, p,q) ≤ 0.00053. ByProposition 10.b this distance can be translated to appropriate parameters of the channel component, e.g.p = 0.020% and q = 0.032%. Otherwise, by Proposition 9.b it may be translated back to a performancerequirement, e.g. ‘The likelihood that one datum is successfully transmitted is at least 99.95%’.

References

[1] Giorgio Bacci, Giovanni Bacci, Kim G Larsen, and Radu Mardare. Computing Behavioral Distances, Com-positionally. In Proc. MFCS’13, pages 74–85. Springer, 2013.

[2] Falk Bartels. On Generalised Coinduction and Probabilistic Specification Formats. PhD thesis, VU UniversityAmsterdam, 2004.

[3] Yuxin Deng and Wenjie Du. Logical, Metric, and Algorithmic Characterisations of Probabilistic Bisimulation.Technical Report CMU-CS-11-110, CMU, March 2011.

[4] Josee Desharnais, Vineet Gupta, Radha Jagadeesan, and Prakash Panangaden. Metrics for Labelled MarkovProcesses. TCS, 318(3):323–354, 2004.

[5] Wan Fokkink. Modelling Distributed Systems. Springer, 2007.

[6] Daniel Gebler, Kim G. Larsen, and Simone Tini. Compositional metric reasoning with Probabilistic ProcessCalculi. Under submission., 2014.

[7] Daniel Gebler and Simone Tini. SOS Rule Formats for Compositional Reasoning about Probabilistic Systems.Under submission., 2014.

128


[8] Matias David Lee, Daniel Gebler, and Pedro R. D’Argenio. Tree Rules in Probabilistic Transition SystemSpecifications with Negative and Quantitative Premises. In Proc. EXPRESS/SOS’12, volume 89 of EPTCS,pages 115–130, 2012.

[9] Roberto Segala. Modeling and Verification of Randomized Distributed Real-Time Systems. PhD thesis, MIT,1995.

129

k-fault tolerant Nash equilibria

Bouyer Patricia1, Brihaye Thomas2, Hautem Quentin2, Markey Nicolas1

1LSV-ENS Cachan 2University Of Mons

AbstractThis paper presents a work in progress in the domain of game theory. Propositions consist to

define a new equilibrium, called k-fault tolerant Nash equilibrium, to ensure that no coalition ofk-faulty players can bring the game into bad issues. The proposed work consists to develop newalgorithms to decide the existence of this equilibrium.

As complex computer systems are ubiquitous, it is of capital importance to verify that these sys-tems are correct. Nowadays the model-checking approach is considered as a highly effective verificationtechnology, widely adopted in the hardware and software industries (cf. announcement of the 2007Turing Award Winners). This approach is most effective when applied to relatively unstructured andcontrol-intensive processes in which the system being analyzed is accurately modeled as a finite-stateautomaton. When we need to consider more complex systems which are distributed and where com-ponents may work collaboratively or as adversaries richer models have to be considered. That is whyrecently, games on graphs have been studied by computer scientists in order to model complex systems,and concepts from game theory (such as winning strategy, Nash equilibrium, ...) have been borrowed inorder to express acceptable collective behaviours.

A major hypothesis in game theory is that the agents (or players) are rational entities. This hypothesiscan be discussed when we work with computer systems. Indeed faulty behaviours can not be consideredas rational. This motivates the introduction of a new concept of equilibrium that we named k-faulttolerant Nash Equilibrium. This concept is inspired from concepts such as k-immune equilibrium [1]or k-resilient equilibrium [2]. Let us note that this quest of appropriate solution for modelling complexcomputer systems is not new, several new concepts have already been introduced, for instance secureequilibrium [8] or doomsday equilibrium [7].

The idea of k-fault tolerant Nash Equilibrium is that this is a Nash equilibrium such that no coalitionsof at most k faulty players can bring the game into bad issues. This notion appears to be complex, thusour aim is to develop algorithms to find these equilibria.

1 Turn-based games

The games we study are games played on finite directed graphs. Given a finite graph, the game is playedas follow: a token is moved by players from node to node, along the edges. A play of the game is thena path though the graph constructed by the moves of the token. In our case, each node of the graph iscontrolled by one and only one player, meaning that whenever the token reaches a node, the player whocontrols this node moves the token along an outgoing edge to a successor node (turn-based game). Tomake the description of the game complete, we need to know what are the goals of the players. We willonly work with qualitative objectives, that means that players want to ensure that some property holdsalong the play.

130

2 Q. Hautem

Once a game is fixed, it is natural to wonder how the game is played. Depending of the kind of theplayers’ behaviour, we can predict what might be a potential result of the game, which is formalisedthrough a particular solution concept.

We first give the definition of the arena of a turn-based game.

Definition 1. Given a finite set of players Agt, a finite arena is a tuple A = (V,(Vα)α∈Agt ,E) where

• G = (V,E) is a finite directed graph with nodes (also called vertices or states) V , edges E ⊆V ×Vsuch that for all v ∈V , there exists v′ ∈V with (v,v′) ∈ E, and

• (Vα)α∈Agt is a partition of V such that Vα is the set of nodes controlled by player α ∈ Agt.

We fix an arena A = (V,(Vα)α∈Agt ,E) and we now give most of the notations, definitions and vo-cabulary that we will use.

A finite (resp. infinite) path through the graph G = (V,E) is called a history (resp. a play) of A . Letε denote the empty history and Hist(A ) (resp. Plays(A )) denote the set of all histories (resp. plays) inA . For α ∈ Agt, the set Histα(A ) is the set of all histories h ∈ Hist(A ) whose last node belongs to Vα .We write h = h0 . . .hk, where h0, . . . ,hk ∈V (k ∈ N), for a non-empty history h.

The function First (resp. Last) returns, for a non-empty history h = h0 . . .hk, the first node h0 (resp.the last node hk). The function First naturally extends to plays. Let g,h be two histories, such that his non-empty, and such that (Last(h),First(h)) ∈ E, we denote by ghω the infinite path starting by thehistory g and then the history h repeated infinitely often, i.e. ghω = ghhhhh . . ..

A strategy of player α ∈ Agt in A is a function σ : Hist(A )α → V assigning to each non-emptyhistory h that ends in a node controlled by player α (Last(h) ∈ Vα ), a successor v = σ(h) of Last(h).That is, (Last(h),σ(h)) ∈ E. We say that a play ρ = ρ0ρ1 . . . of A is consistent with a strategy σ ofplayer α if, for all k ∈ N such that ρk ∈ Vα , we have that ρk+1 = σ(ρ0 . . .ρk). The same terminology isused for any history h. We denote by Strat(A )α the set of strategies of player α . A subset C ⊆ Agt iscalled a coalition and a strategy σC for this coalition C is a tuple of strategies, one for each player in C .We denote by StratC (A ) the set of strategies of the coalition C .

A strategy profile of A is a tuple (σα)α∈Agt of strategies, where σα refers to the strategy of playerα . We often simply write σAgt for (σα)α∈Agt . Let h be a non-empty history and α ∈ Agt be the playersuch that Last(h) ∈ Vα , we sometimes abusively denote σα(h) by σAgt(h), even if only σα is definedfor the history h. Given an initial node v ∈ V , a strategy profile (σα)α∈Agt determines a unique playstarting in v that is consistent with all strategies σα . This play is called the outcome of σAgt from v andis denoted by Out(v,σAgt). When the context is clear, we will simply call Out(v,σAgt) the outcome ofσAgt . Given a strategy σα of a player α and an initial node v, we denote by Out(v,σα) the set of all playsstarting in v which are consistent with σα . Given β ∈ Agt, we write σ−β for (σα)α∈Agt\β, the set ofstrategies σα for all players except for player β . We say that a player deviates from a strategy if he doesnot carefully follows this strategy. More formally, for a strategy σα , we say that player α deviates fromσα if player α plays another strategy σ ′σ ∈ Stratα . When the context is clear, we write Hist,Plays,Stratfor Hist(A ),Plays(A ) and Strat(A ).

Here is the definition of a turn-based game.

Definition 2. A qualitative turn-based game G is a tuple G = (Agt,V,(Vα)α∈Agt ,E,(Ωα)α∈Agt) where

• Agt is the set of players,

• A = (V,(Vα)α∈Agt ,E) is a finite arena, and

• for all α ∈ Agt, Ωα ⊆ Plays is an arbitrary set of plays.

131

k-fault tolerant Nash equilibria 3

We also call these games non-zero-sum turn-based games. For each α ∈ Agt, Ωα is called theobjective of α (or winning condition) and a play ρ ∈ Ωα is said winning for player α . We give below,an example of such a game.

Example 3. Consider the turn-based game depicted on Figure 1. We depict the initial node of the gamewith an incoming arrow without source, i.e. we have that node 1 is the initial node (we will keep thesame convention in the sequel). Let the circle nodes (resp. square nodes) be the nodes controlled byplayer A (resp. player B). The objective of player A (resp. player B) is to reach node 2 (resp. node 3), i.e.

ΩA =

ρ ∈ Plays | ∃i ∈ N,ρ[i] = 2

and ΩB =

ρ ∈ Plays | ∃i ∈ N,ρ[i] = 3.

1 33

2

Figure 1: A turn-based game

2 Equilibria

In non-zero-sum games, we usually look for a ”contract” that makes everyone ”satisfied” (in the sensethat no one wants to break the contract if the others follow it), that is, we search for something like anequilibrium.

A Nash equilibrium is a solution concept that captures the idea that each player is selfish (he onlycares about his own objectives) and rational (he prefers winning to losing). Roughly, a Nash equilibriumis a strategy profile in which each player has chosen the best strategy for him, taking into account thestrategies of the other players.

Definition 4. Let G = (Agt,V,(Vα)α∈Agt ,E,(Ωα)α∈Agt) be a turn-based game and v be the initial node.A strategy profile σAgt is a Nash equilibrium from node v if

∀α ∈ Agt, ∀σ ′α ∈ Stratα ,[Out(v,σ ′α ,σ−α) ∈Ωα ⇒ Out(v,σAgt) ∈Ωα

].

Example 5. Let us denote G the turn-based game depicted on Figure 2. Let player A (resp. player B)be the player with the diamond nodes (resp. square nodes), ΩA (resp. ΩB) be the set of plays that visitinfinitely often node 1 (resp. node 2) and node 1 be the initial node.

Let us consider the strategy of A (resp. of B) defined for any history h ∈ HistA and h′ ∈ HistB by

σA(h) =

2 if Last(h) = 13 otherwise

and by σB(h′) = 1.

Then (σA,σB) is a Nash equilibrium from node 1 since Out(1,σA,σB) = (12)ω that is winning for bothplayers.

132

4 Q. Hautem

1 2

3

Figure 2: A turn-based game with a Nash equilibrium

Definition 6. Let G = (Agt,V,(Vα)α∈Agt ,E,(Ωα)α∈Agt) be a turn-based game, v be the initial node andlet B ⊆ Plays be a subset of bad plays for all the players. We assume that B∩Ωα = /0 for all α ∈ Agt.

Given an integer k≥ 1, we say that a strategy profile σAgt is a k-fault tolerant Nash Equilibrium fromv if σAgt is a Nash Equilibrium from v that additionally satisfies that

∀C ⊆ Agt,∀σ ′C ∈ StratC ,[|C| ≤ k⇒ (Out(v,σ ′C ,σ−C ) /∈B

].

Let us illustrate this concept on the two examples of Figure 3.Example 7. Let us denote GL (resp. GR) the game depicted on the left (resp. the right) of Figure 3. Inboth games, let A (resp. B) be the player with the diamond nodes (resp. square nodes), ΩA (resp. ΩB) bethe set of plays that visit infinitely often node 1 (resp. node 2), B be the set of plays that visit the “sadstate”, and node 1 be the initial node.

In GL, let us consider the strategies defined in Example 2. We have shown that (σA,σB) is a Nashequilibrium from node 1 but it is not a 1-fault tolerant Nash equilibrium from node 1 because if player Adeviates alone, he can reach the “sad state”. Indeed, if we consider the strategy σ ′A defined by σA(h) =/for all histories h ∈ HistA, then we have that Out(σ ′A,σB) ∈B.

In GR, let us consider the strategy of A (resp. of B) defined for any history h ∈ HistA by σA(h) = 2(resp. for any history h′ ∈ HistB by σB(h′) = 1). One can show that (σ1,σ2) is a 1-fault tolerant Nashequilibrium from node 1. Indeed on one hand, if player A deviates alone, then he goes either to node 4 ornode 2 but player B plays in order to come back to node 1. On the other hand, if player B deviates alone,then after player A has played to node 2, player B goes either to node 1 or node 3 but player A plays inorder to come back to node 2. Then, no player can bring the game into a bad issue.

1 2

/1 2

34 /

Figure 3: Two examples

The existence of a k-fault tolerant Nash Equilibrium can be expressed in rich formalisms such asStrategy Logic [6] or ATLsc [5], which are decidable. We are developing specialized, more efficientalgorithms for deciding this problem by adapting the techniques of [3, 4].

As we have seen in Example 3, it does not necessarily exist a k-fault tolerant Nash Equilibrium ina turn-based game. We would like to be able to decide when such an equilibrium exist in a turn-basedgame. Then, our aim is to develop algorithms to find these equilibria.

Moreover, we would like to modify the concept we introduced by adding a bound of mistakes thatplayers can make.

133

k-fault tolerant Nash equilibria 5

References[1] I. ABRAHAM, D. DOLEV, R. GONEN, and J. Y. HALPERN. Distributed computing meets game the-

ory: robust mechanisms for rational secret sharing and multiparty computation. In Proc. 25th ACMSymposium on Principles of Distributed Computing (PODC’06), pages 53–62. ACM, 2006.

[2] R AUMANN. Acceptable points in general cooperative n-person games. Contributions to the Theory ofGames, Annals of Mathematical Studies, IV:287–324, 1959

[3] R. BRENGUIER. Nash Equilibrium in Concurrent Games - Application to Timed Games. Doctoral The-sis, ENS Cachan, 2012.

[4] R. BRENGUIER. Robust Equilibria in Concurrent Games. Arxiv, 2014.[5] Th. BRIHAYE, A. DA COSTA, F. LAROUSSINIE and N. MARKEY. ATL with Strategy Contexts and

Bounded Memory. In Proc. Symposium on Logical Foundations of Computer Science (LFCS’09), pages92-106. Springer, 2009.

[6] K. CHATTERJEE, T. A. HENZINGER and N. PITERMAN. Strategy Logic. In Proc. 18th InternationalConference on Concurrency Theory (CONCUR’07), pages 59-73. Springer, 2007

[7] K. CHATTERJEE, L. DOYEN, E. FILIOT, and J-F. RASKIN. Doomsday Equilibria for Omega-RegularGames. In Proc. 15th International Conference on Verification, Model Checking, and Abstract Interpre-tation (VMCAI’14), pages 78-97. To appear.

[8] K.CHATTERJEE, R. MAJUMDAR, and M. JURDZINSKI. On Nash equilibria in stochastic games. InProc. 18th International Workshop Computer Science Logic (CSL’04), pages 26–40. Springer, 2004.

[9] Q. HAUTEM. K-fault tolerant Nash equilibria in qualitative turn-based games. Master Thesis, Univer-sity Of Mons, 2014.

134

Observable Liveness

Jörg Desel1 and Görkem Kılınç1,2

1Fakultät für Mathematik und Informatik, FernUniversität in Hagen, Germany2Universitá degli Studi di Milano-Bicocca, Italy

AbstractWhereas the traditional liveness property for Petri nets guarantees that each transition can always

occur again, observable liveness requires that, from any reachable marking, each observable tran-sition can be forced to fire by choosing appropriate controllable transitions; hence it is defined forPetri nets with distinguished observable and controllable transitions. We introduce observable live-ness and show this new notion generalizes liveness in the following sense: liveness of a net impliesobservable liveness, provided the only conflicts that can appear are between controllable transitions.This assumption refers to applications where the uncontrollable part models a deterministic machine(or several deterministic machines), whereas the user of the machine is modeled by the controllablepart and can behave arbitrarily.

1 Introduction

Liveness and boundedness have turned out to be the most prominent behavioral properties of Petri nets– a Petri net is considered to behave well if it is live and bounded. This claim is supported by manypublications since decades, and in particular by the nice correspondences between live and boundedbehavior of a Petri net and its structure, see e.g. [4, 8].

