CHAPTER 7 VERIFICATION USING TIMED AUTOMATA Finite automata and temporal logics have been used extensively to formally ver- ify qualitative properties of concurrent systems. The properties include deadlock- or livelock-freedom, the eventual occurrence of an event, and the satisfaction of a pred- icate. The need to reason with absolute time is unnecessary in these applications, whose correctness depends only on the relative ordering of the associated events and actions. These automata-theoretic and temporal logic techniques using finite- state graphs are practical in a variety of verification problems in network protocols, electronic circuits, and concurrent programs. More recently, several researchers have extended these techniques to timed or real-time systems while retaining many of the desirable features of their untimed counterparts. In this chapter, we present two automata-theoretic techniques based on timed au- tomata. The Lynch–Vaandrager approach [Lynch and Vaandrager, 1991; Heitmeyer and Lynch, 1994] is more general and can handle finite and infinite state systems, but it lacks an automatic verification mechanism. Its specification can be difficult to write and understand, even for relatively small systems. The Alur–Dill approach [Alur, Fix, and Henzinger, 1994] is less ambitious and is based on finite automata, but it of- fers an automated tool for verification of desirable properties. Its dense-time model can handle time values selected from the set of real numbers, whereas discrete-time models such as those in Statecharts and Modecharts use only integer time values. 7.1 LYNCH–VAANDRAGER AUTOMATA-THEORETIC APPROACH [Heitmeyer and Lynch, 1994] advocate the use of three specifications to formally describe a real-time system. A specification consists of the description of one or more 187 Real-Time Systems: Scheduling, Analysis, and Verification. Albert M. K. Cheng Copyright ¶ 2002 John Wiley & Sons, Inc. ISBN: 0-471-18406-3 188 VERIFICATION USING TIMED AUTOMATA timed automata. First, an axiomatic specification specifies the system in a descriptive, axiomatic style without showing how it operates. Then, an operational specification describes the operation of the system. A formal proof is required to show that the operational specification implements the axiomatic specification. There are several ways to construct this proof. [Lynch and Attiya, 1992; Lynch and Vaandrager, 1991] have used assertional techniques for untimed, concurrent, and distributed systems, and thus propose adapting these techniques to verify tim- ing properties of real-time systems. In particular, the method of simulations is used to establish the relationships (such as implementation) between two specifications described by two corresponding timed automata. Here, the concept of simulations includes special cases such as refinement mappings, backward and forward simula- tions,andhistory and prophecy mapping. Several definitions exist for a general timed automaton. One variation proposed by Lynch and Vaandrager is as follows [Lynch and Vaandrager, 1991]. Timed Automaton: Formally, a timed automaton A is a general labeled transition system with four components: states(A) is a set of states. start(A) is a nonempty set of start states. acts(A) is a set of actions. Actions can be internal or external. Internal actions are within the system. External actions include visible actions (which can be input or output actions) and special time-passage actions v(t),wheret is a positive real number. steps(A) is a set of steps (usually known as transitions in other definitions of automata). The number of states can be finite or infinite. To improve readability, the notation s π −→ A s  is used instead of (s,π,s  ) ∈ steps(A),whereA is a timed automaton. The subscript A is often omitted when no ambiguity exists. 