Forward Reachability of Time Automata with Action Durations

Souad GUELLATI

Ilham KITOUNI

Riadh MATMAT

Djamel Eddine SAIDOUNI

MISC Laboratory, Constantine 2 University, Constantine, 25000, Algeria {guellati, kitouni, matmat, saidouni}@misc-umc.org

Abstract—Timed automata are widely used to model real-time systems. In this paper we are concerned with durational actions timed automata (daTA), which are timed automata handling action durations and true concurrency. Our aim is to compute efficiently the state space of a daTA in order to verify quantitative timing requirements while preserving the true concurrency property. We have designed a new zone graph under the maximality semantics, named Maximality-based Symbolic Graph (MSG), for describing the symbolic execution of daTA. An algorithm based on symbolic, on-the-fly forward reachability analysis for durational actions timed automata is presented. In the implemented tool TaMaZG, a daTA description is compiled into an MSG and represented symbolically using the Difference Bounded Matrices (DBM) data structure.

Keywords- Real-time systems, maximality semantics, (durational actions) timed automata, zone graph, forward analysis algorithm, DBM.

I. INTRODUCTION

Nowadays, formal verification is increasingly used as a part of the design process. There is a growing need to deal with the real-time aspects of systems in efficient tools. Model Checking [11, 10] is one of the most automated and powerful techniques used when designing and debugging critical reactive systems. It has been extended to real-time systems, in which quantitative (timed) requirements are essential. Timed automata (TA) were proposed to specify quantitative requirements expressed by timing constraints [2]; they are an extension of finite state automata with an arbitrary but finite number of clocks in continuous time. TA are very suitable for modeling and verifying real-time systems: indeed they ensure a good balance between expressiveness and tractability, and they are supported by many verification tools. Their decidability has been proved using the so-called region graph construction. The region graph provides a timed abstraction of the behavior of timed automata, but it is not used for implementing practical tools because of the size of the graph and the complexity of the algorithms. The zone graph was proposed as an alternative, efficient implementation of timed automata based on adapted data structures such as Difference Bound Matrices (DBM) [11]. Most real-time model checking tools, like UPPAAL [16] and Kronos [20], apply zones, which are much more practical and efficient symbolic states.

Timed automata assume a “global clock” semantics, i.e., all clocks advance simultaneously and at the same rate (and there is a common initial instant). All possible executions of a TA are then represented by a transition system. The underlying semantics, called interleaving semantics, is adopted: actions are instantaneous, time can elapse in states, and the constraints that govern the execution of edges are temporal formulas on clocks. In real-world systems, actions are not instantaneous but have durations. This realistic characteristic is important in many cases. The durational actions timed automata (daTA) [17] [15] [3] are a form of timed automata that admit a more natural representation of action durations and carry true concurrency. They are based on maximality semantics [18]. Maximality semantics has been proved necessary and sufficient for both the refinement process and the duration of actions [18]. In [19] a real-time process language, D-LOTOS, is proposed that supports maximality semantics. In [17] the daTA model is defined, and a nice characterization of the model is presented in [15]. More recently, daTA has been used as a semantic support of temporally timed Petri nets [3]. Interleaved interpretations of concurrency are justified by the assumption that all actions are atomic; a direct consequence is that no two actions can occur simultaneously. In contrast, models based on maximality semantics represent concurrent actions differently from choice. So the daTA model allows i) carrying the durations of actions, which is a realistic assumption for specifying systems in a natural way, and ii) considering true concurrency. To model the duration of actions, every edge of the automaton is annotated with constraints on clocks which implicitly enclose the durations of the actions already started. A single clock is reset on every edge; resetting a clock corresponds to the beginning of an event.
The termination of an action is captured by information on the locations of the automaton, precisely on the destination location of the transition: a set of temporal formulas identifies the actions in execution at that state. In fact, the duration of an action is either in the constraint of the following edge, if there is a dependence between the following actions, or otherwise in the next locations, which means that the action is not over yet. This elegant way of capturing durations is the effect of the maximality semantics. Another important aspect of real-time systems is urgency, i.e., actions whose execution cannot be delayed beyond a certain time bound; in the daTA model urgency is represented by deadlines as proposed in [7] [13].

In daTA, deadlines replace invariants as time progress conditions (TPC). Deadlines are clock constraints associated directly with edges in the automaton, which express the set of states where the corresponding action is expected to be executed without delay. An essential question for verification purposes on timed automata is to decide the emptiness of a timed automaton, named the emptiness problem. This problem is equivalent to the reachability problem, which tests whether a state can be reached in a timed automaton. In the literature the emptiness problem is proved to be decidable for timed automata [2] [21]. This result is based on the construction of the region graph, which is a timed abstraction of the timed transition system. The region graph construction suffers from a combinatorial explosion of the state space. However, in practice, the search algorithms are implemented through a symbolic reachability graph based on zones. Zones are convex polyhedra [1] (a zone can be represented by a conjunction of clock constraints in C_X). When considering the durational actions timed automata model, we investigate maximality-based semantics on the zone graph.

Our contribution. In order to preserve all achievements of the maximality semantics, namely durations of actions and true concurrency, when creating the zone graph we have to preserve the maximality information delivered by the daTA specification. We think it is beneficial to keep the maximality semantics even in the symbolic representation of the executions of a daTA. The fundamental interest of this new approach is to propose a structure based on zones (i.e., implementable) for the reachability analysis and all other validation needs of concurrent (possibly distributed) real-time systems. We propose an adaptation of the classical forward analysis algorithm based on the maximality semantics and performed on the symbolic graph. We also explain how this algorithm is implemented using the DBM data structure.
Note that this data structure is adapted to the implementation of algorithms for timed automata and is also very useful for proving properties of timed automata. To illustrate the idea we present a simple example of an automatic teller machine (ATM) system, and we succinctly present the tool developed in the MISC Laboratory to handle different facets of formal validation based on maximality semantics.

Paper outline. Section 2 recalls some basic definitions about the durational actions timed automata model. Section 3 proposes the definition of the Maximality-based Zone Graph (MZG). Section 4 describes the Difference Bound Matrices (DBM) data structure for representing clock zones. Section 5 presents the construction algorithm of the MZG, and in Section 6 the implemented tool is described. Section 7 concludes the paper and gives some perspectives.

II. TIMED AUTOMATA WITH MAXIMALITY SEMANTICS

The durational actions timed automata (daTA) model is a form of timed automata that admits a more natural representation of action durations and urgent actions. The daTA model was proposed and used for describing the semantics of D-LOTOS [17] and of durational timed Petri nets (DTPN) [3]. Several characteristics and good properties of the daTA model are established in [15], such as determinization and expressiveness. In fact, this model extends the timed automata model with the maximality semantics [18]. Another interesting particularity of the daTA model is that only a single clock is reset on each transition. The reset clock models the beginning of the action. The action terminates when the associated clock reaches the action duration. Consequently, each action has its own (associated) clock. This clock will be used in the construction of the timing constraints as guards of the transitions.

[Figure 1: locations l0 : ∅ and l1 : {x ≥ 5}; edge a from l0 to l1 resets x ≔ 0; from l1, edge b has guard g : x ≥ 5, deadline d : x ≥ 8 and reset y ≔ 0, and edge c has guard g : x ≥ 5, deadline d : false and reset y ≔ 0.]

Figure 1. A daTA (A).

Figure 1 depicts a daTA (A) in which the system first performs the action a at any moment and resets the clock x to 0. As time progresses, the value of x increases, and when it reaches 5 the actions b and c become enabled. This is controlled by the guard g : x ≥ 5. At any point after x reaches 5, those transitions may take place, but as time continues to progress and x exceeds 8, the deadline d : x ≥ 8 obliges the execution of the b transition. The temporal formulas {x ≥ 5}, {y ≥ 14} and {y ≥ 10} on locations represent information over the durations of actions a, b and c respectively. Another important aspect raised by the durational actions timed automata model (daTA) is urgency. daTA admits a more natural representation of urgent actions, named deadlines, which are clock constraints associated directly with edges in the automaton (for illustration see Fig. 1 (b)).

A. Some Notations

In the following we consider ℝ+, the set of nonnegative real numbers. Clocks are real variables taking values from ℝ+. Let X be a set of clocks; a clock valuation over X is a function that assigns a nonnegative real number to every clock. V_X is the set of total valuation functions from X to ℝ+. A valuation is noted v ∈ V_X, and for d ∈ ℝ+, v + d maps every clock x to v(x) + d. For λ ⊆ X, the valuation v[λ ≔ 0] is defined by v[λ ≔ 0](x) = 0 if x ∈ λ, and v(x) otherwise. The set C_X of clock constraints g is defined by the grammar g ::= x ∼ c | g ∧ g | true, where x ∈ X, c ∈ ℕ and ∼ ∈ {, =, ≤, ≥}. We write v ⊨ g when the valuation v satisfies the clock constraint g over X, i.e. iff g evaluates to true according to the values given by v.

B. Syntax and Semantics

The formal description of durational actions timed automata is as follows. A daTA A is a tuple (L, l0, Act, M, X, E) where L is a finite set of locations, l0 ∈ L is the initial location, and L_f ⊆ L is the set of terminal (final) locations. Act is a finite set of actions, X is a finite set of clocks, and E ⊆ L × 2^{C_X} × 2^{C_X} × Act × X × L is a finite set of edges. An edge e = (l, g, d, a, x, l') ∈ E represents a transition from location l to l' that launches the execution of action a whenever the guard g becomes true. In addition, the deadline d imposes an urgency condition by which the transition cannot be delayed whenever d is satisfied, and x is the clock to be reset at this transition. M : L → 2^{C_X} is a maximality function which decorates each location with a set of timed formulas named action durations. These formulas indicate the status of action execution at the corresponding state. M(l0) = ∅ means that no action has started yet. We define the Action Label Occurrence ALO : 2^{C_X} → 2^{Act} as the function which gives the clock names occurring in a given set of timed formulas, recursively by:

ALO(∅) = ∅
ALO({x ∼ d(a)}) = {a}
ALO({F1, F2, …, Fn}) = ⋃_{i=1..n} ALO(Fi)

where Fi ∈ 2^{C_X}, x ∈ X, ∼ ∈ {=, , ≤, ≥} and d(a) ∈ ℝ+ is the duration of action a.

The semantics of a daTA A = (L, l0, Act, M, X, E) is a Timed Transition System TTS_A = (Q, q0, →), where Q = {(l, v) | l ∈ L and v ∈ V_X}, q0 = (l0, v0) such that ∀x ∈ X, v0(x) = 0, and the transition relation → ⊆ Q × (Act ∪ ℝ+) × Q consists of the discrete and continuous transitions:

The discrete transition is defined for all e ∈ E by rule R1: if (l, g, d, a, x, l') ∈ E and v ⊨ g, then

(l, v) -a-> (l', v[x ≔ 0])

The continuous transition is defined for all 𝑑 ∈ ℝ+ by 𝑑∈ℝ+ ∀𝑑 ′
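The Figure 1 automaton, the valuation operations of Section II.A and rule R1, as an added executable example (not the paper's or the TaMaZG tool's code). The destination locations l2 and l3 of edges b and c are assumed names, edge a is given the deadline false since the figure shows none, and the continuous (delay) rule is only reflected by reporting which deadlines currently hold.

```python
# Added example (not from the paper or TaMaZG): the daTA of Figure 1, with
# v |= g, v + d, v[lam := 0], ALO and the discrete rule R1. l2/l3 are assumed.
from operator import eq, le, ge

OPS = {"=": eq, "<=": le, ">=": ge}   # the ~ operators given on the page
FALSE = None                          # the constraint 'false' (deadline of edge c)

def satisfies(v, g):
    """v |= g: g is a conjunction of atoms (clock, op, const); [] is 'true'."""
    if g is FALSE:
        return False
    return all(OPS[op](v[x], c) for x, op, c in g)

def delay(v, d):
    """v + d: every clock advances by d."""
    return {x: t + d for x, t in v.items()}

def reset(v, lam):
    """v[lam := 0]: clocks in lam are set to 0, the others keep their value."""
    return {x: (0 if x in lam else t) for x, t in v.items()}

# Edges (l, g, d, a, x, l') of Figure 1; l2 and l3 are assumed location names.
EDGES = [
    ("l0", [], FALSE, "a", "x", "l1"),
    ("l1", [("x", ">=", 5)], [("x", ">=", 8)], "b", "y", "l2"),
    ("l1", [("x", ">=", 5)], FALSE, "c", "y", "l3"),
]
# Maximality function M: location -> set of duration formulas (clock, op, d(a), a).
M = {"l0": set(), "l1": {("x", ">=", 5, "a")},
     "l2": {("y", ">=", 14, "b")}, "l3": {("y", ">=", 10, "c")}}

def alo(formulas):
    """ALO: the action labels occurring in a set of duration formulas."""
    return {a for (_x, _op, _d, a) in formulas}

def discrete_successors(l, v):
    """Rule R1: every edge from l whose guard holds yields (a, l', v[x := 0])."""
    return [(a, l2, reset(v, {x}))
            for (l1, g, _d, a, x, l2) in EDGES if l1 == l and satisfies(v, g)]

def urgent_actions(l, v):
    """Enabled edges whose deadline holds at (l, v): time must not elapse further."""
    return [a for (l1, g, d, a, _x, _l2) in EDGES
            if l1 == l and satisfies(v, g) and satisfies(v, d)]

if __name__ == "__main__":
    (_, l1, v1), = discrete_successors("l0", {"x": 0, "y": 0})   # fire a, reset x
    print(discrete_successors(l1, delay(v1, 6)))   # b and c enabled at x = 6
    print(urgent_actions(l1, delay(v1, 8)))        # deadline of b holds at x = 8
```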