This work concentrates on liveness, but looks at yet another scenario: Petri nets with transitions thatcan be observable or unobservable (silent transitions), and can be controllable or not. These nets areinspired by Petri net applications in control theory [7, 3], but can also be seen as a generalization ofPetri nets with silent transitions. We provide a notion of liveness which is tailored for Petri nets withobservable and controllable transitions, or for the systems modeled by these nets. Observable liveness ofa model of a software system (embedded or not) with a user interface roughly means liveness from theuser’s perspective.

The standard definition of liveness for traditional Petri nets reads as follows: A transition t is live if,for each reachable marking m, there is a marking m′ reachable from m that enables t. A net is live if allits transitions are live.

We consider Petri net models of software systems where only some activities are observable, andonly a subset of these can be controlled by a user (like a vending machine, which has a user interface andan internal behavior). Our liveness notion applies to such nets, which also have observable transitionsand, among them, controllable ones. This liveness notion still follows the idea that, no matter whichmarking m was reached, an occurrence sequence can be constructed which includes a given transition t.However, in contrast to the traditional definition,

• we only consider observable transitions t (i.e., if a transition cannot be observed then we do notcare about it),

135

2 J. Desel and G. Kılınç

• we assume that instead of constructing the entire sequence, we (i.e., the user) can only control thenet by choosing controllable transitions whenever they are enabled, whereas the net is always freeto fire uncontrollable transitions arbitrarily. In particular, if a controllable transition is in conflictwith an uncontrollable one, the controllable one might fire but cannot be enforced by the user.

2 Basic Definitions

An (initially marked) place/transition net N consists of a finite and non-empty set of places P, a finite andnon-empty set of transitions T with P∩T = /0, a set of arcs F ⊆ (P×T )∪ (T ×P) and an initial markingm0 : P→ N. For a place or transition x, we denote its pre-set by •x = y ∈ P∪T | (y,x) ∈ F. Similarly,the post-set of x is denoted by x• = y ∈ P∪T | (x,y) ∈ F.

A marking m is an arbitrary mapping m : P→N. It enables a transition t if each place p ∈ •t satisfiesm(p)> 0. If it enables t then t can fire, which leads to the successor marking m′, defined by

m′(p) =

m(p)+1 if p ∈ t•, p /∈ •tm(p)−1 if p ∈ •t, p /∈ t•

m(p) otherwise

We denote this by m t−→ m′.The set of reachable markings of the net N, R(N), is the smallest set of markings that contains the

initial marking m0 and satisfies [m ∈ R(N) ∧ m t−→ m′] =⇒ m′ ∈ R(N). The place/transition net iscalled bounded if R(N) is finite. Equivalently, it is bounded if and only if there exists a bound b suchthat each marking m ∈R(N) satisfies for each place p: m(p)≤ b. It is called 1-bounded if this conditionholds for b = 1.

If m1t1−→ m2

t2−→ m3t3−→ m4 · · · , then t1 t2 t3 t4 . . . is called occurrence sequence (enabled at

marking m1). If an occurrence sequence σ is finite, i.e. σ = t1 t2 . . . tn, then we write m1σ−→ mn+1.

The place/transition net is live if, for each reachable marking m and each transition t, there exists amarking m′ reachable from m that enables t. Equivalently, it is live if and only if for each transition tand each finite occurrence sequence σ enabled at m0 there exists a transition sequence τ such that σ τ tis an occurrence sequence enabled at m0. Note that in order to append two sequences, the left hand oneis supposed to be finite. In turn, when writing σ τ we implicitly express that σ is finite.

Transitions can be observable or non-observable, and they can be controllable or non-controllable.We denote by O⊆ T the set of observable transitions and by C ⊆ O the set of controllable ones.

A place/transition net with observable and controllable transitions is called observableplace/transition net N = (P,T,F,m0,O,C). Given an occurrence sequence σ of the place/transition net,its projection σ to the observable transitions is called observable occurrence sequence. Conversely, asequence t1 t2 t3 . . . of observable transitions is an observable occurrence sequence if and only if there arefinite sequences σ0,σ1,σ2, . . . of unobservable transitions such that σ0 t1 σ1 t2 σ2 t3 . . . is an occurrencesequence.

An infinite occurrence sequence t1 t2 t3 . . . enabled at some marking m is called weakly unfair w.r.t.some transition t if, for some k ∈ N, t1 t2 . . . tk t is enabled at m and, for each j > k, we have •t j ∩ •t = /0(after some finite initial phase, t is persistently enabled and not in structural conflict with any occurringtransition). Notice that this definition is slightly weaker than the usual definition of weak fairness whichonly demands that t is persistently enabled. The occurrence sequence is weakly fair w.r.t. t if it is notweakly unfair w.r.t. t. By this definition, every finite occurrence sequence is weakly fair w.r.t. to alltransitions.

136

Observable Liveness 3

3 The Setting

The generic software system to be modeled consists of a machine (or several machines), a user interfaceto this machine, and perhaps of activities and conditions which do not belong to the machine. Theuser can observe and control all activities outside the machine, he can neither control nor observe anyactivities inside the machine. Concerning the user interface, there are activities that the user can onlyobserve but not control, whereas other interface activities might be both observable and controllable.

One might argue that instead of activities, only local states of machines are observable, for examplea light which can be on or off. Then, instead of observing this state, in our setting we observe theactivities that cause the changes of the state. In terms of nets, instead of observing a place, we observethe (occurrences of) transitions in the pre- or post-set of the place.

Controllable activities can be those not connected to the machine or can be activities of the interface.Whereas a controllable activity outside the machine is clearly also observable, one might argue that thisis not obvious for controllable interface activities. In fact, if the activity can be caused by pressing abutton, the user cannot be sure that with every use of this button the activity takes place. An additionalprerequisite is that the activity is enabled by the machine, whereas buttons can always be pressed. Sowe implicitly assume that the user sees whether a controllable transition is enabled or not and can thusdistinguish activities from non-activities caused by buttons.

Assume that a user wants to enforce an observable activity a after some previous run of the system.Then, depending on what he has observed so far, he should have a strategy to control activities in sucha way that eventually he can observe a. By translating activities to transitions, the same holds for thePetri net model. The strategy is formalized by a function that maps an arbitrary sequence of observabletransitions to a set of controllable transitions: if a sequence was observed, then one of these controllabletransitions can be fired. Since the domain of this function is infinite in general, and its co-domainfinite (theoretically exponential in the number of controllable transitions, but usually linear), differentsequences are mapped to the same set. We assume that the user can effectively compute this functionby using, e.g., only a finite history or an automata based approach. For generality of our approach, wenevertheless consider a strategy an arbitrary function as above.

There might be states in which controllable activities and uncontrollable ones are enabled, i.e., boththe machinery and the user can do something. In such a state, we cannot expect that the user is able todo his controllable activity first. This means that, in case of competition between activities, the user doesnot have control if not only controllable activities are involved.

For an observably live activity, we want that the user can enforce the occurrence of this activity.Therefore, we provide an appropriate behavioral model of the net. Clearly, the user can only enforceany reaction from the machine if the machine obeys some progress assumption: we do not consider runsin which an uncontrollable transition is enabled, does not occur, and is not in conflict with any otheroccurring transition. Progress is only assumed for controllable transitions if they are persistently chosenby the response function and moreover concurrent to uncontrollable ones.

4 Observable Liveness

In order to give the definition of observable liveness, we first stick to observable liveness of a singletransition, which apparently has to be observable, and later define observable liveness of observableplace/transition nets as observable liveness of all observable transitions.

So consider a single observable transition t which might be moreover controllable or not. If the net

137


reaches from the initial marking m0 a marking m by the occurrence of an arbitrary occurrence sequenceσ0, an agent wants to enforce transition t by selecting appropriate controllable, enabled transitions. Ifthis is always (for each reachable marking m) possible, then we call t observably live.

From the marking m, the net first proceeds arbitrarily and autonomously, i.e., some occurrence se-quence σ1 without controllable transitions occur. This sequence can be

a) finite and lead to a deadlock,

b) finite and lead to a marking that enables controllable and uncontrollable transitions,

c) finite and lead to a marking that enables only controllable transitions,

d) or infinite.

For the infinite case we demand weakly fair behavior w.r.t. all uncontrollable transitions, i.e. there isprogress in all concurrent parts of the net. For cases b) and c), the agent fires a controllable transitionand then proceeds as before with a next autonomous sequence σ2, and so on. This will lead to either aninfinite sequence σi, or eventually to case a) or case d).

Our liveness notion should express that – in case of observable liveness – there always is (at leastone) controllable transition after any sequence σi in case c). To formalize this, (and to avoid an infinitealternation of ∀ and ∃) we introduce a response function ϕ , which delivers a set of possible controllabletransitions as a response of the agent to the sequence observed so far. Notice that an observed sequencedoes not determine the reached marking because unobservable transitions might occur, changing themarking but not effecting the observed sequence. In turn, different observed sequences might lead to thesame marking.

We call the transition t observably live if, for some such response function, we eventually observe tin the sequence created this way.

More formally, the definition reads as follows:Definition 1. Let ϕ : O∗→ 2C be a response function and let m0

σ0−−→ m be an occurrence sequence. Wecall an occurrence sequence σ , enabled at marking m, ϕ-maximal if it is either an infinite compositionσ = σ1 t1 σ2 t2 σ3 t3 . . . or a finite composition σ = σ1 t1 σ2 t2 . . .σk tk µ, where k ≥ 0, satisfying thefollowing:

a) All σi are finite and can be empty, µ is finite or infinite.

b) For each ti we have ti ∈ ϕ(σ0 σ1 t1 σ2 t2 . . .σ i), i.e., ti is a response to the sequence observed sofar.

c) No σi contains a controllable transition (i≥ 1), and the same holds for µ .

Only for the second variant:

d) µ is weakly fair w.r.t. all non-controllable transitions. µ is moreover weakly fair w.r.t. all control-lable transitions t satisfying t /∈ ϕ(σ0 σ ′) for only finitely many prefixes σ ′o f σ .

e) If µ is finite then all transitions enabled after σ are controllable and do not belong to ϕ(σ0 σ) (thisincludes deadlocks).

Lemma 2. Assume that σ0 leads from m0 to a marking m and σ is a ϕ-maximal occurrence sequenceenabled at m. If σ = σ1 σ2 and m σ1−−→ m1, then σ2 is a ϕ-maximal occurrence sequence enabled atm1.Theorem 3. An observable transition t of an observable place/transition net is observably live if and onlyif there is a response function ϕt : O∗→ 2C such that, for each m0

σ0−−→ m, each ϕt-maximal occurrencesequence enabled at m contains infinitely many occurrences of t.

138

Observable Liveness 5

5 Properties and Relations with Traditional Liveness

In this section, we provide some properties of observable liveness and relations to traditional liveness.We do not give the proofs here because of space issues. See [5] for the proofs and more details.

Lemma 4. For each response function ϕ and each m0σ0−−→ m, there is a ϕ-maximal occurrence se-

quence enabled at m.

Proposition 5. Each observably live transition t is live.

Corollary 6. An observably live net is live if all transitions are observable.

Notice that Cor. 6 does not hold without the assumption that all transitions are observable.If all transitions are controllable then liveness of t implies its observable liveness:

Proposition 7. If O =C = T then observable liveness of a transition t coincides with its liveness.

Corollary 8. If O =C = T , then observable liveness of a net coincides with liveness of the net.

Proposition 9. Assume that in an observable net there is an infinite and weakly fair occurrence sequenceσ without controllable transitions. Then each observable transition which does not appear in σ infinitelyoften is not observably live.

Corollary 10. If an observable net without controllable transitions has an infinite and weakly fair oc-currence sequence which does not include all the observable transitions then the net is not observablylive.

A live net is not necessarily observably live. The main reason is that, for proving liveness, we canalways choose an appropriate occurrence sequence enabling some transition t whereas for observableliveness this choice is only possible for controllable transitions (which are not in conflict with unob-servable ones) and the net behaves arbitrarily elsewhere. The situation is different if the only choices tobe made are among controllable transitions. This is not an unrealistic setting; the automated part of asystem often behaves deterministically (but still concurrently), whereas the user model might allow foralternatives.

Theorem 11. If a 1-bounded observable Petri net, which is conflict-free w.r.t. all uncontrollable transi-tions, is live, then it is observably live.

Again proof is not included here because of space issues. See [5].

6 Conclusion and Future Work

We considered a variant of Petri nets with observable transitions, where an observable transition canalso be controllable. In analogy to the usual definition of liveness of a Petri net, we provided a notionfor observable liveness, which roughly means that a user can always enforce the occurrence of anyobservable transition, only by stimulating the net by choosing appropriate enabled controllable transition.Therefore it is necessary to assume that also the uncontrollable part of a net proceeds, i.e., we assumethat the net behaves weakly fair.

In general, liveness does not imply observable liveness and neither the opposite direction holds. Thispaper proves that for 1-bounded Petri nets with transitions that can be observable or additionally control-lable, liveness implies observable liveness, where the latter means that control can force every transitionto fire eventually from an arbitrary reachable marking – provided the net model behaves deterministicallyin its uncontrollable part. This control can only select enabled controllable transitions and is based only

139


on the sequence of transitions observed so far. This way the result generalizes the obvious observation,that in a fully deterministic net a transition is live if and only if it eventually fires.

A future consideration refers to possible generalizations of our result. It clearly still holds when thereis some limited nondeterminism in the uncontrolled part. For example, if two alternative uncontrollabletransitions cause the same marking transformation, the result is not spoiled. More generally, we aimat defining an equivalence notion on nets, based on the respective observed behavior, which preservesobservable liveness. Reduction rules, as defined e.g. in [1], [6] and [4] but also in many other papers,could be applied to the uncontrollable part leading to simpler but equivalent nets. However, there areobvious additional rules. For example, a rule that deletes a dead transition is sound w.r.t. the equivalencebecause dead uncontrollable transitions do not contribute to the observable liveness or non-liveness ofthe considered net.

As a future work, we plan to use our approach to define a security property concerning the infor-mation flow in observable/controllable Petri nets. In [2] different classes of non-interference are definedon Petri nets. We are interested to explore secure information flow on Petri nets starting with translat-ing the existing non-interference properties to Petri nets with observable and controllable transitions andperhaphs to study different levels of secure information flow.

References[1] Gérard Berthelot. Transformations and decompositions of nets. In Wilfried Brauer, Wolfgang Reisig, and

Grzegorz Rozenberg, editors, Advances in Petri Nets, volume 254 of Lecture Notes in Computer Science,pages 359–376. Springer, 1986.

[2] Nadia Busi and Roberto Gorrieri. A survey on non-interference with petri nets. In Jörg Desel, WolfgangReisig, and Grzegorz Rozenberg, editors, Lectures on Concurrency and Petri Nets, volume 3098 of LectureNotes in Computer Science, pages 328–344. Springer Berlin Heidelberg, 2004.

[3] Christos G. Cassandras and Stephane Lafortune. Introduction to Discrete Event Systems. Springer-Verlag NewYork, Inc., Secaucus, NJ, USA, 2006.

[4] J. Desel and J. Esparza. Free Choice Petri Nets. Cambridge tracts in theoretical computer science. CambridgeUniversity Press, 1995.

[5] Jörg Desel and Görkem Kılınç. Observable liveness. In Daniel Moldt and Heiko Rölke, editors, InternationalWorkshop on Petri Nets and Software Engineering (PNSE’14), number 1160 in CEUR Workshop Proceedings,pages 143–163, Aachen, 2014. CEUR-WS.org. http://ceur-ws.org/Vol-1160/.

[6] Serge Haddad. A reduction theory for coloured nets. In Grzegorz Rozenberg, editor, European Workshop onApplications and Theory in Petri Nets, volume 424 of Lecture Notes in Computer Science, pages 209–235.Springer, 1988.

[7] Lawrence E. Holloway, Bruce H. Krogh, and Alessandro Giua. A survey of petri net methods for controlleddiscrete event systems. Discrete Event Dynamic Systems, 7(2):151–190, 1997.

[8] T. Murata. Petri nets: Properties, analysis and applications. In Proceedings of the IEEE, volume 77, pages541–580, April 1989.

140

Symbolic representation of convex polyhedra∗

Extended abstract

Isabelle Mainz, Bernard BoigelotInstitut Montefiore, B28

Université de LiègeB-4000 Liège, Belgique

mainz, [email protected]

Abstract

This work describes an automata-like data structure, the Convex Polyhedron Decision Diagram(CPDD), developed for representing symbolically bounded and unbounded convex polyhedra. TheCPDD provides a canonical representation, is closed under intersection as well as projection, andadmits an efficient decision procedure for identifying the polyhedron component (vertex, edge, k-face) that contains a given point.