7.1.1 Timed Executions Having defined the concept of a timed automaton, we next consider its behavior by observing its execution from one point in time to another. A timed execution is a se- quence of internal, visible, and time-passage actions, connected by their intervening states, and augmented with the notion of trajectories for each time-passage action. A trajectory indicates the state changes during time-passage steps. To formally define a time execution, we first define the notion of a timed execution fragment. Timed Execution: A timed execution fragment is a finite or infinite alternating se- quence α = ω 0 π 1 ω 1 π 2 ω 2 ., LYNCH–VAANDRAGER AUTOMATA-THEORETIC APPROACH 189 where (1) each ω i is a trajectory and each π i is a non-time-passage action, and (2) each π i+1 connects the final state s of the preceding trajectory ω i with the initial state s  of the succeeding trajectory ω i+1 , that is, s π i+1 −→ s  . If the first state of the first trajectory, ω 0 , of a timed execution fragment is a start state, then this fragment is a timed execution. A state of a timed automaton A is reachable if it is the final state of the final trajectory in some finite-timed execution of A.Atime of occurrence is associated with each instance of a state or action in a timed execution. This is done by summing all the preceding time-passage values. Note that this notion of time of occurrence is similar to that of the occurrence in real-time logic (RTL). Given a timed automaton A, of practical interest is the set atexecs(A) of admis- sible timed executions in which the total amount of time passage is ∞. Next, we define timed traces to represent the visible behavior of timed automata for solving verification problems. 7.1.2 Timed Traces A timed trace of any timed execution is the sequence of visible events that occur in the timed execution, paired with their times of occurrence. This sequence has the form (π 1 , t 1 ), (π 2 , t 2 ), (π 3 , t 3 ), ., where the πs are non-time-passage actions and the ts are non-negative real-valued times. The notation ttrace(α) denotes the timed trace of the timed execution α. The timed traces obtained from all the admissible timed executions of a timed automaton A constitute the set attraces(A) of admissible timed traces of A. Example. Consider a traffic semaphore with three light signals. Initially, there is no light when the system is off. Once it is turned on at time 0, the event turn green makes the green light turn on. Next, the event turn yellow, occurring 20 s later, turns the green light off and then the yellow light on. Next, the turn red event occurring 5 s later turns the yellow light off and then the red light on. Next, the event turn green, occurring 15 s later, turns the red light off and then the green light on. This sequence is repeated infinitely often. The timed trace of this timed execution is (turn green, 0), (turn yellow, 20), (turn red, 25), (turn green, 40), Operations on automata exist that allow the definitions of complex automata by combining simpler automata. These operations include projection and parallel com- position. 190 VERIFICATION USING TIMED AUTOMATA 7.1.3 Composition of Timed Automata To model a complex system, we need to combine several automata representing dif- ferent parts of the system through composition. Two timed automata A and B are compatible iff they have no common output actions and the internal actions of A are different from those of B. Then the composition of A and B, written as A × B, is the timed automaton with: states(A × B) = states( A) × states(B) start(A × B) = start( A) × start(B) acts(A × B) = acts(A) ∪ acts(B). Step (s A , s B ) π −→ A×B (s  A , s  B ) exists iff s A π −→ A s  A if π ∈ acts(A),else s A = s  A ,ands B π −→ B s  B if π ∈ acts(B),elses B = s  B . This means that A and B can execute jointly on a common input or time-passage action, or on an output of one that is an input of the other. 7.1.4 MMT Automata The above definition of a timed automaton is very general. To allow more efficient verification via simulations, a more specialized automaton is introduced. A Merritt– Modugno–Tuttle (MMT) automaton [Merritt, Modugno, and Tuttle, 1991] is an I/O automaton augmented with upper and lower bounds on time between specific ac- tions. The MMT automaton model can be used to represent many types of timed automata. An I/O automaton is a labeled transition system for representing an un- timed asynchronous system. Its internal and output actions are grouped into tasks. I/O Automaton: An I/O automaton A has the following components: states(A) is a set of states. start(A) is a nonempty subset of start states. acts(A) is a set of actions. Actions can be internal or external. External actions can be input or output actions. steps(A) is a set of steps (usually known as transitions in other publications). This is a subset of states( A) × acts( A) × states