Automated Predicate Abstraction for Real-Time Models

(1)

F

% %DGEDQ 6 /HXH -* 6PDXV 7KLV ZRUN LV OLFHQVHG XQGHU WKH

&UHDWLYH &RPPRQV $WWULEXWLRQ /LFHQVH

$XWRPDWHG 3UHGLFDWH $EVWUDFWLRQ IRU 5HDO7LPH 0RGHOV

%DKDUHK %DGEDQ 6WHIDQ /HXH

'HSDUWPHQW RI &RPSXWHU DQG ,QIRUPDWLRQ 6FLHQFH 8QLYHUVLW\ RI .RQVWDQ] *HUPDQ\

-DQ*HRUJ 6PDXV

,QVWLWXW IXU ,QIRUPDWLN 8QLYHUVLWDW )UHLEXUJ *HUPDQ\

,QWURGXFWLRQ 0RGHO FKHFNLQJ KDV EHHQ ZLGHO\ VXFFHVVIXO LQ YDOLGDWLQJ DQG GHEXJJLQJ KDUGZDUH GHVLJQV DQG FRPXQLFDWLRQ SURWRFROV +RZHYHU VWDWHVSDFH H[SORVLRQ LV DQ LQ WULQVLF SUREOHP ZKLFK OLPLWV WKH DSSOLFDELOLW\ RI PRGHO FKHFNLQJ WRROV 7R RYHUFRPH WKLV OLPLWDWLRQ VRIWZDUH PRGHO FKHFNHUV KDYH VXJJHVWHG GLIIHUHQW DSSURDFKHV DPRQJ ZKLFK DE VWUDFWLRQ PHWKRGV KDYH EHHQ KLJO\ HVWHHPHGPRGHUQ WHFKQLTXHV $PRQJ RWKHUV SUHGLFDWH DEVWUDFWLRQ LV D SURPLQHW WHFKQLTXH ZKLFK KDV EHHQ ZLGHO\ XVHG LQ PRGHUQ PRGHO FKHFNLQJ 7KLV WHFKQLTXH KDV EHHQ VKRZQ WR HQKDQFH WKH HIIHFWLYHQHVV RI WKH UHDFKDELOLW\ FRPSXWDWLRQ WHFKQLTXH LQ LQI QLWHVWDWH V\VWHPV ,Q WKLV WHFKQLTXH DQ LQI QLWHVWDWH V\VWHP LV UHSUHVHQWHG DEVWUDFWO\ E\ D I QLWHVWDWH V\VWHP ZKHUH VWDWHV RI WKH DEVWUDFW PRGHO FRUUHVSRQG WR WKH WUXWK YDOXDWLRQV RI D FKRVHQ VHW RI DWRPLF SUHGLFDWHV

3UHGLFDWH DEVWUDFWLRQ ZDV I UVW LQWURGXFHG LQ >@ DV D PHWKRG IRU DXWRPDWLFDOO\ GHWHU PLQLQJ LQYDULDQW SURSHUWLHV RI LQI QLWHVWDWH V\VWHPV 7KLV WHFKQLTXH LQYROYHV DEVWUDFWLQJ D FRQFUHWH WUDQVLWLRQ V\VWHP XVLQJ D VHW RI IRUPXODV FDOOHGpredicates ZKLFK XVXDOO\ GHQRWH VRPH VWDWH SURSHUWLHV RI WKH FRQFUHWH V\VWHP

7KH SUDFWLFDO DSSOLFDELOLW\ RI SUHGLFDWH DEVWUDFWLRQ LV LPSHGHG E\ WZR SUREOHPV )LUVW SUHGLFDWHV QHHG WR EH SURYLGHG PDQXDOO\ > @ 7KLV PHDQV WKDW WKH VHOHFWLRQ RI DSSURSULDWH DEVWUDFWLRQ SUHGLFDWHV LV EDVHG RQ D XVHUGULYHQ WULDODQGHUURU SURFHVV 7KH KLJK GHJUHH RI XVHU LQWHUYHQWLRQ DOVR VWDQGV LQ WKH ZD\ RI D VHDPOHVV LQWHJUDWLRQ LQWR SUDFWLFDO VRIWZDUH GHYHORSPHQW SURFHVVHV 6HFRQG YHU\ RIWHQ WKH DEVWUDFWLRQ LV WRR FRDUVH LQ RUGHU WR DOORZ UHOHYDQW V\VWHP SURSHUWLHV WR EH YHULI HG 7KLV FDOOV IRU DEVWUDFWLRQ UHI QHPHQW >@ RIWHQ IROORZLQJ D FRXQWHUH[DPSOH JXLGHG DEVWUDFWLRQ UHI QHPHQW VFKHPH > @