1 Introduction

Convex polyhedra, i.e., finite conjunctions of linear constraints, are extensively used in many areas ofcomputer science such as optimization theory [9], computer-aided verification [4, 6], and constraintprogramming. The manipulation operations that need to be performed differ according to the applicationfield. In optimization theory, for example, a typical problem consists in searching inside a polyhedronfor a point that maximizes a certain objective function. Our motivation for studying convex polyhedrais related to computer-aided verification, where convex polyhedra are used for representing reachablesets during symbolic state-space exploration of hybrid automata [6, 3]. The operations that need to beperformed are intersections, projections and tests of inclusion and equality.

A possible solution is to represent polyhedra by logical formulas in additive real arithmetic. Amajor drawback of this method is that the formulas are difficult to simplify, and that testing emptiness,equality and inclusion become hard problems. Another approach is to use automata-based methods,which provide simple algorithms for most operations, and possess a canonical form.

Among automata-based representations of convex polyhedra, one finds the Real Vector Automaton(RVA) [2] and the Implicit Real Vector Automaton (IRVA) [5]. They both encode n-dimensional vectorsas words over a given alphabet, and represent a set of points by a finite-state machine that accepts thelanguage of their encodings. RVA and IRVA can represent arbitrary finite Boolean combinations oflinear constraints and represent thus a broader class than that of convex polyhedra. One of the maindrawbacks of the RVA is that they cannot efficiently handle linear constraints with coefficients that havelarge values. This problem has been solved by the IRVA that represents some of the information of theRVA implicitly. The drawback of IRVA is that they produce complicated structures in the particular caseof convex polyhedra. In this work, we introduce Convex Polyhedron Decision Diagrams (CPDD), whichcan be seen as a simplification of IRVA suited for convex polyhedra.

∗This work is supported in part by the grant 2.4545.11 of the Belgian Fund for Scientific Research (F.R.S.-FNRS).

141

2 I. Mainz, B. Boigelot

2 Preliminaries

2.1 Convex polyhedra

We define a convex polyhedron as a finite conjunction ~x ∈Rn |∧i ~ai.~x#i bi of linear constraints, wherefor all i,~ai ∈Zn, bi ∈Z, and #i ∈ ≤,<. Such sets are a subset of Nef polyhedra ([8]), i.e. finite Booleancombinations of linear constraints.

For each constraint ~ai.~x#i bi, we say that a point ~v ∈ Rn satisfies this constraint if ~ai.~v#i bi, andsaturates it if ~ai.~v = bi. Constraints of the form ~ai.~x≤ bi are called closed, or non-strict, and constraintsof the form~ai.~x < bi are called open, or strict.

2.2 Geometrical components

A convex polyhedron P :∧

i ~ai.~x#i bi induces an equivalence relation∼P over Rn: For every~v,~v ′ ∈Rn,one has~v∼P ~v ′ iff either both~v and~v ′ do not satisfy all closed constraints ~ai.~x≤ bi, or~v and~v ′ satisfyall closed constraints~ai.~x≤ bi, and both points saturate the same subset of those constraints.

Each equivalence class of the relation ∼P defines a geometrical component of P . It is shown in [5]that the points that belong to the same geometrical component share identical local views of P: For~v,~v ′ such that ~v ∼P ~v ′, there exists ε > 0 such that the intersection of P with balls of size ε centeredon ~v and ~v ′ are equal up to translation. Formally, we have BP,ε(~v) = BP,ε(~v ′), where for all ~u ∈ Rn,BP,ε(~u) = ~x−~u |~x ∈P ∧ |~x−~u|< ε.

It is furthermore established in [5] that local views of a polyhedron have a conical structure: Forevery~u∈Rn, sufficiently small ε > 0, 0 < λ ≤ 1, and~v∈Rn such that |~v|< ε we have that~u+~v∈P⇔~u+λ~v ∈P

Finally, we call a geometrical component exterior to P if its elements do not satisfy all the closedconstraints~ai.~x≤ bi. Note that each non-exterior geometrical component of P is uniquely characterizedby the subset of constraints of P that are saturated by its elements, which is a set of equalities. In otherwords, a non-exterior geometrical component is characterized by the affine space, called its characteristicaffine space, corresponding to the set of solutions of those equalities. The dimension of the geometricalcomponent is defined as the dimension of this affine space. This dimension is equal to 0 for vertices, to1 for edges, to k with 2≤ k < n for k-faces, and to n for the interior component.

2.3 Incidence relation

The geometrical components of a polyhedron P are linked by an incidence relation, defined as a par-tial order that satisfies the following property: Two components C,C′ ⊆ Rn are such that C C′

if for every point in C, there exists an arbitrarily close point in C′. Formally, we have C C′ iff∀~v ∈C, ∀ε > 0 : ∃~v ′ ∈C′ : |~v−~v ′|< ε.

It is shown in [5] that, for every pair of components C and C′ such that C C′, the characteristicaffine space of C is a subset of the one of C′.

3 Convex Polyhedron Decision Diagram

The Convex Polyhedron Decision Diagram (CPDD) is a data structure that represents the geometricalfeatures of a polyhedron. Typically, two polyhedra that are identical up to rotations and translations willhave similar representations with different labels. Intuitively, a CPDD is a decision diagram in which

142

Symbolic representation of convex polyhedra 3

the nodes and edges correspond respectively to the geometrical components of a polyhedron and itsincidence relation. In addition, a Boolean polarity is assigned to each node in order to represent the openor closed property of the corresponding element.

3.1 Syntax

The syntax described below is general and allows the structure to have nodes that do not correspond togeometrical components. This design choice was made in order to have simple intersection and projec-tion algorithms. We will introduce in Section 4.1 a canonization operation that gets rid of nodes that donot match geometrical components. An example of a CPDD can be found in Figure 1

For a finite set of constraints ~ai.~x#i bi | i ∈ I, we define its minimum consistent set as the set Pcohcontaining all the sets ~a j.~x = b j | j ∈ J with J ⊆ I such that⋂

j∈I\J~x ∈ Rn |~a j.~x < b j∩⋂

j∈J~x ∈ Rn |~a j.~x = b j 6= /0. Intuitively, the elements of Pcoh correspondto the geometrical components of the polyhedron defined by the set of constraints ~ai.~x#i bi | i ∈ I.

A CPDD representing a convex polyhedron P induced by the set of constraints ~ai.~x#i bi | i ∈ I is atuple (Q,T,q0), where

• Q is a finite set of nodes. Each node q ∈ Q corresponds to a subset of saturated constraints, i.e., toa set q= = ~a j.~x = b j | j ∈ J where J ⊆ I. In addition, we must have that Pcoh ⊆

⋃q∈Qq=. We

also define q< = ~a j.~x < b j | j ∈ I \ J.Each node q ∈ Q is characterized by:

– the set aff(q) of solutions of the system of equations defined by q=. This is either the emptyset /0 or an affine space.

– a Boolean polarity pol(q) representing the accepting status of the node.

• T is an acyclic and anti-transitive transition relation. For every pair of nodes q,q′ ∈ Q, if (q,q′) ∈T , then the set of saturated constraints associated to q is a proper superset of the saturated con-straints associated to q′. This implies aff(q) ⊆ aff(q′). We label each transition t = (q,q′) ∈ T bythe finite set constr(t) = q′< \q< of constraints corresponding to the strict form of the constraintsthat are saturated by q and not by q′.

• q0 ∈ Q is an initial node in which all the constraints are saturated, i.e. q0= = ~ai.~x = bi | i ∈ I.

The CPDD corresponding to a given set of constraints ~ai.~x#i bi | i ∈ I is well formed if

• ∀q ∈ Q, pol(q) = T if and only if q=∩q< ⊆ ~ai.~x#i bi | i ∈ I• ~ai.~x#i bi | i ∈ I ⊆⋃

q∈Qq=∩q< | pol(q) = T• the structure is complete, i.e., every node q ∈ Q is reachable from the nodes q′ s.t. q= ⊂ q′=.

3.2 Point decision

We address here the problem of deciding whether a point~v∈Rn is accepted or not by a CPDD (Q,T,q0),in other words, whether or not it belongs to the corresponding polyhedron P . This can be done thanksto the following procedure:

Note that when we are talking about a set of constraints, strictly speaking we are talking about a multiset as we considereach equation only via its index i ∈ I.

143


P :

x1 ≥ 1x1 + x2 ≥ 3x1− x2 ≤ 1

x1(2,1)

(1,2)

x2

(a) A Polyhedron P .

x1− x2 < 1

x1− x2 < 1

x1 + x2 = 3

T

x1 = 1(1,0)+λ (0,1)

T(0,3)+λ (1,−1)

x1− x2 = 1(0,−1)+λ (1,1)

T

(0,0)+λ (0,1)+µ(1,0)T

x1 = 1 x1 + x2 = 3x1− x2 = 1

(1,2)T

(2,1)T

/0F

x1 > 1

x1− x2 < 1 x1 > 1

x1 + x2 > 3 x1 + x2 > 3

x1 + x2 = 3

x1 > 1 x1 + x2 > 3

(b) The canonized CPDD of P .

Figure 1: An example of a CPDD.

1. Let q be the initial node q0 of the structure.

2. Check whether~v belongs or not to aff(q).• If~v ∈ aff(q), then~v is accepted iff the polarity of q is true. The procedure terminates.• If ~v 6∈ aff(q), then follow an arbitrary outgoing transition from q, labeled by constraints sat-

isfied by~v. The value of q is replaced by the destination of this transition, and the procedurerepeats at Step 2. If no suitable transition exists (i.e., all outgoing transitions from q arelabeled by at least one constraint violated by~v), then~v is rejected. The procedure terminates.

Note that, by construction, for every pair of nodes q, q′ ∈ Q, all the paths leading from q to q′ arelabeled by the same set of constraints. Indeed, this set contains the strict form of all constraints that aresaturated by q and not by q′, i.e. q′< \ q<. Thus, if there exist several paths leading from q to q′, eitherone can be chosen, which guarantees that our algorithm is deterministic.

4 Operations

The CPDD should ideally only represent relevant information about a polyhedron, i.e., its polyhedralcomponents and the link between them. The syntax given in Section 3.1 allows however for more generalCPDD. This is, among other reasons, due to the fact that after performing the intersection algorithm, theresulting CPDD can contain nodes that do not represent any geometrical information. We present acanonization algorithm that only keeps relevant information.

4.1 Canonical form

The idea of the canonical form is to get rid of all unnecessary and redundant information. We thus onlykeep the nodes that are important for deciding whether a certain point ~v ∈ Rn is accepted. We aim at

144

Symbolic representation of convex polyhedra 5

eliminating inconsistent nodes (i.e., its affine space is non-empty and q=∩q< = /0) as well as the nodesq ∈ Q such that aff(q) = /0. We also eliminate redundant equations (as q= is a multiset) and transitions.

First, we remove all unnecessary nodes from the CPDD. This can be done iteratively by removingone by one inconsistent nodes and nodes that have an empty affine space.

After this step, redundant equations can simply be removed. In fact, assume that a certain constraint~a j.~x#i b j is present k times. After the first step of canonization, there are only nodes that either containall k copies of the constraints or none as all other nodes are inconsistent and are therefore removed. Wecan thus simply replace the k copies of the constraint by a single one.

The resulting CPDD contains a unique final node, in the sense that there is exactly one node that isreached from all other nodes. It corresponds to the interior of the polyhedron. If the affine space aff(q f )of this node is not universal, then this polyhedron can be represented in a smaller affine space and thesmallest affine space in which the polyhedron can be represented is exactly aff(q f ). We extract this affinespace, and perform the corresponding variable change operation. Now the affine space of the final nodeis universal and the set of labels in the CPDD corresponds to the canonical set of linear inequalities thatrepresents the polyhedron. By convention, if no affine space can be extracted, we consider the extractedaffine space to be Rn.

The resulting CPDD forms a canonical, unique up to isomorphism, representation of its underlyingpolyhedron.

4.2 Geometric interpretation

The following proposition guarantees that each node of a canonized CPDD corresponds to a geometricalcomponent of P , the only exception being q0 in the case where aff(q0) = /0.

In addition, the transition relation corresponds exactly to the incidence relation without transitivity.The point decision algorithm given in Section 3.2, when applied to a canonized CPDD, can be usedto determine the polyhedron component to which an accepted point belongs, as each node correspondsexactly to a geometric component of the polyhedron.Proposition 1. Every q∈Q such that q=∩q< 6= /0 corresponds to a non-exterior geometrical componentof P and vice-versa.

4.3 Intersection

The algorithm for computing the intersection of two convex polyhedra represented by a CPDD is similarto the product algorithm for finite automata. It is however preceded by taking the intersection of theextracted affine spaces. If this intersection is empty, the intersection of the two polyhedra is empty aswell, and if it is non-empty, the extracted affine space of the resulting CPDD will contain this intersection.

Let (QA,TA,qA0) be the representation structure of a polyhedron PA and (QB,TB,qB0) be the repre-sentation structure of a polyhedron PB then (QA×QB,T,(qA0 ,qB0)) is a representation structure of thepolyhedron PA∩B = PA∩PB.

For every node (qAi ,qBi) ∈ QA×QB we have that• pol(qAi ,qBi) = pol(qAi)∧pol(qBi)

• aff(qAi ,qBi) = aff(qAi)∩aff(qBi)

The transition relation T is defined as follows: ((qAi ,qBi),(qA j ,qB j)) ∈ T iff[qAi = qA j and (qBi ,qB j) ∈ TB] or [qBi = qB j and (qAi ,qA j) ∈ TA].

Proposition 2. Let~v ∈ Rn, then~v is accepted by (QA×QB,T,(qA0 ,qB0)) iff~v ∈PA∩B.

145


4.4 Projection

We now give an algorithm for projecting a polyhedron P of Rn onto the space Rn−1 with respect to i,which amounts to computing

P|6=i = (x1, . . . ,xi−1,xi+1, . . . ,xn) | ∃xi ∈ R : (x1, . . . ,xn) ∈PIt is well known that the projection of a convex set is convex as well. We therefore project each node ofthe canonized CPDD separately, preserving the transition relation, before putting them back together toform a CPDD for the projected polyhedron. So, after projecting each node, we fusion all the nodes thatpossess to the same affine space. It is possible that nodes appear that do not correspond to geometricalcomponents of the projected polyhedron. Those can be detected by convexity and are combined with thenodes that correspond to the geometrical component to which they belong. Finally, following a bottom-up approach, we determine the labels of the transitions and therefore the set of linear constraints thatdefine the projected polyhedron.

5 Conclusions

The CPDD is a data structure for representing convex polyhedra, that has a deterministic point decisionprocedure, an easy to compute canonical form, and automata-like algorithms for computing the productand projection of polyhedra. It has the advantage that useless geometrical features are not systematicallyconsidered, especially in the projection algorithm, similar to Chernikova’s improvement of the Fourier-Motzkin variable elimination [7].

6 Acknowledgment

The authors thank Nicolas Legrand for his contribution to this work.

References[1] B. Boigelot, J. Brusten, and J.-F. Degbomont. Automata-based symbolic representations of polyhedra. In

Proc. LATA, volume 7183 of Lecture Notes in Computer Science, pages 3–20. Springer, 2012.[2] B. Boigelot, S. Jodogne, and P. Wolper. An effective decision procedure for linear arithmetic over the integers

and reals. ACM Trans. Comput. Log., 6(3):614–633, 2005.[3] O. Bournez, O. Maler, and A. Pnueli. Orthogonal polyhedra: Representation and computation. In HSCC,

volume 1569 of Lecture Notes in Computer Science, pages 46–60. Springer, 1999.[4] P. Cousot and N. Halbwachs. Automatic discovery of linear restraints among variables of a program. In Conf.

rec. 5th POPL, pages 84–96. ACM Press, 1978.[5] J.-F. Degbomont. Implicit Real-Vector Automata. PhD thesis, University of Liège, 2013.[6] N. Halbwachs, Y. Proy, and P. Raymond. Verification of linear hybrid systems by means of convex approxi-

mations. In SAS, volume 864 of Lecture Notes in Computer Science, pages 223–237. Springer, 1994.[7] H. Le Verge. A note on Chernikova’s algorithm. Technical report, IRISA, Rennes, 1994.[8] W. Nef. Beiträge zur Theorie der Polyeder mit Anwendungen in der Computergraphik (contributions to the the-

ory of polyhedra, with applications in computer graphics). Beiträge zur Mathematik, Informatik une Nachrich-tentechnik, 1978.