A). part(A) is a partition of the locally controlled (internal and output) actions into at most countably many equivalence classes. Note that the definition of a basic timed automaton is basically that of an I/O automaton extended with the notion of time for steps(A). To define an MMT au- tomaton, [Lynch and Attiya, 1992; Lynch and Vaandrager, 1991] extend the I/O automaton model with lower and upper time bound information. More precisely, an MMT automaton is an I/O automaton with only finitely many partition classes; and for each class C, lower and upper time bounds are defined and denoted lower(C) LYNCH–VAANDRAGER AUTOMATA-THEORETIC APPROACH 191 and upper(C),where0≤ lower(C)<∞ and 0 < upper(C) ≤∞. In other words, the lower bounds cannot be infinite and the upper bounds cannot be 0. Since an MMT automaton can represent the time differences between certain ac- tions in the modeled system or its component, the execution of the MMT automaton shows the behavior of the modeled system over time. A timed execution of an MMT automaton is an alternating sequence of the form s 0 ,(π 1 , t 1 ), s 1 , ., where the πs can be input, output, or external actions. For each i , s i π j+1 −→ s j+1 must hold such that the successive times are nondecreasing and are required to satisfy the specified lower and upper time bound requirements. The points at which the bounds for a class C begin to be measured are called initial indices. Index i is defined as an initial index for a class C enabled in state s i , and one of the following must hold: i = 0, C is not enabled in s j−1 ,orπ i ∈ C. With this definition, the following conditions must hold for every initial index i for aclassC: 1. If upper =∞, there exists k > i, t k ≤ t i + upper(C), such that either π k ∈ C or C is not enabled in state s k . 2. There does not exist k > i, t k < t i + lower(C),andπ k ∈ C. Condition (1) is the upper bound requirement; an upper bound of ∞ means that actions in the corresponding class may never occur. Condition (2) is the lower bound requirement. The condition of admissibility must also hold; that is, if the sequence is infinite, then the times of actions approach ∞. 7.1.5 Verification Techniques A problem P can be formulated as a set of finite or infinite sequences of actions with corresponding times. Then a timed automaton A is said to solve P if all its admissible timed traces are in P. Since we can express P as the set of admissible timed traces of another timed automaton B, the concept of admissible timed traces induces a preorder on timed automata. The notation A ≤ B means that the set of admissible timed traces of A is a subset of the set of admissible timed traces of B. Example. The following MMT automaton describes the behavior of the pedals of a simplified automobile, which has been specified in Statecharts in chapter 4. The automobile can be in one of three states: stop, move, or slow. The inputs are ap- ply accelerator, apply brake,andapply hand brake. The nontrivial time bounds are speed up: [0, t speedup ], slow: [0, t speedup ],andstop: [0, t speedup ],wheret speedup , t slow , and t stop are the upper bounds on the time for the car to speed up, slow, and stop, re- spectively. The state components now, latest(speedup), latest(slow),andlatest(stop) are also needed to add timing specifications to each state. As in the Statecharts specification, the MMT automaton shows that (1) the tran- sition from the state “stop” to the state “speed up” occurs when the accelerator is applied; (2) the transition from the state “speedup” to the state “slow” occurs when 192 VERIFICATION USING TIMED AUTOMATA the brake is applied; (3) the transition from the state “slow” to the state “speedup” oc- curs when the accelerator is applied; and (4) the transitions from the states “speedup” and “slow” to the state “stop” occur when the hand brake is applied. Automaton C: car’s pedals system States: status ∈ stop, slow, speedup, initially stop now, a non-negative real, initially 0 Transitions: apply accelerator Precondition: s.status ∈ stop, slow Effect: s  .status = to speedup s  .latest(speedup) = now + t speedup s  .latest(stop) =∞ s  .latest(slow) =∞ apply brake Precondition: s.status = speedup Effect: s  .status = to slow s  .latest(slow) = now + t slow s  .latest(speedup) =∞ s  .latest(stop) =∞ apply hand brake Precondition: s.status ∈ speedup, slow Effect: s  .status = stop s  .latest(stop) = now + t stop s  .latest(speedup) =∞ s  .latest(slow) =∞ speedup Precondition: s.status = speeding up Effect: s  .status = speedup s  .latest(speedup) =∞ ALUR–DILL AUTOMATA-THEORETIC APPROACH 193 slow Precondition: s.status = slowing Effect: s  .status = slow s  .latest(slow) =∞ stop Precondition: s.status = stopping Effect: s  .status = stop s  .latest(stop) =∞ 7.1.6 Proving Time Bounds with Simulations By including lower and upper time bounds on classes of the specification automaton, the Larch Prover [Garland and Guttag, 1991] has been used to perform simple simu- lation proofs for verifying timing properties of real-time and distributed systems. 7.2 ALUR–DILL AUTOMATA-THEORETIC APPROACH To verify that an implementation of a system satisfies the specification of the system, we first represent or encode the specification as a Buchi automaton A S and the imple- mentation as a Buchi automaton A I . Then we check that the implementation meets the specification iff L( A I ) ⊆ L( A S ), or check for the emptiness of L(A I )∩ L(A S ) C ; that is, the intersection of the languages accepted by the implementation and the lan- guages accepted by the complement of the specification (negation of the specifica- tion) is empty. Alur and Dill extend timed automata with a finite set of real-valued clocks to express timing constraints on non-clock variables. Clocks are like timers (or stop- watches) and thus can be reset (set to time 0). Clock values increase uniformly with time; that is, at any instant the value of a clock is equal to the time elapsed since the last time it was reset. Each transition in a timed automaton is labeled, in addition to the input symbol, with either a clock value assignment or a clock constraint. A transition with a clock constraint is enabled only if the current values of the clocks satisfy this timing constraint. We begin the discussion by reviewing untimed traces and then extend these to timed traces. 7.2.1 Untimed Traces A trace is a linear sequence of the observable events of a process. In general, each process has a set of observable events and the behavior of this process can be modeled by the set of its traces. For example, a traffic light turning green is an event in a traffic 194 VERIFICATION USING TIMED AUTOMATA light system, as is the opening of a valve in a fuel system. A trace is a linear sequence of sets of events in the Alur–Dill model. A trace and a process are defined formally as follows. Untimed Trace: Given a set E of events, an untimed trace or simply a trace ρ = ρ 1 ρ 2 ρ 3 ···is an infinite word over the set of nonempty subsets of E. A word is also known as a string in descriptions of automata and languages (chap- ter 2). Untimed Process: An untimed process is a pair (E, S) where E is the set of the observable events of the process and S is the set of the possible traces of the process. Example. Consider a traffic semaphore with three light signals. Initially the green light is on. Next, the green light turns off and then the yellow light turns on. Next, the yellow light turns off and then the red light turns on. Next, the red light turns off and then the green light turns on. This sequence is repeated infinitely often. By treating green, yellow,andred as events, the only possible trace is: ρ P ={green}, {yellow}, {red}, {green}, {yellow}, {red}, Keeping the notations simple by removing the set symbols, {}, this infinite sequence is denoted as green yellow red green yellow red ··· = (green yellow red) ω . Process P is denoted by ({green,yellow,red},(green yellow red) ω ). Operations on processes exist that allow the definitions of complex processes by combining simpler processes. These operations include projection and parallel com- position. 