5HDO WLPH PRGHOV DUH RQH H[DPSOH RI V\VWHPV ZLWK D ODUJH VWDWH VSDFH DV WLPH DGGV PXFK FRPSOH[LW\ WR WKH V\VWHP ,Q WKLV HYHQW UHFHQWO\ WKHUH KDYH EHHQ LQFUHDVLQJ QXPEHU RI UHVHDUFK WR SURYLGH D PHDQV IRU WKH DEVWUDFWLRQ RI VXFK PRGHOV ,W LV WKH REMHFWLYH RI WKLV SDSHU WR SURYLGH VXSSRUW IRU DQ DXWRPDWHG SUHGLFDWH DEVWUDFWLRQ WHFKQLTXH IRU FRQFXUUHQW GHQVH UHDOWLPH PRGHOV DFFRUGLQJ WR WKH WLPHG DXWRPDWRQ PRGHO RI >@ :H SURSRVH D PHWKRG WR JHQHUDWH DQ HII FLHQW VHW RI SUHGLFDWHV WKDQ D PDQXDO DGKRF SURFHVV ZRXOG EH DEOH WR SURYLGH :H XVH WKH UHVXOWV IURP RXU UHFHQW ZRUN >@ WR DQDO\]H WKH EHKDYLRU RI WKH V\VWHP XQGHU YHULI FDWLRQ WR GLVFRYHU LWV ORFDO VWDWH LQYDULDQWV DQG WR UHPRYH WUDQVLWLRQV WKDW FDQ QHYHU EH WUDYHUVHG :H WKHQ GHVFULEH D PHWKRG WR FRPSXWH D SUHGLFDWH DEVWUDFWLRQ EDVHG RQ WKHVH VWDWH LQYDULDQWV :H XVH LQIRUPDWLRQ UHJDUGLQJ WKH FRQWURO VWDWH ODEHOV DV ZHOO DV WKH QHZO\ FRPSXWHG LQYDULDQWV LQ WKH FRQVLGHUHG FRQWURO VWDWHV ZKHQ GHWHUPLQLQJ WKH DEVWUDFWLRQ SUHGLFDWHV :H KDYH GHYHORSHG D SURWRW\SH WRRO WKDW LPSOHPHQWV WKH LQYDULDQW GHWHUPLQDWLRQ :RUN LV XQGHU ZD\ WR DOVR LPSOHPHQW WKH FRPSXWDWLRQ RI D SUHGLFDWH DEVWUDFWLRQ EDVHG RQ

Accepted for publication in: International Workshop on Verification of Infinite-State Systems (INFINITY 2009) EPTCS 10, 2009, pp. 36–43

Konstanzer Online-Publikations-System (KOPS) URN: http://nbn-resolving.de/urn:nbn:de:bsz:352-opus-105997

URL: http://kops.ub.uni-konstanz.de/volltexte/2010/10599/

(2)

RXU SURSRVHG PHWKRG :H SODQ WR HPEHG RXU DSSURDFK LQWR D FRPSUHKHQVLYH DEVWUDFWLRQ DQG UHI QHPHQW PHWKRGRORJ\ IRU WLPHG DXWRPDWD