[9] A. Schrijver. Theory of linear and integer programming. Wiley-Interscience series in discrete mathematicsand optimization. Wiley, 1999.

146

Verification of stochastic and spatial behavioursof Complex Systems

Laura NenziIMT, Lucca, Italy

[email protected]

1 Introduction

A complex system is a system comprised of a large number of heterogeneous interacting components,agents or processes. A key characteristic of these systems is that the interactions between their com-ponents are non-linear which reflect in the emergence of unpredictable behaviours, i.e. they expressproperties that are not directly derivable from the analysis of the individual entities.

Formal methods techniques are powerful tools that can be exploited to design and analyse complexsystems. High level languages (e.g. stochastic process algebras) can be used to describe the model ina compositional and flexible way and then to automatically derive the mathematical model. Temporallogics, instead, are suitable languages to express the properties of interest, and analysis routines suchmodel checking are efficient techniques to verify those properties and control the behaviour of the system.

Our work started from the study of Signal Temporal Logic (STL) [6, 10], temporal logic suitable tospecify behaviours in real value time series generated during the simulation of a dynamical system. Aspecial characteristic of this logic is the definition of a quantitative semantics, allowing us to quantify thesatisfiability of a property, i.e. to give a value expressing how robustly a property is satisfied. This valueis given by a robustness function.

Usually, with model checking, we are able to state whenever a system verifies or not a certain prop-erty, we may be able to compute the satisfaction probability, but we have no information about therobustness of satisfiability. Such information can really be useful when we deal with stochastic models,for example to verify the capacity of the system to maintain a certain behaviour also under small pertur-bations of the system. In [3], we extended the notion of robustness of STL to stochastic systems, showingthat this leads to a distribution of robustness scores. We used a statistical model checking algorithm toestimate this distribution for a given temporal logic formula. To show the power of this new notion ofrobustness, we exploited it in an optimisation problem. The goal of the problem was, given a certainproperty, to optimise some parameters of a stochastic model to make the model satisfy that property asrobustly as possible. This was done putting together statistical model checking techniques and a strongmachine learning algorithm [8].

Another crucial characteristic of many complex systems consists in their non-homogeneous spatialdistribution. While the temporal properties of this kind of systems have been studied from many points ofview, the verification of their spatial dynamical properties is still an open interesting challenge. Startingfrom the above work, we are now analysing and testing possible spatial extensions of STL for differentnotions of space, for example discrete space, depicted as un undirected graph, or continuous space,modelled as a real interval. Here, we present a preliminary work on a spatial extension of STL for

147

L. Nenzi

patch-based quantitative population models with a space structured as an undirected graph. The spatialoperators are inspired from the modal spatial operators of the Multiprocess Network Logic [11].

The next sections are organised as follows. In section 2, we introduce some background material. Insection 3, we describe the robustness notion of STL for stochastic systems and we apply it in an exampleof system design problem. Finally in section 4, we present a first version of a spatial extension of STL.

2 Background material

Signal Temporal Logic. Signal Temporal Logic [10] (STL) is a temporal logic that describes well prop-erties of linear, dense-time, traces defined by state variables taking real values. It extends the dense-timesemantics of Metric Interval Temporal Logic [2] (MITL), parametrized by a set of numerical predicatesplaying the role of atomic propositions. STL provides two different semantics: a boolean semanticsthat returns yes/no depending on whether or not the observed trace satisfies the STL specification anda quantitative semantics that also returns a measure of robustness of the specification; the definition ofthis quantitative measure, degree, of satisfaction is a reformulation of the robustness degree of CITEand we will describe it below. Donze et. al [6] proposed a very efficient monitoring algorithm for STL,implemented in the Breach [5] tool.

We describe now the syntax and the quantitative semantics of STL, the boolean semantics can bederived using the sign of the quantitative result (positive for true and negative for false). We implicitassume the existence of a system under study whose state is described by a set of n variables X1, ...,Xnwith space state D =D1×⋯×Dn. Furthermore, the evaluation of formulae is done over real valued tracesx(t), generating by the simulation of the model, where xi ∶T→Di, and T is the time set.

Definition 1 (STL syntax). The syntax of the STL is given by

ϕ ∶= µ ∣¬ϕ ∣ϕ1∧ϕ2 ∣ϕ1U[a,b] ϕ2

where conjunction and negation are the standard boolean connectives, [a,b] is a dense-time interval witha < b, U[a,b] is the until operator. The atomic predicates µ ∶D→B are defined as µ(X) ∶= ( f (X) ⩾ 0) andf ∶D→R is a real-valued function. For example, the property µ = (X1+X2−10 > 0) is equal to 1 whenthe value of X1 plus the value of X2 is more than 10 units and 0 otherwise.

The (bounded) until operator ϕ1U[a,b] ϕ2 requires ϕ1 to hold from now until, in a time between a and btime units, ϕ2 becomes true. The eventually operator F[a,b] and the always operator G[a,b] can be definedas usual: F[a,b]ϕ ∶= ⊺U[a,b)ϕ , G[a,b]ϕ ∶= ¬F[a,b]¬ϕ.Definition 2 (STL Quantitative Semantics). The robustness of an STL formula ϕ relative to a tracex at time t is computed by the function ρ , called the quantitative satisfaction function; it returns a realnumber ρ(ϕ, x,t) and it is defined inductively as

ρ(µ, x,t) = f (x[t]) where µ ≡ f (X) ≥ 0

ρ(¬ϕ, x,t) = −ρ(ϕ, x,t)ρ(ϕ1∧ϕ2, x,t) = min(ρ(ϕ1, x,t),ρ(ϕ2, x,t))ρ(ϕ1U[a,b]ϕ2, x,t) = sup

t′∈t+[a,b](minρ(ϕ2, x,t′), inft′′∈[t,t′](ρ(ϕ1, x,t′′)))

Moreover, ρ(ϕ, x) ∶= ρ(ϕ, x,0), i.e. a trace satisfies a formula if and only if it satisfies the formula attime 0.

148

For more details about STL see [10] and [6].

Modelling Approaches. Deterministic and stochastic models are two mainstream ways of describingcomplex systems. A deterministic model is such that, given the initial conditions and the environmentinfluencing the model (external signals), the response is uniquely determined. This class of modelsusually represents the system with a set of non-linear Ordinary Differential Equation (ODE) [9]. It welldescribes systems with a large number of entities so that fluctuations are (relatively) negligible. Instead,the stochastic approach involves random variables, so its behaviour cannot be predicted a priori but itcan only be statistically characterised. The most important class of stochastic processes we consider areContinuous Time Markov Chains (CTMC) [7] that describe population processes. A population modelis a systems in which heterogeneous entities interact together. A Population Continuous-Time MarkovChains (PCTMC) [4] is a stochastic process in which the state space is described by n integer-valuedvariables X = (X1(t), . . . ,Xn(t)) ∈ Zn, indicating the number of entities in each state of the model attime t. The time series of Zn-vectors generated during the simulation of a PCTMC are referred to astrajectories. For more detail about PCTMC, see for instance [4].

Statistical Model Checking. The class of algorithms that go under the name of Statistical Model Check-ing (SMC) are successfully used in the formal methods community to estimate the probability of thesatisfaction of a temporal logic formula ϕ over a stochastic process exploiting simulation and statisticalmethods. The idea is that given a PCTMC (or an equivalent stochastic model), a simulation algorithm isused to sample trajectories of the process. For each sample, a monitoring algorithm is run to validate ϕ .In this way, we generate a Bernoulli random variable Xϕ (equal to 1 iff ϕ is true) and statistical analysis,like sequential testing [13] or Bayesian alternatives [14] are performed on Xϕ to compute the probabilitydistributions of the satisfaction of ϕ . In particular, we apply a Bayesian SMC, to establish if P(ϕ ∣θ) > qis true with a chosen confidence level α , where θ is a set of fixed parameters of the model. It uses aBeta a prior distribution Beta(q∣a,b) for the probability of q = P(ϕ = 1), where a and b are positive realparameters that regularise the estimate when a truth value is rarely observed. The interested reader aboutSMC is referred to [12–14].

3 A technique for parameter synthesis of PCTMC models exploiting therobustness of STL

Given the space of trajectories D, we interpret the PCTMC model X(t) as a random variable X overD. Consider an STL formula ϕ , interpreted over a state variables X(t), we can extend the robustness ofSTL to PCTMC models in this way: given a trajectory x(t) of the CTMC, we compute its robustnessρ(ϕ, x,0) by the classic monitor property of STL, then ρ(ϕ, x,0) can be seen as a functional Rϕ fromthe trajectories in D to R. It can be proved that Rϕ is measurable (with respect to the Borel σ -algebraof the standard topology of D). From this assumption, we can define the real-valued random variableRϕ = Rϕ(X) with probability distribution:

P(Rϕ(X) ∈ [a,b]) = P(X ∈ x ∈D ∣ ρ(ϕ, x,0) ∈ [a,b])More details about this definition can be found in [3]. Applying this definition to a stochastic model,

we obtain a distribution of robustness degrees and, by statistical model checking, we can compute the av-erage robustness degree of this distribution, which gives a measure of how strongly a formula is satisfiedon average. This means that the satisfaction will be more robust when this value will be higher.

149

L. Nenzi

An interesting example where this characteristic can be exploited is the systems design problem.:consider a PCTMC X and let θ be a set of parameters of X . Let ϕ be a property of X expressed in termsof an STL formula whose robustness takes values in (−∞,+∞). The system design problem seeks tofind the parameter combination θ∗ such that the system satisfies ϕ with probability at least p ∈ [0,1]as robustly as possible. To achieve this target, we perform the following tasks. We fix a number Nof simulation and we run the SMC algorithm computing the average of all the resulting robustnessesof ϕ . Then we compute the probability q of satisfaction of ϕ , and we add to the average robustness apenalty term of the form γ ∣q− p∣, if q < p, and 0 otherwise (where γ < 0 controls the penalty intensity).Let F be the resulting function, then formally the system design problem seeks to find the combinationof parameters θ∗ that maximises F . The noise in the SMC estimation of F is heteroschedastic, i.e. itdepends on the variability of the estimate and on the joint satisfaction probability. We choose so to use, inthe optimisation algorithm that we will describe below, a non-homogeneous treatment of noise, in orderto reduce the variability in the estimation of the function. In particular, we compute the observation noiseby Bootstrapping, a standard statistical technique to obtain estimates of confidence intervals [15].

Solving the design problem requires to optimise a function, F , depending on the satisfaction of anSTL formula for different values of θ . For this task the algorithm exploits a Statistical Model Checking(SMC) procedure, which provides noisy estimates. If the statistical analysis of the SMC is performedover a sufficiently large number of simulations of the process, we can assume that the estimation noiseis approximately Gaussian. For this reason, we treat the unknown function to be maximised as a randomfunction (sampled form a suitable prior stochastic process, namely a Gaussian Process (GP)), and thenumerical estimations based on SMC as function evaluations. These observations are then used to obtaina posterior prediction at new input points, which are chosen according to an efficient optimisation pro-cedure called GP - Upper Confidence Bound (GP-UCB) [8]. The algorithm uses an uncertain GP modelto estimate a statistical substitute of the noise unknown function. The noise of the unknown function istaken into account in the emulation/regression, which is the core operation of the GP-UCB. This allowsus to keep low the number of SMC runs per parameter value without affecting the quality of results.

We give now an example of application of the method describe above. As model we chose the Type 1Incoherent Feed Forward Loop (I1FFL); it is a small motif in genetic regulatory networks [1], composedby three genes, A, B and C, in which B inhibits the production of C and A is an activator for both B andC 1. The network will be described by a Markov population process, in which activation and repressionare modelled as Hill functions, while degradation is described in the classic mass action style. We treatA as en external input (constant) that activates the production of B and C in parallel. If B has a lowinitial concentration, it takes some time to increase and to cross the threshold concentration to repressC. This results in a pulse-like behaviour of the C protein, i.e. an initially high production of C followedby a decrease and then a stabilisation to a low steady state. This behaviour can be translated in an STLformula as

ϕpulse = F[Tr,Tr+h]G[0,Ts](XC ⩾ θhigh)∧G[To f f ,Tend](XC ⩽ θlow). (1)

The formula ϕpulse requires the concentration of XC to be above an high threshold θhigh at a certaintime t ∈ [Tr,Tr + h] from the introduction of the input A, and remains high for at least Ts time units.Furthermore, the formula forces the pulse to terminate after To f f units of time, so that the concentrationof XC stabilises to a low value (less than θlow) for at least Tend −To f f time units.

We try to optimise model parameters to force a specific shape to the pulse. In Figure 1(a) we reporta stochastic simulation with a certain set of fixed parameters. We can see that the pulse is really fast

1 We consider the case of an “AND” logic gate in C, corresponding to the situation in which we have production of C if A isabove its concentration threshold and B is not above its concentration threshold.

150

0 5 10 150

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

time

concentration

(a) Stochastic simulation before the optimisation

0 5 10 150

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

time

concentration

(b) Stochastic simulation after the optimisation

Figure 1: Two stochastic simulations of the protein C of the I1FFL, before and after the optimisation oftwo its parameters. The red and green lines corresponds to the values of the ϕpulse formula parameters.The formula requires the concentration of XC to be above an high threshold θhigh = 0.7 (—-) at a certaintime t ∈ [0.5,1.5](- - -) and remains high for at least Ts = 1.5 time units (- - -); furthermore, the pulse hasto terminate after To f f = 10 units of time (- - -), so that the concentration of XC stabilises to a low value(less than θlow = 0.3) (—-).

and the concentration stabilises rapidly at a low level. We try to stretch the duration of the pulse. Thisis obtained in the STL framework by assigning the following parameters to the formula (1): θhigh = 0.7,Tr = 0.5, h = 1, Ts = 1.5,To f f = 10, T = 15 and θlow = 0.3. With the given model and formula parametersthe average robustness of ϕpulse by SMC, with 1000 simulations and confidence level α = 0.95, is -0.2169. We optimise simultaneously both inhibition parameter and the degradation rate of C, we use therobustness score of the STL formula 1, penalising satisfaction probabilities below 0.75. A simulationwith the optimised parameters can be seen in Figure 1(b). The average robustness of ϕpulse by SMC with1000 simulations and confidence level α = 0.95 with the new optimised parameters is become positive,equal to 0.1282. The red and green lines corresponds to the values of the formula parameters. It is clearhow in this case the property is satisfied.

4 A spatio-temporal logic for spatial heterogeneous complex systems

Often, complex systems involve a large number of heterogeneous spatial entities. The study of spatio-temporal behaviour, in the context of formal method, is an area that has not yet been investigated thor-oughly. Our next step, after the stochastic extension of STL, consists in the design of some spatialoperators suitable to specify spatial behaviour of complex systems. The design of spatial operators isstrictly related with the choice of the space where the model is embedded. The first option that wedecided to investigate are systems for patch-based quantitative population models with a discrete spacestructured as an undirected graph.

We can have two types of patch based models depending if we work with CTMC or a set of ODE. ThePatch-CTMC is a stochastic process that describes the dynamics of a system that evolves over a discretespace. The space is represented as a graph, where each node represents a different spatial location(patches) and each edge represents a link between two locations. Each patch contains a population ofagents, described by indicating the number of individuals in each state, as a classic stochastic populationprocess. The dynamics is given by intra-patch interactions and inter-patch migration of agents resultingin a PCTMC. In the case of a Patch-ODEs system, in each node, for each agent class, we have an ODE

151

L. Nenzi

system that describes how the population changes over time; such values are not necessarily integers butrather non-negative reals, that can be interpreted as average population counts.

Formally, given a system with a set of agent classes S and a set of locations L, the modelM of thesystem is defined over:

• an undirected weighted graph G = (L,E,w), where L is the set of locations, E ⊂ L×L is the set ofedges and w ∶ E →R is the function that returns the weight of each edge; furthermore, E∗ is the setcontaining all the pairs of connected locations, i.e. the transitive closure of E, we can extend w tothe domain E∗ as the sum of the weights of a shortest path between two different locations,

• a state vector X = (Xs1,`1 ,Xs2,`1 , ...), with si ∈ S and ` j ∈ L, where each state variable Xsi,` j describesthe state (the number/density) of the class si in the location ` j. The length of X is equal to ∣S×L∣.The domain of valuation of X is denoted by D =R∣S×L∣⩾0 .