7.2.2 Timed Traces In the Alur–Dill model, a real-valued time is associated with each symbol in a word to form a timed word. Time Sequence: A time sequence τ = τ 1 ,τ 2 ,τ 3 ., where τ i is a positive real number, is an infinite sequence of time values such that (1) the sequence increases strictly monotonically and (2) for every real number, there is a τ j with a larger value. Note that condition 2 prevents an infinite number of events to occur within a finite period of time. ALUR–DILL AUTOMATA-THEORETIC APPROACH 195 Timed Word: A timed word over an alphabet  is a pair (ρ, τ) where ρ is an infi- nite word and τ is a time sequence. Timed Language: A timed language over an alphabet  is a set of timed words over . Using these definitions, if each symbol ρ i denotes the occurrence of an event, the corresponding time value τ i indicates the time of occurrence of this event. Example. A timed language: Given an alphabet with two events, {ok, timeout}, define a timed language L consisting of all timed words ( ρ,τ) such that there is no ok after time 10.5; that is, the event timeout definitely becomes true at time 10.5 but may be true earlier. Formally, the language is: L ={( ρ,τ) |∀i ((τ i > 10.5) → (ρ i = timeout))}. This concept of a time value associated to an event occurrence is similar to the time value given by the occurrence function in real-time logic (chapter 6) and the chronos variable in time ER nets (chapter 8). An occurrence function assigns a time to the occurrence of an instance of an event. A variable chronos assigns a time- stamp to the production of a token in a Petri net. The following Untime operation is a projection of a timed trace ( ρ,τ) on the first component, the sequence of event occurrences ρ. This operation effectively deletes the time values corresponding to the event occurrence symbols and is useful when we do not need the absolute time values. Untime Operation: Given a timed language L over an alphabet , Untime(L) is the ω-language with words ρ such that (ρ, τ) ∈ L for some time sequence τ . Example. We apply the Untime operation to the above language L: Untime(L) = ω-language with words containing only finitely many oks. Timed Trace: A time trace over a set E of events is a pair ( ρ,τ) where ρ is a (untimed) trace over the set E and τ is a time sequence. Timed Process: A timed process is a pair (E, L) where E is a (finite) set of events and L is a set of timed traces over the set E. Example. A timed process: Consider the climate control system example shown in Figure 2.13 (chapter 2). To simply this example, we focus on the events in the heater section. Assume that the initial instances of the events occur at fixed times and that subsequent instances of the corresponding events occur at fixed time intervals. The event turn on heater happens 10 s after the event cold occurs, followed by the 196 VERIFICATION USING TIMED AUTOMATA event comfort 5 s later, followed by the event turn off heater 5 s later, followed by the event cold 30 s later. Suppose the event cold first occurs at time 0. This process is represented by a timed process: P T = ({cold,turn on heater,comfort,turn off heater}, {ρ P }) and it has a single time trace ρ P = (cold, 0), (turn on heater, 10), (comfort, 15), (turn off heater, 20), (cold, 50), (turn on heater, 60), (comfort, 65), (turn off heater, 70), (cold, 100) . Again, the Untime operation can be used to delete the time values corresponding to events. Untime Operation for a Process: Given a timed process P = (E , L), Untime [(E, L)] is the untimed process where E is the event set and the trace set with traces ρ such that for some sequence ρ, (ρ, τ) ∈ L. Example. Automaton α 1 : Consider again the example of the automatic air condi- tioning and heating system (Figure 2.13) in chapter 2, which specifies the operations of a climate control system according to changes to a room temperature. The au- tomaton representing this system can only specify relative ordering of the events but cannot specify when these events should occur. Hence, it cannot be used to verify a timing-dependent climate control system. Now we introduce timing constraints to the transitions of this automaton, yielding the timed automaton shown in Figure 7.1. Two clocks (clock variables) are present in the transition table, c 1 and c 2 . Suppose the automaton starts in state s 0 and reads the input symbol cold, then it takes the tran- sition (indicating that the room temperature falls below 68 ◦ F)andmovestostates 4 . The clock c 1 is reset (set to 0 by the assignment c 1 := 0) along this transition. In S 1 S 3 S 2 (c < 10)? 1 (c < 2)? 1 c := 0 2 c := 0 2 c := 0 1 c := 0 1 (c < 5)? 2 (c < 2)? 2 4 S 5 S 6 S S cold hot comfort comfort turn_off_ac turn_on_ac turn_on_heater turn_off_heater 0 Figure 7.1 Automaton α 1 for automatic air conditioning and heating system. [...]