5HODWHG :RUN $Q LQWHUDFWLYH PHWKRG IRU SUHGLFDWH DEVWUDFWLRQ RI UHDOWLPH V\VWHPV ZKHUH D VHW RI SUHGLFDWHV FDOOHGbasisLV SURYLGHG E\ WKH XVHU LV SUHVHQWHG LQ >@ 7KH PDQXDO FKRLFH RI WKH DEVWUDFWLRQ EDVLV GHSHQGV RQ WKH XVHU¶V XQGHUVWDQGLQJ RI WKH V\VWHP 7KH ZRUN SUHVHQWHG LQ > @ SURSRVHV DQ DEVWUDFWLRQ PHWKRG ZKLFK LV EDVHG RQ LGHQWLI\LQJ D VHW RI SUHGLFDWHV WKDW LV I QH HQRXJK WR GLVWLQJXLVK EHWZHHQ DQ\ WZR FORFN UHJLRQV DQG ZKLFK FUHDWHV D VWURQJO\ SUHVHUYLQJ DEVWUDFWLRQ RI WKH V\VWHP 7KH EDVLV SUHGLFDWHV DUH GLVFRYHUHG E\ VSXULRXV SDWKV REWDLQHG WKURXJK PRGHOFKHFNLQJ RI WKH V\VWHP $OVR LQ WKLV DSSURDFK WKH FKRLFH RI WKH RULJLQDO VHW RI SUHGLFDWHV UHOLHV RQ WKH XVHU¶V XQGHUVWDQGLQJ RI WKH V\VWHP DV ZHOO DV RQ WKH FRXQWHUH[DPSOH JHQHUDWLRQ H[SHULPHQWV 7R WKH EHVW RI RXU NQRZOHGJH DW WKH WLPH RI ZULWLQJ WKHUH KDV EHHQ QR UHVHDUFK GRQH RQautomaticallyJHQHUDWLQJ LQYDULDQWV SUHGLFDWHV IRU GHQVH UHDO WLPH PRGHOV ZKLFK ZLOO EH WKH FHQWUDO FRQWULEXWLRQ RI RXU SDSHU ,Q WKH IXQFWLRQDO VHWWLQJ WKH &(*$5 PHWKRGRORJ\ EDVHG RQ WKH VHPLQDO SDSHU >@ KDV EHHQ UDWKHU LQI XHQWLDO LQ WKH GHYHORSPHQW RI KDUG DQG VRIWZDUH YHULI FDWLRQ PHWKRGRORJLHV HJ >@ $EVWUDFWLRQ SUHGLFDWH GLVFRYHU\ EDVHG RQ WKH DQDO\VLV RI VSXULRXV FRXQWHUH[DPSOHV LV DW WKH KHDUW RI WKH ZRUN LQ >@ 7KH DSSURDFKHV SUHVHQWHG LQ > @ DQG LQ >@ XVH LQWHU SRODWLRQ WR GHWHFW IHDVLELOLW\ RI DQ DEVWUDFW WUDFH >@ LQWURGXFHV D SURRIEDVHG DXWRPDWLF SUHGLFDWH DEVWUDFWLRQ

3UHOLPLQDU\ 'HI QLWLRQV DQG RXU 3UHYLRXV 5HVXOWV

7LPHG $XWRPDWD DQG WKHLU 6HPDQWLFV 7R KDYH WKLV DUWLFOH VHOIFRQWDLQHG ZH QHHG WR EUHLI \ H[SODLQ VRPH RI WKH UHVXOWV LQ >@ $timed automaton > @FRQVLVWV RI D I QLWH VWDWH DXWRPDWRQ WRJHWKHU ZLWK D I QLWH VHW RI FORFN YDULDEOHV VLPSO\ FDOOHGclocks DQG D I QLWH VHW RI LQWHJHU YDULDEOHV ,Q WKH QRWDWLRQ ZH GLVWLQJXLVK FORFN DQG LQWHJHU YDULDEOHV RQO\ ZKHUH QHFHVVDU\ &ORFNV DUH QRQQHJDWLYH UHDO YDOXHG YDULDEOHV ZKLFK DOO LQFUHDVH DW WKH VDPH VSHHG ZKLOH LQWHJHUV FKDQJH RQO\ ZKHQ WKHUH LV DQ H[SOLFLW DVVLJQPHQW ,QLWLDOO\ DOO FORFNV DUH VHW WR $ FORFN PD\ EH UHVHW EXW DIWHUZDUGV LW LPPHGLDWHO\ VWDUWV UXQQLQJ DJDLQ 7KH I QLWH VWDWH DXWRPDWRQ GHVFULEHV WKH V\VWHPcontrolVWDWHV RI WKH V\VWHP ZKLFK DUH UHIHUUHG WR DV locations DV ZHOO DV LWV WUDQVLWLRQV EHWZHHQ ORFDWLRQV $ state RU FRQI JXUDWLRQ RI WKH V\VWHP KDV WKH IRUP hl,ui ZKHUH lLV WKH FXUUHQW FRQWURO ORFDWLRQ DQG uLV D YDOXDWLRQ IXQFWLRQ ZKLFK DVVLJQV WR HDFK YDULDEOH LWV FXUUHQW YDOXH )RUd∈R⁺ ZH GHQRWH E\u+d D YDOXDWLRQ WKDW DVVLJQV WR HDFK FORFNxWKH YDOXHu(x) +d LH LW LQFUHDVHV WKH YDOXH RI DOO FORFNV E\d ZKLOH WKH LQWHJHU YDULDEOHV UHPDLQ XQFKDQJHG G(X)GHQRWHV WKH VHW RI FORFN RU LQWHJHU constraints g IRU D VHW X RI FORFN YDULDEOHV (DFK g LV RI WKH IRUP g=x≤ t|t≤x| ¬g|g∧g,ZKHUHx∈X DQGt FDOOHGterm LV HLWKHU D YDULDEOH LQX RU D OLQHDU LQWHJHU H[SUHVVLRQ ZKLFK LV DQ H[SUHVVLRQ RI WKH IRUPc+∑ⁿ_i=c_i·x_iZKHUH WKHx_iDUH LQWHJHU YDULDEOHV DQGcDQGciDUH LQWHJHU FRQVWDQWV :H XVXDOO\ ZULWHs<tIRU¬t≤s %\var(g) ZH GHQRWH WKH VHW RI DOO FORFN YDULDEOHV DSSHDULQJ LQg $ WLPHG DXWRPDWRQ LV WKHQ IRUPDOO\