A behaviour, or a trace, of the system in this case is then a function ξ ∶ T → D that associates, foreach time t ∈ T ⊆R≥0, the state of each agent class s ∈ S in each location ` ∈ L. The state variable Xs,` attime t is equal then to the projection Πs,`(ξ)(t), i.e. Πs,`(ξ) is the trajectory of the agent class s in thelocation `. To simplify the notation we denote xs,` =Πs,`(ξ) and the trace as x = (xs1,`1 ,xs2,`1 , ...).

The new spatial operators that we added to STL are: the somewhere operator [w1,w2]ϕ and theeverywhere operator [w1,w2]ϕ . The design of these operators comes from the analysis of the modalspatial operators of the Multiprocess Network Logic [11]. The somewhere operator [w1,w2]ϕ requires ϕto hold in a location reachable from the current one with a total weight more or equal to w1 and less orequal to w2. The everywhere operator can be directly derived as [w1,w2]ϕ ∶= ¬[w1,w2] ¬ϕ . It requiresϕ to hold in all the locations reachable from the current one with a total weight more or equal to w1 andless or equal to w2.

Formulae of this extension of STL are interpreted over triplets (x,t,`) where x is a trace, t ∈ [0,T ]and ` ∈ L (a finite set of locations). Note that a trace x satisfies ϕ from location `, denoted by (x,`) ⊧ ϕ ,if and only if (x,0,`) ⊧ ϕ and for the quantitative semantics we have that ρ(ϕ, x,`) ∶= ρ(ϕ, x,0,`).

We are now working on the design of an efficient property monitor, i.e. the algorithm for decidingwhether a given behaviour x satisfies a property ϕ .

At the same time, we are investigating a number of case studies in order to find interesting spatialproperties to specify and verify with our new spatial operators. In particular we are working with a bikesharing system and an epidemiological model, both with a patch-based structure.

References

[1] U. Alon. An introduction to systems biology: design principles of biological circuits. Chapman & Hall/CRC,2007.

[2] R. Alur, T. Feder, and T.A. Henzinger. The benefits of relaxing punctuality. J. ACM, 1996.

[3] Ezio Bartocci, Luca Bortolussi, Laura Nenzi, and Guido Sanguinetti. On the robustness of temporal proper-ties for stochastic models. Electronic Proceedings in Theoretical Computer Science, 125:3–19, August 2013.arXiv:1309.0866 [cs].

[4] L. Bortolussi, J. Hillston, D. Latella, and M. Massink. Continuous approximation of collective systemsbehaviour: a tutorial. Performance Evaluation, 70(5):317–349, May 2013.

[5] A. Donze. Breach, a toolbox for verification and parameter synthesis of hybrid systems. In Proceedings ofCAV. 2010.

152

[6] A. Donze, T. Ferrer, and O. Maler. Efficient robust monitoring for stl. In Proc. of CAV 2013, the 25thInternational Conference on Computer Aided Verification, Saint Petersburg, Russia, July 13-19, volume 8044of Lecture Notes in Computer Science, pages 264–279, 2013.

[7] R. Durett. Essentials of stochastic processes. Springer, 2012.[8] N. Srinivas et al. Information-theoretic regret bounds for gaussian process optimization in the bandit setting.

IEEE Transactions on Information Theory, 58(5):3250–3265, 2012.[9] H. De Jong. Modeling and simulation of genetic regulatory systems: A literature review. Journal of Compu-

tational Biology, 9(1):67–103, 2002.[10] O. Maler and D. Nickovic. Monitoring temporal properties of continuous signals. In Proc. of Joint Inter-

national Conferences on Formal Modeling and Analysis of Timed Systmes, FORMATS 2004, and FormalTechniques in Real-Time and Fault -Tolerant Systems, FTRTFT 2004, Grenoble, France, September 22-24,volume 3253, pages 152–166, 2004.

[11] John H. Reif and A.P. Sistla. A multiprocess network logic with temporal and spatial modalities, journal ofcomputer and system sciences, vol. 30, no. 1, pp. 41-53. February 1985.

[12] H. L. S. Younes, M. Z. Kwiatkowska, G. Norman, and D. Parker. Numerical vs. statistical probabilistic modelchecking: An empirical study. In Proc. of 2004, the 10th International Conference on Tools and Algorithmsfor the Construction and Analysis of Systems, Barcelona, Spain, March 29 - April 2, 2004.

[13] Hakan LS Younes and Reid G Simmons. Statistical probabilistic model checking with a focus on time-bounded properties. Information and Computation, 204(9):1368–1409, 2006.

[14] Hakan LS Younes and Reid G Simmons. Sumit K. Jha, Edmund M. Clarke, Christopher J. Langmead, AxelLegay, Andre Platzer and Paolo Zuliani. A Bayesian Approach to Model Checking Biological Systems. Proc.of the 7th International Conference on Computational Methods in Systems Biology, Berlin, Heidelberg, 2009.

[15] M. Christopher Bishop. Pattern Recognition and Machine Learning. Information Science andStatistics,Springer-Verlag New York, Inc.,Secaucus, NJ, USA, 2006.

153

True Concurrency Models as Psi-calculi

Hakon Normann∗

Dept. of Informatics, University of Oslo, – [email protected]

Abstract

Psi-calculi are a parametric framework for nominal calculi, where standard calculi are found asinstances, like the pi-calculus, or the cryptographic spi-calculus and applied-pi. Psi-calculi have aninterleaving operational semantics, with a strong foundation on the theory of nominal sets and processalgebras. Much of the expressive power of psi-calculi comes from their logical part, i.e. assertions,conditions and entailment, which are left quite open thus accommodate a wide range of logics. Weare interested in how this expressiveness can deal with event-based models of concurrency. We thustake the popular prime event structures model and give an encoding into an instance of psi-calculi.We also take the recent and expressive model of Dynamic Condition Response Graphs (in whichevent structures are strictly included) and give an encoding into another corresponding instance ofpsi-calculi. The encodings that we achieve look rather natural and intuitive.

1 IntroductionThis abstract is based on the paper [12], and we refer to this paper for the full definitions and results.

Psi-calculi [3] are a recent framework where various existing calculi can be found as instances. Inparticular, the spi- and applied-pi calculi [2, 1] are two instances of interest for security. Psi-calculi canalso accommodate probabilistic models, by going through CC-pi [4, 6] which has already been treatedas a corresponding psi-calculus instance. The theory of psi-calculi is based on nominal data structures[13]. Psi-calculi can be seen as a generalization of pi-calculus with two main features: (i) nominal datastructures (i.e., general, possibly open, terms) in place of communication channels and also in place ofthe communicated data; and (ii) a rather open logic for capturing dependencies (i.e., through conditionsand entailment) on the environment (i.e., assertions) of the processes.

The semantics of psi-calculi is given through structural operational rules and adopts an interleavingapproach to concurrency, in the usual style of process algebras. On the other hand, event-based models ofconcurrency take a non-interleaving view. Many times these form domains and are used to give denota-tional semantics, as e.g., done by Winskel in [21, 23]. Many non-interleaving models of concurrency canactually distinguish between interleaving and, so called, “true” concurrency, as is the case with higherdimensional automata [14, 16, 18], configuration structures [20], or Chu spaces [7, 15]. The recent Dy-namic Condition Response graphs (abbreviated DCR-graphs or DCRs) [8] is a model of concurrencywith high expressive power which strictly extends event structures by refining the notions of dependentand conflicting events, and including the notion of response. Due to their graphical nature, DCRs havebeen successfully used in industry to model business processes [17].

In this paper we are interested in how psi-calculi could accommodate the event structures model ofconcurrency [11, 22], with a final goal of capturing the DCRs model [8]. Event names in event-basedmodels of concurrency are unique, and can thus be thought of nominals, whereas the execution of anevent can be seen as a communication of some sort. The dependencies between events that an event

∗I would like to thank my Master supervisors Thomas Hildebrandt and Cristian Prisacariu

154

2 Normann

structure defines can be captured with rather simple assertions on the nominal data structures, whereasthe notion of computation is captured through reduction steps between psi-processes. To be confidenton the encodings, we like to see a correlation between the notions of concurrency from the two encodedmodels and the interleaving diamonds from the psi-calculus behaviour.

These are the basic ideas we follow in this work to give encodings of event structures and DCRs intocorresponding instances of psi-calculus. After a couple of results meant to explain better the correlationbetween the encoding and the event structure model, we give a result that shows that the concurrencyembodied by the event structure is captured in the encoding psi-process through the standard interleavingdiamond. For the event structures encoding we also give a result that identifies the syntactic shape ofthose psi-processes which correspond exactly to event structures. Another feature of true concurrencymodels is that they are well behaved wrt. action refinement [19]. For this we give a result showingthat action refinement is preserved by our translation; under a properly defined refining function onpsi-processes, which we define similarly to the refinement function on the event structures.

2 BackgroundPsi-calculus [3] has been developed as a framework for defining nominal process calculi, like the manyvariants of the pi-calculus [10]. The psi-calculi framework is based on nominal datatypes, [3, Sec.2.1]giving an introduction to nominal sets used in psi-calculi. We will not refer much to nominal datatype inthis paper, but refer the reader to the book [13] which contains a thorough treatment of both the theorybehind nominal sets as well as various applications (e.g., see [13, Ch.8] for nominal algebraic datatypes).We expect, though, some familiarity with notions of algebraic datatypes and term algebras.

The psi-calculi framework is parametric; instantiating the parameters accordingly, one obtains aninstance of psi-calculi, like the pi-calculus, or the cryptographic spi-calculus. These parameters are:

T terms (data/channels) C conditions A assertionswhich are nominal datatypes not necessarily disjoint; together with the following operators:

.↔ : T×T→ C channel equality ⊗ : A×A→ A composition of assertions1 ∈ A minimal assertion ` ⊆ A×C entailment relation

The syntax for building psi-process is the following (psi-processes are denoted by the P,Q, . . . ; termsfrom T by M,N, . . . ; ):

P := 0 |M〈N〉.P |M〈(λ x)N〉.P | case ϕ1 : P1, . . . ,ϕn : Pn | (νa)P | (P |P) |!P | (|Ψ|)known respectably as Empty process, Output, Input, Conditional choice, Restriction of name a insideprocess P, Parallel composition, Replication and Assertions. Transitions are done in a context, whichis represented as an assertion Ψ ∈ A, capturing assumptions about the environment: Ψ B P α−→ P′. Thecontext assertion is obtained using the notion of frame which essentially collects (using the compositionoperation) the outer-most assertions of a process. The frame F (P) is defined inductively on the structureof the process as:

F ((|Ψ|)) = Ψ F (P |Q) = F (P)⊗F (Q) F ((νa)P) = (νa)F (P)F (!P) = F (case ϕ : P) = F (M〈N〉.P) = F (M〈(λ x)N〉.P) = 1

Any assertion that occurs under an action prefix or a condition is not visible in the frame.For event structures we try to follow the standard notation and terminology from [23, sec.8]. We

choose to use prime event structures as this is one of the most basic and well known models of con-currency. Moreover, the DCR-graph model which is our final goal, is a conservative extension of eventstructures. Therefore, a first step is to look at event structures.

Definition 1 (prime event structures). A labelled prime event structure over alphabet Act is a tupleE = (E,≤, ], l) where E is a set of events, ≤ ⊆ E×E is a partial order (the causality relation) satisfying

155

True Concurrency Models as Psi-calculi 3

1. the principle of finite causes, i.e.: ∀e ∈ E : d ∈ E | d ≤ e is finite,

and ]⊆ E×E is an irreflexive, symmetric binary relation (the conflict relation) satisfying

2. the principle of conflict heredity, i.e., ∀d,e, f ∈ E : d ≤ e∧d] f ⇒ e] f .

and l : E→ Act is the labelling function.

Definition 2 (concurrency). Casual independence (concurrency) between events is defined as:

d||e M= ¬(d ≤ e∨ e≤ d∨d]e)

Dynamic Condition Response Graphs (DCR Graphs) is a recent model of concurrency, which gen-eralizes event structures by taking into account progress in terms of demanded responses, while giving afinite model of possibly infinite behaviour. DCRs are used in industry for business work flow manage-ment. We follow the notations for DCRs from [8, 9].

Definition 3 (DCR Graphs). We define a Dynamic Condition Response Graph to be a tuple G=(E,M,→•, •→,→,→+,→%,L, l) where

1. E is a set of events,

2. M ∈ 2E ×2E ×2E is the initial marking,

3. →•, •→,→,→+,→%⊆ E×E are respectively called the condition, response, milestone, include,and exclude relations,

4. l : E→ L is a labelling function mapping events to labels from L.

3 Encoding event structures in psi-calculiDue to their popularity, we have chosen to encode, in this section, the version of event structures calledprime. These have many nice features like correlations with domains which makes them a good candidatefor being used for semantics of concurrent programs. Nevertheless, we believe that other, more general,versions of event structures, like those from [22] or [20], can be encoded in psi-calculi following similarideas.

Definition 4 (event psi-calculus). We define a psi-calculus instance, which we call eventPsi, parameter-ized by a nominal set E, to be understood as events, by providing the following definitions of the keyelements of a psi-calculus instance:

T de f= E C de f

= 2E ×2E A de f= 2E .↔de f

== ⊗ de f= ∪ 1 de f

= /0

`de f= Ψ ` ϕ iff (πL(ϕ)⊆Ψ)∧ (Ψ∩πR(ϕ) = /0) Ψ ` a .↔ b iff a = b

where T, C, and A are nominal data types built over the nominal set E, and πL,πR are the standardleft/right projection functions for pairs.

The conditions C are pairs of subsets of events, which intuitively will hold the enabling conditionsfor an event, i.e., the left set holding those events it depends on and the right set holding those eventsit is in conflict with. The assertions A intuitively can be understood as capturing the set of all executedevents, i.e., a configuration of the event structure. Channel equivalence is equality of event names, as instandard pi-calculus. Composition of two assertions is the union of the sets. The entailment ` intuitivelycaptures when events may fire, thus describing when events are enabled by a configuration.

We define a function ESPSI that takes an event structure and a configuration and return an eventPsi-process. A process generated by the ESPSI function is built up from smaller “event processes” put inparallel. These come in two forms: those corresponding to the events in the configuration of the translated

156

4 Normann

event structure (i.e., those that already happened), and processes corresponding to events that have nothappened yet. For the later we use a condition ϕe that contains the set ≤e of events e is depending onand the set ]e of events e is in conflict with. These two sets along with the assertions, make it possiblefor us to have entailment say when an event is enabled. When an event happens we will have a transitionover the channel with the same name as the event. Usually an event structure is encoded into eventPsistarting from the empty configuration, i.e., with no behavior.

Theorem 5 (preserving concurrency). For an event structure E = (E,≤, ]) with two concurrent eventse||e′ then in the translation ESPSI(E , /0) we find the behavior forming the interleaving diamond, i.e., there

exists CE s.t. /0 B ESPSI(E ,CE )e−→ P1

e′−→ P2 and /0 B ESPSI(E ,CE )e′−→ P3

e−→ P4 with P2 = P4.

Theorem 6 (independence diamonds). For any event structure E , in the corresponding eventPsi-process

ESPSI(E , /0), for any interleaving diamond /0 B ESPSI(E ,CE )e−→ P1

e′−→ P2 and /0 B ESPSI(E ,CE )e′−→ P3

e−→P4 with P2 = P4, for some configuration CE ∈ CE , we have that the events e||e′ are concurrent in E .

Theorem 7 (syntactic restrictions). Consider eventPsi-process terms built only with the following gram-mar:

PES := (|e|) | case ϕ : e〈e〉.(|e|) | (PES |PES)

Moreover, a term PES has to respect the following constraints, for any ϕe,ϕe′ from case ϕ : e〈e〉.(|e|)respectively case ϕ ′ : e′〈e′〉.(|e′|) :

1. conflict: e 6∈ πR(ϕe) and e′ ∈ πR(ϕe) iff e ∈ πR(ϕe′);

2. causality: e 6∈ πL(ϕe) and if e ∈ πL(ϕe′) then e′ 6∈ πL(ϕe)∧πL(ϕe)⊂ πL(ϕe′);

3. executed events: PES cannot have both (|e|) and case ϕ : e〈e〉.(|e|) for any e, nor multiples of each.