... finite-state hardware systems It provides a Verilog front end and supports fair CTL model checking (described in chapter 4), language-emptiness checking, combinational and sequential equivalence checking, cycle-based simulation, and hierarchical synthesis More details about VIS can be found at http://www-cad.eecs.berkeley.edu/Respep/Research/vis/ HSIS [Aziz et al., 1994] is a binary decision tree (BDD)-based... TBAs with infinite extended states, corresponding region automata are introduced The verification algorithm can verify the correctness of finite-state real-time systems TBAs model finite-state real-time systems The objective is to check that the implementation of a real-time system meets the specification of this system Both the implementation and the specification are first represented by timed automata Then... extended states, corresponding region automata are introduced The verification algorithm to be described can verify the correctness of finitestate real-time systems TBAs model finite-state real-time systems The objective is to check that the implementation of a real-time system meets the specification of this system Both the implementation and the specification are first represented by TBAs Then we prove that... modelchecking algorithm that allows a symbolic representation of the infinite-state space by sets of linear constraints More details about Kronos can be found at http://www-verimag.imag.fr/TEMPORISE/kronos/ HyTech (HYbrid TECHnology Tool) [Alur, Henzinger, and Ho, 1996; Henzinger, Ho, and Wong-Toi, 1995; Henzinger, Ho, and Wong-Toi, 1997] is a tool for the analysis of embedded systems with continuous... job-shop scheduling Recently, [Larsen et al., 2001] studied efficient cost-optimal reachability analysis for priced timed automata [Dang, 2001] investigated the binary reachability analysis of pushdown timed automata with dense clocks 7.6 SUMMARY Qualitative properties of concurrent systems can be formally verified using finite automata and temporal logics These properties include deadlock- or livelock-freedom,... automata-theoretic and temporal logic techniques using finite-state graphs are practical in a variety of verification problems in network protocols, electronic circuits, and concurrent programs More recently, several researchers have extended these techniques to timed or real-time systems while retaining many of the desirable features of their untimed counterparts In this chapter, we present two automata-theoretic... http://www.research.compaq.com/SRC/larch/larch-home.html Several tools are available that allow the specification of real-time systems as finite-timed automata and perform verification 206 VERIFICATION USING TIMED AUTOMATA COSPAN (COordinated SPecification ANalysis) [Courcoubetis et al., 1992a; Alur, Henzinger, and Ho, 1996] is a verifier that supports automata-theoretic verification of coordinating processes... analysis A sample of these results includes [Abadi and Lamport, 1991; Lynch and Vaandrager, 1992; Shaw, 1992] The Lynch–Vaandrager automata-theoretic approach [Lynch and Vaandrager, 1991; Heitmeyer and Lynch, 1994] is very general and can handle finite- and infinite-state systems, but it lacks an automatic verification mechanism The Alur– Dill approach [Alur, Fix, and Henzinger, 1994] and is based on finite... Prover (LP) [Garland and Guttag, 1991] to perform simple simulations proof for verifying timing properties of real-time and distributed systems specified as MMT automata LP is an interactive theorem-proving system developed at MIT by Stephen J Garland and John V Guttag for multisorted first-order logic It is used to reason about concurrent algorithms, circuit designs, hardware, and software LP is intended... automatic algorithms for the early quantification problem More details about HSIS can be found at http://www-cad.eecs.berkeley.edu/Respep/Research/hsis/ Kronos [Yovine, 1997] is a tool for modeling the components of real-time systems using timed automata The correctness requirements are specified in the real-time temporal logic TCTL TCTL extends the CTL temporal logic (described in chapter 4) to provide quantitative . correctness of finite- state real-time systems. TBAs model finite-state real-time systems. The objective is to check that the implementation of a real-time system. 2 , t 2 ), (π 3 , t 3 ), ., where the πs are non-time-passage actions and the ts are non-negative real-valued times. The notation ttrace(α) denotes the