GHI QHG DV IROORZV

'HI QLWLRQ $ WLPHG DXWRPDWRQA LV D WXSOHhL,l,Σ,X,I,EiZKHUH LLV D I QLWH VHW RI(control) locations l∈LLV WKH LQLWLDO ORFDWLRQ ΣLV D I QLWH VHW RI ODEHOV FDOOHGeventsRUchannels

7KH UHVWULFWLRQ WR LQWHJHUV GRHV QRW FRQVWLWXWH D ORVV RI JHQHUDOLW\ > 6HFWLRQ @

(3)

XLV D I QLWH VHW RI YDULDEOHV

I L−→G(X)DVVLJQV WR HDFK ORFDWLRQ LQLVRPH FRQVWUDLQW LQG(X) E⊂L×Σ×^X×G(X)×LUHSUHVHQWVdiscreteWUDQVLWLRQV

7KH FRQVWUDLQW DVVRFLDWHG ZLWK HDFK ORFDWLRQl∈LLV FDOOHG LWVinvariant GHQRWHGI(l) :H ODWHU UHIHU WR WKHVH LQYDULDQWV DV WKH original LQYDULDQWV 7LPH FDQ SDVV LQ D FRQWURO ORFDWLRQ l RQO\ DV ORQJ DV I(l) UHPDLQV true LH I(l) PXVW KROG ZKHQHYHU WKH FXUUHQW ORFDWLRQ LVl

7KH VHPDQWLFV RI D QRQGHWHUPLQLVWLF WLPHG DXWRPDWRQA LV GHI QHG E\ Dtransition sys- temS_A 6WDWHV RU FRQI JXUDWLRQV RIS_A DUH SDLUVhl,ui ZKHUHl∈LLV D FRQWURO ORFDWLRQ RI A DQGuLV D YDOXDWLRQ RYHUX ZKLFK VDWLVI HVI(l) LH u|=I(l) hl,uiLV DQinitialVWDWH RIS_A LIlLV WKH LQLWLDO ORFDWLRQ RIA DQG IRU DOOx∈Xu(x) =

Transitions.)RU HDFK WUDQVLWLRQ V\VWHP WKH V\VWHP VWDWH FKDQJHV E\ WZR NLQGV RI WUDQVLWLRQV

• Delay transitionsZKLFK DOORZ WLPH d∈R⁺ WR HODSVH 7KH YDOXH RI DOO FORFNV LV LQ FUHDVHG E\ d OHDGLQJ WR WKH WUDQVLWLRQ hl,ui −→ hl,u^d +di 7KLV WUDQVLWLRQ FDQ WDNH SODFH RQO\ ZKHQ WKH LQYDULDQW RI ORFDWLRQ lLV VDWLVI HG DORQJ WKH WUDQVLWLRQ LH

∀d^′≤du+d^′|=I(l)

• Discrete transitions ZKLFK HQDEOH D WUDQVLWLRQ FI 'HI QLWLRQ $ WUDQVLWLRQ τ LV enabledZKHQ WKH FXUUHQW FORFN YDOXDWLRQ VDWLVI HVG_τ :KHQτ LV H[HFXWHG DOO YDUL DEOHV H[FHSW WKRVH ZKLFK DUH UHVHW UHPDLQ XQFKDQJHG 7KLV UHVXOWV LQ WKH WUDQVLWLRQ τ=hl,ui−→ hl^a,g,r ^′,u^′iZKHUHaLV DQ HYHQWgLV D JXDUG DQGrLV D UHVHW FRQVWUDLQW

$QexecutionRI D V\VWHP LV D SRVVLEO\ LQI QLWH VHTXHQFH RI VWDWHV hl,uiZKHUH HDFK SDLU RI WZR FRQVHFXWLYH VWDWHV FRUUHVSRQGV WR HLWKHU D GLVFUHWH RU D GHOD\ WUDQVLWLRQ