For any such restricted process PES there exists an event structure E and configuration CE ∈ CE s.t.

ESPSI(E ,CE ) = PES.

4 DCR graphs as psi-calculi

We achieved a rather natural and intuitive translation of the prime event structures into an instance ofpsi-calculi. We made special use of the logic of psi-calculi, i.e., of the assertions and conditions and theentailment between these, as well as the assertion processes. Noteworthy is that we have not used thecommunication mechanism of psi-calculus, which is known to increase expressiveness.

We try to extend this approach from event structures to the DCRs. However, it appears that weneed the communication constructs on processes to keep track of the current marking of a DCR. Theparticularities and expressiveness of DCRs do not allow for a simple way of updating the marking, aswas the case for event structures when union with the newly executed event was enough. But by usingcommunication to send a term that is the same as the current frame, and using an idea of generationson assertions, we get a nice natural encoding of DCRs in a psi-calculus instance. We can then seecorrelations with the previous encoding of the event structures. The markings are kept in the assertions,i.e., as the frame of the process; the same as we did with the configurations of the event structures.Case processes are used for each event of the DCR, and the conditions of the case processes capture theconditions that the events of a DCR depend on to be enabled in a marking. The entailment relation thencaptures the enabling of events by markings.

157

True Concurrency Models as Psi-calculi 5

Definition 8 (dcrPsi instance). We define an instantiation of Psi-calculi called dcrPsi by providing thefollowing definitions: T de f

= m∪A A de f= 2E ×2E ×2E ×N

where E is a nominal set and N is the nominal data structure capturing natural numbers using a successorfunction s(·) and generator 0, whereas m is a single name used for communication;

C de f= 2E ×2E ×E .↔de f

== 1 de f= ( /0, /0, /0,0)

(|(Ex,Re, In,G)|)⊗ (|(Ex′,Re′, In′,G′)|) de f=

(|(Ex,Re, In,G)|) if G > G′

(|(Ex′,Re′, In′,G′)|) if G < G′

(|(Ex∪Ex′,Re∪Re′, In∪ In′,G)|) if G = G′

where the comparison G < G′ is done using subterm relation, eg., s(N)> N. Entailment ` is defined as:

(|(Ex,Re, In,G)|) ` (Co,Mi,e) iff e ∈ In∧ (In∩Co)⊆ Ex∧ ((In∩Mi)∩Re) = /0.

We define a function DCRPSI who takes a DCR-graph and returns a dcrPsi process where terms canbe either a name m, which we will use for communications, or assertions which will be the data commu-nicated. Assertions are a tuple of three sets of events, and a number we intend to hold the generation ofthe assertion. The first set is meant to capture what events have been executed, the second set for thoseevents that are pending responses, and the third set for those events that are included. These three setsmimic the same sets that the marking of a DCR-graph contains. The generation number is used to get theproperties of the assertion composition, which are somewhat symmetric, but still have the compositionreturn only the latest marking/assertion (i.e., somewhat asymmetric).

The composition of two assertions keeps the assertion with highest generation. This makes thecomposition associative, commutative, compositional, and with identity defined to be the tuple withempty sets and lowest possible generation number.

The conditions are tuples of two sets of events and a single event as the third tuple component. Thefirst set is intended to capture the set of events that are conditions for the single event. The second set isintended to capture the set of events that are milestones for the single event.

The process Pdcr generated by DCRPSI contains a starting processes Ps that models the initial markingof the encoded DCR as an assertion process, and also communicates this assertion (i.e., the currentmarking) on the channel m. The rest of the process, i.e. PE is a parallel composition of processes Pe

for each event e in the encoded DCR. The events in a DCR can happen multiple times, hence the useof the replication operation as the outermost operator. Each event is encoded, following the ideas forevent structures, using the case construct with a single guard ϕe. The guard contains the conditions forthe event e that need to be checked against the current marking (i.e., the assertion) to decide if the eventis enabled; these conditions are the set of events that are prerequisites for e (i.e., →•e) and the set ofmilestones related to e.

Theorem 9 (preserving transitions). In a DCR graph D , for any transition (D ,M)e−→ (D ,M′) there

exists a reduction between the corresponding dcrPsi processes DCRPSI(D ,M)τ−→ DCRPSI(D ,M′).

5 OutlookThe purpose of our investigations was to see how well the expressiveness of psi-calculi can accommodatethe expressiveness of true concurrency models. We conclude that a discrepancy remains between theinterleaving semantics based on SOS rules of psi-calculi, and the true concurrency nature of the twomodels we considered. Further investigations would look for a true concurrency semantics for psi-calculi, and then see how our encodings fit with the true concurrency models that this semantics wouldreturn. One could also look into adding responses to psi, as done in [5] for Transition Systems withResponses.

158

6 Normann

References[1] M. Abadi and C. Fournet. Mobile values, new names, and secure communication. In POPL, pages 104–115.

ACM, 2001.[2] M. Abadi and A. D. Gordon. A calculus for cryptographic protocols: The spi calculus. Inf. Comput.,

148(1):1–70, 1999.[3] J. Bengtson, M. Johansson, J. Parrow, and B. Victor. Psi-calculi: a framework for mobile processes with

nominal data and logic. Logical Methods in Computer Science, 7(1), 2011.[4] M. G. Buscemi and U. Montanari. Cc-pi: A constraint-based language for specifying service level agree-

ments. In ESOP’07, volume 4421 of LNCS, pages 18–32. Springer, 2007.[5] M. Carbone, T. T. Hildebrandt, G. Perrone, and A. Wasowski. Refinement for transition systems with re-

sponses. In FIT, volume 87 of EPTCS, pages 48–55, 2012.[6] R. De Nicola, G. L. Ferrari, U. Montanari, R. Pugliese, and E. Tuosto. A process calculus for qos-aware

applications. In COORDINATION, volume 3454 of LNCS, pages 33–48. Springer, 2005.[7] V. Gupta. Chu Spaces: A Model of Concurrency. PhD thesis, Stanford University, 1994.[8] T. T. Hildebrandt and R. R. Mukkamala. Declarative event-based workflow as distributed dynamic condition

response graphs. In PLACES, volume 69 of EPTCS, pages 59–73, 2010.[9] T. T. Hildebrandt, R. R. Mukkamala, and T. Slaats. Nested dynamic condition response graphs. In FSEN,

volume 7141 of LNCS, pages 343–350. Springer, 2012.[10] R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes, i-ii. Information and Computation,

100(1):1–77, 1992.[11] M. Nielsen, G. Plotkin, and G. Winskel. Petri nets, event structures and domains. In Semantics of Concurrent

Computation, volume 70 of LNCS, pages 266–284. Springer, 1979.[12] H. Normann, C. Prisacariu, and T. Hildebrandt. Concurrency models with causality and events as psi-calculi.

In ICE 2014.[13] A. M. Pitts. Nominal Sets: Names and Symmetry in Computer Science, volume 57 of Cambridge Tracts in

Theoretical Computer Science. Cambridge Univ. Press, 2013.[14] V. R. Pratt. Modeling concurrency with geometry. In POPL, pages 311–322, January 1991.[15] V. R. Pratt. Chu spaces and their interpretation as concurrent objects. In Computer Science Today: Recent

Trends and Develop., volume 1000 of LNCS, pages 392–405. Springer, 1995.[16] V. R. Pratt. Higher dimensional automata revisited. Math. Struct. Comput. Sci., 10(4):525–548, 2000.[17] T. Slaats, R. R. Mukkamala, T. T. Hildebrandt, and M. Marquard. Exformatics declarative case management

workflows as dcr graphs. In Business Process Management, volume 8094 of LNCS, pages 339–354. Springer.[18] R. van Glabbeek. On the Expressiveness of Higher Dimensional Automata. Theor. Comput. Sci., 356(3):265–

290, 2006.[19] R. J. van Glabbeek and U. Goltz. Refinement of actions and equivalence notions for concurrent systems.

Acta Informatica, 37(4/5):229–327, 2001.[20] R. J. van Glabbeek and G. Plotkin. Configuration structures, event structures and Petri nets. Theor. Comput.

Sci., 410(41):4111–4159, 2009.[21] G. Winskel. Event structure semantics for ccs and related languages. In ICALP, volume 140 of LNCS, pages

561–576. Springer, 1982.[22] G. Winskel. Event structures. In Advances in Petri Nets, volume 255 of LNCS, pages 325–392. Springer.[23] G. Winskel and M. Nielsen. Models for concurrency. In Handbook of Logic in Computer Science – vol 4,

pages 1–148. Oxford Univ. Press, 1995.

159

Update Consistent Distributed Data Types

Matthieu PerrinLINA – University of Nantes, France

[email protected]

AbstractSpecifying shared objects is specially critical to ensure reliability of distributed systems.

In large scale systems such as the Internet, replicating data is an essential feature in order toprovide availability and fault tolerance. However, these systems are prone to partitioning,which, by Brewer’s CAP theorem, makes it impossible to use strong consistency. Eventualconsistency guaranties that all replicas eventually converge to a common state when theparticipants stop doing updates. However, eventual consistency fails to fully specify sharedobjects and requires additional non-intuitive and error-prone distributed specification tech-niques. In this paper, we formalise the notion of consistency criterion, and propose a newconsistency criterion, update consistency, that solves the problem of specifying eventuallyconvergent data types.

1 IntroductionConsistency in partitionable systems. Reliability of large scale systems is a challenge to buildmassive distributed applications over the Internet. At this scale, data replication is essential toensure availability and fault-tolerance. In a perfect world, distributed objects should behave asif there is only one shared object that evolves following the atomic operations issued by the par-ticipants. We use indifferently participant or process to designate the computing entities thatinvoke the distributed object. The feeling of distribution transparency is aimed by strong con-sistency criteria such as linearizability and sequential consistency. However, the CAP theorem[5] claims that it is impossible to simultaneously provide all of the three following properties:strong consistency, availability and partition tolerance. In big modern distributed systems suchas Amazon’s cloud, partitions “do occur between data centers, as well as inside data centers”[11], and they should be considered as a property of the system. Moreover, it is economicallyunthinkable to sacrifice availability when partitions occur. The only solution is then to provideweaker consistency criteria.

State of the art. Eventual consistency [11] is a weak consistency criterion which requires thatwhen all the processes stop updating then all replicas eventually converge to a similar state. Itis used in practice in many large scale applications such as Amazon’s Dynamo highly availablekey-value store [4]. It has been widely studied and many algorithms have been proposed toimplement eventually consistent shared object. Conflict-free replicated data types (CRDT) [8]give sufficient conditions on the specification of objects so that they can be implemented. Morespecifically, if all the updates made on the object commute or if the reachable states of the objectform a semi-lattice then the object has an eventually consistent implementation [8].

160

2 Matthieu Perrin

Unfortunately, many useful objects are not CRDTs. For example, the insertion and dele-tion of a same element in a set do not commute. The set is however one of the most studiedeventually consistent data structures, and many different types of sets have been proposed asextensions of CRDTs to implement eventually consistent sets. Many of them are presented in[9]. Different techniques have been proposed to resolve conflicts in case of concurrent insertionand deletion of the same element. For example, C-Set [1] uses counters on the elements to de-termine if they should be present or not. In the Observe-Remove Set (OR-Set) [7], the insertionalways wins, and the element is present in the end. Finally, the last-writer-wins element set(LWW-element-Set) [9] attaches a timestamp to each element to decide which operation shouldwin in case of conflict.

Eventual consistency only requires the existence of a consistent state, so all these implemen-tations are eventually consistent. In order to prove the correctness of a program, it is necessaryto fully specify which behaviors are accepted for an object, including this consistent state. Inthose examples, the meaning of the operations depends on the context in which they are exe-cuted. The notion of intention was widely discussed in [10, 6] to specify an eventually consistenttext editor. The intention of an operation not only depends on the operation and the state onwhich it is done, but also on the intentions of the concurrent operations. Another solution wasproposed in the context of commutative replicated data types. In [2], it is claimed that, as theinsertion and the deletion of a same element in a set cannot commute, it is sufficient to specifywhat their concurrent execution should give, for example it could lead to an error state. Thisresult, acceptable for the shared set, cannot be extended to other more complicated objects. Inthis case, any partial order of updates can lead to a different result. This approach was formal-ized in [3], where the concurrent specification of an object is defined as a function of partiallyordered sets of updates to a consistent state.

Interest for a new consistency criterion. Shared objects are often used as a practical abstrac-tion of communications to let processors enjoy a more general view of the system. In thiscontext, programmers would use the data types they used to use in sequential programs. Forexample, there is a large variety of set data structure. But which ones correspond to its intuitionof what a set should be? The general opinion is that a C-Set is incorrect because some execu-tions lead to non intuitive states. However, it is eventually consistent and has a distributedspecification. Is an OR-Set correct/acceptable? More generally, what does that mean for anobject to be correct according to its sequential specification?

The work on the intention have failed to give an acceptable way to define distributed spec-ifications. It might not be sufficient to consider pairs of operations to specify an object, sincethe context in which it is executed is any partial order of operations. The only way to define allpossible distributed specifications is to use the approach presented in [3] that can give specifi-cations as complicated as the implementations themselves. Moreover, this approach is limitedby a more serious issue. The concurrent specification of objects uses the notion of concurrentevents. In message-passing systems, two events are concurrent if they are enforced by differ-ent processes and each process enforced its event before it received the notification messagefrom the other process. In other words, the notion of concurrency depends on the implemen-tation of the object, not on its specification. Consequently, the final user may not know if twoevents are concurrent without explicitly tracking the messages exchanged by the processes. Aspecification should be independent of the system on which it is implemented.

161

Update Consistent Data Types 3

Contributions of the paper. We believe that an object should be totally specified by twofacets: its abstract data type, that defines the set of its sequential executions, and a consis-tency criterion, that defines how it is supposed to behave in a distributed environment. Notonly sequential specification helps repeal the problem of intention, it also allows to use the wellstudied and understood notions of languages and automata. This makes possible to apply allthe tools developed for sequential systems, from their simple definition using structures andclasses to the most advanced techniques like model checking and formal verification.

We present two main contributions. First, we formalize the notion of consistency criteria.Second, we introduce the new consistency criterion called update consistency, that is strongerthan eventual consistency, and for which the sequential specification is sufficient.

The remainder of this paper is organized as follows. Section 2 formalizes the notion ofconsistency criteria and the type of objects we target in this paper. Section 3 introduces updateconsistency and compares it with eventual consistency. Finally, Section 4 concludes the paper.

2 Abstract Data Types and Consistency Criteria

In distributed systems, sharing objects is a way to abstract communications between processes.The abstract type of these objects has a sequential specification, defined in this paper by atransition system, that characterizes the sequential histories allowed for this object. As sharedobjects are implemented in a distributed system, typically using replication, the events in adistributed history are partially ordered. A consistency criterion is necessary to make the linkbetween the sequential specification of the object and the distributed executions that invokeit, by a characterization of the histories that are acceptable for a program that uses an object,depending of its types.

We use the transition systems of Def. 1 to specify sequential abstract data types. The transi-tions between the abstract states correspond to the application of the operation. In most weakconsistency criteria, updates and queries are handled differently. On the one hand, the updatescan have a side-effect that usually affects everyone, but do not return a value. It is alwayspossible to make an update operation, and its effect only depends on the current state, so thetransition system must be complete and deterministic with respect to the updates. On the otherhand, the queries can only read the state of the object but not modify it. The possible returnedvalues are directly encoded in the alphabet of the query operations, that label loops in thetransition system.Definition 1 (Update-query abstract data type). An update-query abstract data type (UQ-ADT)is a tuple O = (U,Q,S,s0,T ) such that:

• U and Q are countable sets of update and query operations,

• S is a countable set of states,

• s0 ∈ S is the initial state,

• T ⊂ S× (U ∪Q)×S is the transition function,

• for all s ∈ S and all u ∈U , there is a unique s′ such that (s,u,s′) ∈ T ,

• for all s,s′ ∈ S and all q ∈ Q such that (s,q,s′) ∈ T , s = s′.

We denote by L(O) the set of all the (finite or infinite) sequences of operations in (U ∪Q)ω thatlabels a path in O starting from s0.

162

4 Matthieu Perrin

During an execution, the participants call the methods of an object, an instance of the ab-stract data type, which produces a set of partially ordered events labelled by the operations ofthe abstract data type. This representation of distributed history is generic enough to modela large number of distributed systems. For example, in the case of communicating sequen-tial processes, an event a precedes an event b in the program order if they are executed by thesame process in that sequential order. In this case, the processes correspond to the maximalchains of the history. It is also possible to model more complex modern systems in which newthreads are created and destroyed dynamically, or peer-to-peer systems where peers join andleave permanently.

Definition 2 (Distributed History). A distributed history is a tuple H = (U,Q,E,Λ, 7→):

• U and Q are countable sets of update and query operations,

• E is a countable set of events,

• Λ : E→U ∪Q is a labelling function,

• 7→∈ E×E is a partial order called program order, such that ∀e ∈ E,e′ ∈ E : e′ 7→ e is finite.

Given a history H = (U,Q,E,Λ, 7→), we define a projection that allows to withdraw some events:for F ⊂ E, HF = (U,Q,F,Λ|F , 7→ ∩(F ×F)) is the history that contains only the events of F . Alinearization of H corresponds to a sequential history that contains the same events as H in anorder consistent with the program order. We denote by Lin(H) the set of all linearizations of H.

A consistency criterion characterizes which histories are allowed for a given data type.More formally, it is an application that associates a set of consistent histories to all UQ-ADT.For example, the application O 7→ H : Lin(H)∩L(O) 6= /0 defines a criterion that requires theexistence of a linearization of all the operations consistent with the sequential specification,which is known as sequential consistency. A distributed object is consistent with respect to aconsistency criterion C if it admits only histories that are consistent with respect to C.

3 Update Consistency

In this section, we introduce a new consistency criteria, update consistency, and we compareit to eventual consistency [11]. We consider an UQ-ADT O = (U,Q,S,s0,T ) and a history H =(U,Q,E,Λ, 7→). We first recall the definitions of eventual consistency before defining updateconsistency. Fig. 1 illustrate these two consistency criteria on three small examples representingtwo processes sharing a set of integers.

Eventual consistency requires that, if all the participants stop updating, all the replicas even-tually converge to the same state. In other word, H is eventually consistent if it contains aninfinite number of updates (i.e. the participants never stop to write) or if there exists a statecompatible with all but a finite number of queries (the consistent state).

Definition 3 (Eventual consistency). A history H is eventually consistent if u ∈ E : Λ(u) ∈Uis infinite or there exists a state s ∈ S such that the set of queries that cannot be issued while inthe state s, q ∈ E : Λ(q) ∈ Q∧ (s,Λ(q),s) 6∈ T, is finite.

163

Update Consistent Data Types 5

•I(1)

•I(2)

•Rω2

•D(1)

•Rω1,2

(a) Not eventually consistent

•I(1)

•D(2)

•Rω1,2

•I(2)

•D(1)

•Rω1,2

(b) Eventually consistent butnot update consistent

•I(1)

•R1 •

I(2)•

Rω1,2

•R2

•Rω1,2

(c) Update consistent

Figure 1: Three histories for an instance of SN, with different consistency criteria. The arrowsrepresent the program order, and an event labeled ω is repeated an infinity of times.

The histories presented in Fig. 1b and 1c are eventually consistent, as both processes readthe same value once they have converged. On the contrary, the history presented in Fig. 1a isnot eventually consistent, as one processes reaches state 2while the other reaches state 1,2.

Update consistency. Eventual consistency imposes no constraint on the convergent state, thatvery few depends on the sequential specification. For example, an implementation that ignoresall the updates is eventually consistent, as all the queries are done in the initial state. In updateconsistency, we impose the existence of a total order on the updates that contains the programorder and that leads to the consistent state according to the abstract data type. Another equiva-lent way to approach update consistency is that, if the number of updates is finite, it is possibleto remove a finite number of queries such that the history is sequentially consistent.

Definition 4 (Update consistency). A history H is update consistent if it contains an infinitenumber of updates or there exists a finite set of queries Q′ ⊂ q ∈ E : Λ(q) ∈ Q such thatLin

(HE\Q′

)∩L(O) 6= /0.

The history of Fig. 1c is update consistent because I(1).I(2) is a possible explanation for thestate 1,2, but the history of Fig. 1b is not update consistent because any serialization of theupdates would position a deletion as the last event, leading to three possible consistent states:/0, 1 and 2.

As eventual consistency does not impose a semantic link between updates and queries, itis hazardous to say anything on the conformance to the specification of the object. Burckhardtet al. [3] propose to specify the semantics of a query by a function on its concurrent history,called visibility, and a linearization of this history, called arbitration. In comparison, sequentialspecifications are restricted to the arbitration relation. Although the variety of objects with adistributed specification seems to be a chance that compensates the lower level of abstractionit allows, an important bias must be taken into account: from the point of view of the user,the visibility of an operation is not an a priori property of the system, but an a posteriori wayto explain what happened. In update consistency, the convergent state is the same as if nooperations were concurrent, which could have happened, for example, if all the messages aredelivered instantaneously and the order of the updates is explained by the relative speeds ofthe processes. Finally, update consistency is only stronger than eventual consistency, and anupdate consistent object can always be used instead of its eventually convergent conterpart.

164

6 Matthieu Perrin

4 Conclusion

This paper addresses the problem of specifying eventually consistent shared objects. We pro-posed a new approach based on sequential specifications and a new consistency criterion, up-date consistency, that is stronger than eventual consistency. Our approach has the advantage tobe well formalized around the intuitive notions of sequential specification for an abstract datatype and distributed history.

In another work, this formalization allowed us to prove the universality of update con-sistency through a generic construction that implements all update-query abstract data types.This genericity is very important because it may give a substitute to composability. Indeed,update consistency is not composable: a program that uses two update consistent objects to-gether can still be inconsistent with the composition of the objects. Composability is an impor-tant property of consistency criteria because it allows to program in a modular way, but it isvery difficult to achieve for consistency criteria. A same algorithm that pilots several objectsduring a same execution allows this execution to be update consistent. This universality re-sult allows to imagine automatic compilation techniques that compose specifications insteadof implementations.

References

[1] Khaled Aslan, Pascal Molli, Hala Skaf-Molli, Stephane Weiss, et al. C-set: a commutative replicateddata type for semantic stores. In RED: Fourth International Workshop on REsource Discovery, 2011.

[2] Annette Bieniusa, Marek Zawirski, Nuno Preguica, Marc Shapiro, Carlos Baquero, Valter Balegas,and Sergio Duarte. An optimized conflict-free replicated set. arXiv preprint arXiv:1210.3368, 2012.

[3] Sebastian Burckhardt, Alexey Gotsman, Hongseok Yang, and Marek Zawirski. Replicated datatypes: specification, verification, optimality. In Proceedings of the 41st annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pages 271–284. ACM, 2014.

[4] Giuseppe DeCandia, Deniz Hastorun, Madan Jampani, Gunavardhan Kakulapati, Avinash Laksh-man, Alex Pilchin, Swaminathan Sivasubramanian, Peter Vosshall, and Werner Vogels. Dynamo:amazon’s highly available key-value store. In ACM SIGOPS Operating Systems Review, volume 41,pages 205–220. ACM, 2007.

[5] Seth Gilbert and Nancy Lynch. Brewer’s conjecture and the feasibility of consistent, available,partition-tolerant web services. ACM SIGACT News, 33(2):51–59, 2002.

[6] Du Li, Limin Zhou, and Richard R Muntz. A new paradigm of user intention preservation inrealtime collaborative editing systems. In Parallel and Distributed Systems, 2000. Proceedings. SeventhInternational Conference on, pages 401–408. IEEE, 2000.

[7] Madhavan Mukund, Gautham Shenoy, and SP Suresh. Optimized or-sets without ordering con-straints. In Distributed Computing and Networking, pages 227–241. Springer, 2014.

[8] Marc Shapiro, Nuno Preguica, Carlos Baquero, and Marek Zawirski. Conflict-free replicated datatypes. In Stabilization, Safety, and Security of Distributed Systems, pages 386–400. Springer, 2011.

[9] Marc Shapiro, Nuno Preguica, Carlos Baquero, Marek Zawirski, et al. A comprehensive study ofconvergent and commutative replicated data types. Technical report, INRIA, 2011.

[10] Chengzheng Sun, Xiaohua Jia, Yanchun Zhang, Yun Yang, and David Chen. Achieving conver-gence, causality preservation, and intention preservation in real-time cooperative editing systems.ACM Transactions on Computer-Human Interaction (TOCHI), 5(1):63–108, 1998.

[11] Werner Vogels. Eventually consistent. Queue, 6(6):14–19, 2008.

165

New parallel algorithms for Combinatorial Optimization

Alejandro REYES-AMAROLINA, Inria

Nantes, [email protected]

Abstract

The evolution of computer architecture is leading us toward massively multi-core computers fortomorrow, composed of thousands of computing units. However, nowadays we do not know how todesign algorithms able to manage efficiently such a computing power. In particular, this is true forcombinatorial optimization algorithms, like algorithms solving constraint-based problems.

There exists several techniques for solving constraint-based problems, but meta-heuristics is oneof the most efficient techniques to solve large size problems.

Nowadays, as far as we know, there exists only one algorithm showing very good performancesscaling to thousands of cores: the local search algorithm Adaptive Search. However its parallelscheme does not include inter-processes cooperative communications. Moreover, the rising of moreand more complex algorithms leads to a number of parameters which become intractable to manageby hand.

In this context, this paper intents to propose and implement scalable meta-heuristics over thou-sands of cores with cooperative and communicating processes, and to develop and implement auto-tuning mechanisms for parallel local search methods.

1 Introduction

Optimization Problems are classical problems in Applied Mathematics and Computer Science. Theirmain goal is to find the best solution to a given mathematical model, which can have restrictions (con-straints) or not. Variables composing the problem take their value from continuous or discrete domains.This paper focuses on discrete domains, then in the following we will talk about Combinatorial Opti-mization.

Combinatorial Optimization has important applications in several fields, including machine learn-ing, artificial intelligence, and software engineering. For example, some common problems involvingcombinatorial optimization are the Traveling Salesman Problem (TSP) and the Minimum Spanning Treeproblem (MST).

In some cases, the main goal is only to find one solution, which is the case for Constraint SatisfactionProblems (CSP). Here, a solution is a configuration of variables that complies with the constraints set. Inother words: finding one feasible solution is enough.

The CSPs are one of the most trendiest in the Combinatorial Optimization field, and they find a lotof applications in the industry: for instance, the management of the flow of goods between suppliersand consumers (logistics), and the analysis of a large amount of biological information generated bythe scientific community in fields of molecular biology and genomic technologies (bio-informatics). Intheoretical terms, it means that new and more complex (also bigger) problems appear. For that reason, alot of techniques and methods are applied to the resolution of these problems.

166

2 REYES-AMARO, A.

Although many of these techniques, like meta-heuristics, have shown themselves to be effective,sometimes the real problems we want to solve are too large, in those cases the search space is huge, andtoo long execution time is needed to find a solution. However, the development of the super-computinghas opened a new way of finding solutions for these problems in a more feasible manner, reducing thesearch times, and for that reason, this is a good way to follow because the future of the computersarchitecture belongs to massively multi-cores computers.

Therefore, in this paper we will focus in finding new technologies and methods for the solution ofCSPs through parallel computing, developing cooperative parallel algorithms and applying autotuningtechniques to choose the proper parameters for them, which is a field not explored yet.

2 Theoretical context

Combinatorial Optimization consists in finding one or all potential solutions of problems for which val-ues of variables belong to a discrete domain. The objective is to find the best possible solution satisfyinga global criterion (named objective function). Resource Allocations, Task Scheduling, the TravelingSalesman Problem, the Knapsack Problem, etc, are well-known examples of Combinatorial Optimiza-tion [18]. CSP can be considered as a special case of Combinatorial Optimization where the objectivefunction is to reduce to the minimum the number of violated constraints: a solution is then obtainedwhen the function reaches the nil value.

Due to the complexity of the concrete Combinatorial Optimization problems coming from the indus-trial and ”real” worlds, these problems are intractable for classical constraint programming approaches,like tree search-based solvers exploring the whole solution space. For that reason, these kinds of prob-lems are tackled using meta-heuristic methods.

2.1 Constraint Satisfaction Problems

Constraint satisfaction problems are normally solved using meta-heuristics to guide the search inside thesearch space. The most used are variants of tree search and local search.

Tree search based techniques are methods used to reduce the domain of the variables, and turning aproblem into one that is equivalent, but usually easier to solve. The main task is to choose one (or some)constraint and analyse local consistency, which means trying to find values in the variable domains thatturn the constraint unsatisfiable in order to remove them from the domain. In [1] a formalization ofconstraint propagation is proposed through chaotic iterations.

Most of the CPSs can not be solved only by applying constraint propagation techniques. It is neces-sary to combine them with efficient local search methods. Integrations of global search (complete search)with local search have been developed, leading to hybrid algorithms [15].

Other techniques have been developed to solve these problems, such as autonomous search, based onthe supervised or controlled learning [10]. In [5] a solution model is proposed based on the case-basedreasoning, trying to imitate a human behavior in solving a problem: look in the memory how we havesolved a similar problem.

2.2 Metaheuristic methods

Meta-heuristic Methods are often nature-inspired. They are are divided in two groups [4]: i) SingleSolution Based: more exploitation oriented, intensifying the search in some specific areas (we will focus

167

New parallel algorithms for Combinatorial Optimization 3

our attention on this first group). ii) Population Based: more exploration oriented, identifying areas ofthe search space where there are (or where there could be) the best solutions.

The methods of the first group are also called trajectory methods, and they are based on choosinga solution taking into account some criterion (usually random), and they move from a solution to his”neighbour”, following a trajectory into the search space [4]. Adaptive Search is also another efficientalgorithm based local search method, that takes advantage of the structure of the problem in terms ofconstraints and variables [8, 7].

Many of these techniques have shown themselves to be effective, but sometimes the real problemswe want to solve are too large, i.e., the search space is too large and too long execution time is needed tofind a solution. However, the development of massively parallel architectures shows us a new possibleway to follow in order to find solutions for these problems in a more feasible manner, reducing the searchtimes.

2.3 Parallel computing

The power delivered by massively parallel architectures allows us to treat these problems faster, andeven to just be able to treat them. However this architectural evolution is a non-sense if algorithmsdo not evolve in the same time: the development and the implementation of an algorithm benefitingthe power of the massively parallel should be tackled with very different methods than the sequentialreasoning researchers in Computer Science are used to.

Some results have been obtained on this field. The contribution in terms of hardware has been crucial,achieving powerful technologies to perform large–scale calculations. On the other hand, the developmentof the techniques and algorithms to solve problems in parallel is also visible, focusing the main effortsin three fundamentals concepts: i) Problem subdivision, ii) Scalability and iii) Process communication.

Scalability is the ability of a system to handle the increasing growth of workload [11]. Anotherway to measure the scalability of a system is through its capability to maintain or even increase its levelof performance or efficiency when the resources of calculus are increased. Adaptive Search is a goodexample of local search method that can scale up to a larger number of cores, e.g., a few hundreds oreven thousands. In [19], an estimation of the speed-up (a performance measure of a parallel algorithm)through statistical analysis of its sequential algorithm is presented. This is a very interesting resultbecause it provides a way to have a rough idea of the resources needed to solve a given problem inparallel.

Sub-dividing a given problem in some smaller sub-problems is sometimes not an easy issue to ad-dress. Even when we can do it, the time needed by each process to solve its own part of the problem israrely balanced [17].

Another issue to treat is the interprocess communication. Many times a close collaboration betweenprocess is required, in order to achieve the solution. However, the first inconvenient is the slowness ofthe communication process. For that reason some works like [9] allow us to perform the clause-shearing,controlling the exchange between any pair of process.

Related to the search process, we can find two main approaches. First, the single walk approach, inwhich all the processes try to follow the same path towards the solution, solving their corresponding partof the problem, with or without cooperation (communication). The other is known as multi walk, andit proposes the execution of various independent processes to find the solution. Each process applies itsown strategies (portfolio approach) or simply explores different places inside the search space. Althoughthis approach may seem too trivial and not so smart, it is fair to say that it is in fashion due to the goodresults obtained using it [8].

168

4 REYES-AMARO, A.

As we said before, meta-heuristic methods are an effective way to face the CSP. The problem is thatthey use parameters that need to be well adjusted, and most of the times they depend on the nature of thespecific problem, so they require a previous analysis to study their behavior [3]. Most of these methodsto tackle combinatorial problems, involve a sort of number of parameters that govern their behaviour.This is where another branch of the investigation arises: parameter tuning. It is also known as a metaoptimization problem, because the main goal is to find the best solution (parameter configuration) for aprogram, which will try to find the best solution for some problem as well [12, 14].

3 Early efforts

In this section we resume some ideas still in experimentation/development phase. We do not have yetconcrete results, because they are product of ideas recently conceived.

3.1 Relaxation model for discrete CSPs

On a first attempt to tackle the problem of reducing the search space of a CSP, we thought to model itthrough a continuous problem, and then, trying to apply efficient methods to solve this kind of problemsin order to reduce the variables domains just to the neighborhood of the found approximation. In [16]some issues to take into account in order to model combinatorial problems using continuous problemsare showed.

The first experiment was made using the n-queens problem. We modelled it as a CSP problem withanalytic constraints in such a way that if a constraint from the discrete CSP is satisfied, then the value ofits associated constraint in the continuous CSP is equal to zero.

The associated non-linear optimization problem was built by minimizing the penalized sum of everycontinuous constraint, and adding box constraints (the variable domains). From [20, 6] we have an effi-cient program to solve this kind of problems (L-BFGS-B). It is clear to see that if we choose penalizationcoefficients big enough, the minimum value will be reached in a feasible solution of the associated CSP.

Once an approximated solution is found, the next step is restricting the domain of each variable to adiscrete neighborhood of its value.

3.2 Domain Split

As written above, a way to tackle huge combinatorial problems in parallel is to split the search space(problem subdivision). In this section, the problem subdivision approach is adopted in order to divide thedomain of a given problem, and in this particular case to solve the k-medoids problem in parallel 1.

In [2], two main techniques are presented for domain partitioning: first, space-filling curves, used toreduce any N-dimensional representation into a one-dimension space; and second, k-Means algorithm,one of the most popular clustering algorithms. None of these used techniques for domain partitioningtake into account the number of clients associated to each new sub-domain. This results in an unbalanceddistributions of workload phenomenon, and our our goal was to design some ideas to face this problem.

The main idea of our proposed algorithm is to take a set of R2 points (representing the locations ofthe clients) and return a partition of size K. Such a set of points is called a domain and the partition asub-domain. At each intermediate step, we have a set (list) of sub-domains. The algorithm takes the most

1This work falls within the framework of the Ulysses project between France and Ireland

169

New parallel algorithms for Combinatorial Optimization 5

populated one, splits it into two new sub-domains (fallowing some split strategy) and includes them inthe list. The stop condition will depend on the applied approach.

We focused in two different approaches in order to split the domain: i) splitting the domain takinginto account the number of available cores and ii) taking into account the number of clients we want toplace in the system. In the article of A. Arbelaez and L. Quesada [2] a domain split taking into accountthe number of available cores for parallel calculus is proposed. In our approach we intend to extend thisidea keeping in mind also the number of clients to allocate.

3.3 PARAMILS to tune Adaptive Search

Another work in progress right now is to apply the PARAMILS tool in order to find the optimum pa-rameter configuration to Adaptive Search solver. PARAMSILS (version 2.3) is a tool for parameter opti-mization for parametrized algorithms [14]. It is an open source program (project) in Ruby, and the publicsource include some examples and a detailed and complete User Guide with a compact explanation abouthow to use it with a specific solver [13]. The first thing we did was building a wrapper to be able to usethe tool. This wrapper was coded in C++ language.

In March 2014 we started experimenting with the Costas Array problem, using different sizes astraining instances set.

Tacking advantage of the fact that we have already built a wrapper to our solver, the next step can betuning more interesting problems and after that, using the tool to tune the solver but not only to find thebest parameter configuration for a specific problem, but also the best parameter configuration to solveany of the benchmarking (a general parameter configuration).

4 Conclusions

In this work we have exposed some ideas still in the development phase, with the purpose of finishingthem in the near future. As we have discussed, they are works with very specific objectives, but point-ing towards a more general goal: to design a framework for modelling/solving CSPs in parallel, usingefficient auto-tuning algorithms and proper inter-process communication techniques.

References

[1] Krzysztof R. Apt. From Chaotic Iteration to Constraint Propagation. In 24th International Colloquium onAutomata, Languages and Programming (ICALP’97), pages 36–55, 1997.

[2] Alejandro Arbelaez and Luis Quesada. Parallelising the k-Medoids Clustering Problem Using Space-Partitioning. In Sixth Annual Symposium on Combinatorial Search, pages 20–28, 2013.

[3] Mauro Birattari, Mark Zlochin, and Marrco Dorigo. Towards a Theory of Practice in Metaheuristics Design.A machine learning perspective. RAIRO-Theoretical Informatics and Applications, 40(2):353–369, 2006.

[4] Ilhem Boussaıd, Julien Lepagnot, and Patrick Siarry. A survey on optimization metaheuristics. InformationSciences, 237:82–117, 2013.

[5] Derek Bridge, Eoin O’Mahony, and Barry O’Sullivan. Case-Based Reasoning for Autonomous ConstraintSolving. In Autonomous Search, pages 73–95. Springer Berlin Heidelberg, 2012.

[6] Richard H Byrd, Peihuang Lu, Jorge Nocedal, and Ciyou Zhu. A limited memory algorithm for boundconstrained optimization. Technical Report NAM-08, 1994.

170

6 REYES-AMARO, A.

[7] Philippe Codognet and Daniel Diaz. Yet Another Local Search Method for Constraint Solving. In StochasticAlgorithms: Foundations and Applications, pages 73–90. Springer Verlag, 2001.

[8] Daniel Diaz, Florian Richoux, Philippe Codognet, Yves Caniou, and Salvador Abreu. Constraint-Based LocalSearch for the Costas Array Problem. In Learning and Intelligent Optimization, pages 378–383. SpringerBerlin Heidelberg, 2012.

[9] Youssef Hamadi, Said Jaddour, and Lakhdar Sais. Control-Based Clause Sharing in Parallel SAT Solving. InAutonomous Search, pages 245–267. Springer Berlin Heidelberg, 2012.

[10] Youssef Hamadi, Eric Monfroy, and Frederic Saubion. An Introduction to Autonomous Search. In Au-tonomous Search, pages 1–11. Springer Berlin Heidelberg, 2012.

[11] Mark D. Hill. What is scalability? ACM SIGARCH Computer Architecture News, 18(4):18–21, 1990.[12] Holger H. Hoos. Automated algorithm configuration and parameter tuning. In Autonomous Search, pages

37–71. Springer Berlin Heidelberg, 2012.[13] Frank Hutter. Updated Quick start guide for ParamILS, version 2.3. Technical report, Department of Com-

puter Science University of British Columbia, Vancouver, Canada, 2008.[14] Frank Hutter, Holger H Hoos, and Kevin Leyton-brown. ParamILS: An Automatic Algorithm Configuration

Framework. Journal of Artificial Intelligence Research, 36(1):267–306, 2009.[15] Eric Monfroy, Frederic Saubion, and Tony Lambert. On Hybridization of Local Search and Constraint Prop-

agation. In Logic Programming, pages 299–313. Springer Berlin Heidelberg, 2004.[16] Panos M Pardalos, Oleg A Prokopyev, and Stanislav Busygin. Continuous Approaches for Solving Discrete

Optimization Problems. In Handbook on Modelling for Discrete Optimization, pages 39–60. Springer US,2006.

[17] Mohamed Rezgui and Arnaud Malapert. Embarrassingly Parallel Search. In Principles and Practice ofConstraint Programming, pages 596–610. Springer Berlin Heidelberg, 2013.

[18] Barbara M Smith. Modelling for Constraint Programming. Lecture Notes for the First International SummerSchool on Constraint Programming, (September), 2005.

[19] Charlotte Truchet, Florian Richoux, and Philippe Codognet. Prediction of parallel speed-ups for las vegasalgorithms. In Conference on Parallel Processing (ICPP), 2013.

[20] Ciyou Zhu, Richard H Byrd, Peihuang Lu, and Jorge Nocedal. L–BFGS–B. Fortran subroutines for large-scale bound constrained optimization. ACM Transactions on Mathematical Software (TOMS), 23(4):550–560, 1997.

171

Collective Adaptive Systems: a language, a model, anapproximation technique

Marco TinacciIMT

Lucca, [email protected]

Research area

Adaptive agents are systems that interact with the external environment and react taking decisions atrun-time relying on the achieved knowledge. This kind of agents are nowadays used for many real-worldapplications [4]. In robotics, for instance, agents that are capable of taking decisions autonomouslyare applied for deep-space navigation, deep-ocean exploration and interplanetary rovers, but also forhazardous missions like bomb disposal, land-mine clearing, toxic waste clean-up and radioactive materialhandling. A robot is typically unaware of all the information of the problem and has to use sensorsand actuators, respectively, to get information from the environment and to perform actions. A rewardfunction is usually employed to define what is good and what is bad for the agent defining in this waywhat are his targets.

Adaptivity is not the only issue addressed by this work, indeed, this problem is often bounded to largepopulations of agents, collective and self-organized behaviors. Swarm intelligence [2] is an approach tocollective behaviors that studies characteristics of social animals and exploits them to analyze and builddistributed strategies. Swarm intelligence may be applied to robotics (swarm robotics) considering alarge number of autonomous, cooperative and distributed robots that can perform only local sensingand communications. Some classes of collective behaviors emerge from the state of the art: spatialorganization (e.g., aggregation, pattern formation, clustering, assembling), navigation (e.g., collectiveexploration, coordinated motion, collective transport) and collective decision making (e.g., consensusachievement, task allocation). Two main layers to analyze and design behaviors can be distinguished:the microscopic level and the macroscopic level. The former focuses on optimal tactics for single agentsor small groups while the latter aim to handle collective strategies, for instance assigning different tasksto classes of agents.

We deal, then, with collective autonomous systems that are composed by a large number of agents.They have to cooperate in order to achieve a common goal with a limited knowledge about externalevents and the surrounding environment. Agents can act, interact and collect information observing theenvironment. Since the lack of information is an obstacle for achieving the target, controllers deployedon agents should not be trivially memoryless, but they should rely on history of gathered information. Ofcourse, handling a big number of agents is hard in terms of resources even without partial observability.To overcome this obstacle one could rely on the anonymity and the behavioral symmetries of agents. Wecould, for instance, describe the global status of a system composed by a million of agents distributedover a place as how many of them are in the central zone and how many in the periphery.

172

2 M. Tinacci

Direction of the work

Our first step is to propose a language to define what are the possible instances of the problem. We takeinspiration from SCEL [5]: a kernel language that takes a holistic approach to programming autonomiccomputing systems and aims at providing programmers with a complete set of linguistic abstractions forprogramming the behavior of Autonomic Components (ACs) and the formation of Autonomic Compo-nent Ensables (ACEs), and for controlling the interaction among different ACs. SCEL is a very powerfullanguage that give the possibility to model knowledge and behavior of every AC. It is also possible tomanage which information is publicly available and this possibility allow to perform selective groupcommunications. Every AC has a knowledge repository that manage application data and awarenessdata, respectively used to represent computation progress and information about the environment. Aninterface is used to publish and make available structural and behavioral information in the form ofattributes. Finally, a process coordinates interactions with the external environment and the internalrepository trough actions execution.

The idea is to start with a customized semantics of SCEL that is more specific to our cooperationproblem. Several models could be considered: concurrent games and their generalization to partial ob-servability are right for our case but many undecidability results has been proved [1]; Markov decisionprocesses [11] (MDPs) could be considered as well, but they suffer from the curse of dimensional-ity, which makes classical approach relying on Bellman equation poorly scalable in presence of manystates, as in our case. Some other quantified semantic models relying on continuous-time Markov chains(CTMC) are currently investigated to follow the same approach of the fluid flow approximation tech-nique applied to the semantic model of PEPA [7]. We want to investigate approximation techniquesthat are emerging from recent application of the mean field analysis [6], in order to extend them to oursemantic model, that can be a combination of the previously listed models. Another model to consider isthe partially observable Markov decision process [9] (POMDP) that extends the MDP model introducinguncertainty about the current state. POMDPs generalize games with imperfect information and explicitlyrequire an MDP as hidden model. Also in this case extending the model using approximation techniquesfor MDPs is worth to be considered.

Finally we want to put into practice the proposed analysis. jRESP is a Java run-time environmentfor SCEL. It provides the programmer with a framework for developing autonomic and adaptive systemsbased on SCEL concepts. A concepts that is worth to be mentioned is the lack of any centralized controlthat is respected in the framework design. Moreover, a set of classes for simulating jRESP programs arepresent, and a statistical model-checker is provided.

Obtained and expected results

For the moment we have extended the jRESP framework providing a procedure to automatically gen-erate an optimized controller for adaptive agents. We rely on a POMDP model to describe the worlddynamics and how the agent can perceive and interact with the environment. We analyze this model atdesign-time to provide the adaptive agent with a run-time controller that maximize a given reward struc-ture. As expected, this approach results very performant at run-time, when time saving is essential, butpoorly scalable in the design-time analysis. The POMDP analysis has been performed using the pomdpsolve tool [3] that implements some of the most recent algorithm to solve this kind of problem [9], butunfortunately the problem is PSPACE-complete [10] for finite horizon solutions and undecidable [8] forinfinite horizon solutions.

173

CAS: language, model and approximation technique 3

We want to investigate if the mean field approximation already applied to MDPs can be extended tocover POMDP models. The first step is to find a model that fits aspects required by the approximationmethod and, at the same time, is able to express partial observability. Since the model requires thepresence of several agents with the same behaviour, observation could be modeled as perception of otheragents, emphasizing the number of agents in a specific state.

Future work

We want to provide the final system designer of an instrument to express the global target he wants toachieve. In this case, taking inspiration from model checking and planning, we want to propose a highlevel logic in which only public information can be used to express targets. A very easy case studycan consist of a group of agents that have to cover uniformly a given area: sub-locations density, thus,has eventually to be equally leveled. The utility of this logic is two-folded: if we use it to define theglobal target we are aiming to generation and deployment of adaptive controllers on agents and we areadopting a planning approach, if we consider, instead, an already existing set of deployed controllers wecan adopt a model checking approach, expressing which properties we want to be verified by the givenarrangement.

References[1] Patricia Bouyer, Nicolas Markey, and Steen Vester. Nash equilibria in symmetric games with partial obser-

vation. In SR, volume 146 of EPTCS, pages 49–55, 2014.[2] Manuele Brambilla, Eliseo Ferrante, Mauro Birattari, and Marco Dorigo. Swarm robotics: a review from the

swarm engineering perspective. Swarm Intelligence, 7(1):1–41, 2013.[3] Anthony R. Cassandra. Partially Observable Markov Decision Processes. http://pomdp.org/.[4] Anthony R. Cassandra. A survey of POMDP applications. Working Notes of AAAI 1998 Fall Symposium on

Planning with Partially Observable Markov Decision Processes, pages 17–24, 1998.[5] Rocco De Nicola, Michele Loreti, Rosario Pugliese, and Francesco Tiezzi. A formal approach to autonomic

systems programming: the SCEL Language. ACM Transactions on Autonomous and Adaptive Systems:1–29, (In Press) 2014.

[6] Nicolas Gast, Bruno Gaujal, and Jean-Yves Le Boudec. Mean field for markov decision processes: Fromdiscrete to continuous optimization. IEEE Trans. Automat. Contr., 57(9):2266–2280, 2012.

[7] Jane Hillston. Fluid flow approximation of pepa models. In QEST, pages 33–43, 2005.[8] Omid Madani, Steve Hanks, and Anne Condon. On the undecidability of probabilistic planning and related

stochastic optimization problems. Artif. Intell., 147(1-2):5–34, 2003.[9] Nicolas Meuleau, Kee-Eung Kim, Leslie Pack Kaelbling, and Anthony R. Cassandra. Solving pomdps by

searching the space of finite policies. CoRR, abs/1301.6720, 2013.[10] Christos H. Papadimitriou. Computational complexity. Academic Internet Publ., 2007.[11] J.J.M.M. Rutten, P. Panangaden, and F. Van Breugel. Mathematical techniques for analyzing concurrent and

probabilistic systems, volume 23 of CRM Monograph Series. American Mathematical Society, 2004.

174

Documents

Steering Committee - MOVEP'14movep14.irccyn.ec-nantes.fr/files/proceedings-movep14.pdfSteering Committee Franck Cassez (National ICT Australia , Sydney, Australia) Thierry J eron (Inria