,Q WKH VHTXHOτDQGdGHQRWH GLVFUHWH DQG GHOD\ WUDQVLWLRQV UHVSHFWLYHO\ :H PD\ GHQRWH D GLVFUHWH WUDQVLWLRQτDVhl,ui−→ hl^τ ^′,u^′iZKHQa,g,rGR QRW QHHG WR EH FODULI HG

&UHDWLQJ 1HZ ,QYDULDQWV E\ WKHCIPM$OJRULWKP +HUH ZH H[SODLQ EULHI \ WKHCIPM DOJRULWKP IURP >@ 7KLV DOJRUWLKP VWUHQJWKHQV WKH JLYHQ RULJLQDO LQYDULDQWV LQ HDFK FRQWURO ORFDWLRQ E\ DQDO\VLQJ WKH LQFRPLQJ GLVFUHWH WUDQVLWLRQV WR WKDW VSHFLI F FRQWURO ORFDWLRQ ,W DOVR UHGXFHV WKH VL]H RI WKH PRGHO E\ SUXQLQJ DZD\ WKRVH WUDQVLWLRQV ZKLFK FDQ QHYHU EH WUDYHUVHG 7KH LQSXW RI WKH CIPMDOJRULWKP LV D WLPHG DXWRPDWRQ A WKH RXWSXW LVA¶V SUXQHG YHUVLRQ WRJHWKHU ZLWK D VHW RI QHZ LQYDULDQWV IRUA

$ GLVFUHWH WUDQVLWLRQτhl,ui−→hl^′,u^′iLV FDOOHGidleLI LW FDQ QHYHU EH HQDEOHG $PRQJVW RWKHU UHDVRQV D WUDQVLWLRQ FDQ EH LGOH ZKHQ WKH FRQVWUDLQW RYHU WKH WUDQVLWLRQ LV XQVDWLVI DEOH RU ZKHQ WKH YDOXDWLRQ IXQFWLRQ REWDLQHG IURP WKH WUDQVLWLRQ GRHV QRW VDWLVI\ WKH LQYDULDQW RI WKH WDUJHW ORFDWLRQ ZKLFK PHDQV WKDWu^′6|=I(l^′) )RU LQVWDQFH LIτ LV WKH GLVFUHWH WUDQVLWLRQ hl,ui−→ hl^x≤y ^′,u^′i ZKHUHx>y+ LV WKH LQYDULDQW LQ ORFDWLRQ l WKHQ WKLV WUDQVLWLRQ LV LGOH VLQFH WKH FRQVWUDLQWx≤yLV QHYHU IXOI OOHG DV ORQJ DV ZH DUH LQl

$W HDFK FRQWURO ORFDWLRQ li WKH CIPM DOJRULWKP I UVW FROOHFWV WKH VHW I(li) RI DOO WKH RULJLQDO LQYDULDQWV DQG WKHQ DFFXPXODWHV DOO LWV LQFRPLQJ WUDQVLWLRQV LQⁱⁿtrans(l_i,A) 7KH LGOH WUDQVLWLRQV ZLWKLQ WKHVH VHWV DUH LGHQWLI HG DQG DUH GHOHWHG IURP WKH PRGHO

)RU HDFK QRQLGOHτ LQⁱⁿtrans(li,A) WKH DOJRULWKP QH[W FRPSXWHV DOO SURSDJDWHG FRQ VWUDLQWV LQWRl_i 6LQFHl_iPD\ DOVR KDYH VRPH RULJLQDO LQYDULDQW WKH QHZ LQYDULDQW LHI_A(l_i)

5HFDOO WKDW WKH LQWHJHU YDULDEOHV UHPDLQ XQFKDQJHG

(4)

LV WKH FRQMXQFWLRQ RI WKH RULJLQDO LQYDULDQW DQG DOO RI WKH SUHYLRXVO\ FRPSXWHG LPSRVHG FRQ VWUDLQWV RQ li &RPSXWLQJ I_A(li) PD\ UHQGHU VRPH RI WKH RXWJRLQJ WUDQVLWLRQV RI li LGOH 7KHUHIRUH WKH DOJRULWKP QH[W FKHFNV DOO RXWJRLQJ WUDQVLWLRQV RI l_i IRU LGOHQHVV DJDLQ ,W WKHQ UHPRYHV DOO WUDQVLWLRQV GHWHFWHG DV EHLQJ LGOH 7ZR WLPHG DXWRPDWD A DQG A DUH equivalent GHQRWHGA=ÚA LI WKH\ GLIIHU RQO\ LQ VRPH LGOH WUDQVLWLRQV

7KHRUHP TheCIPMalgorithm is terminating, and has the following properties as well:

• ifCIPM(A) = (A,I_A)thenA=ÚA.

• IfCIPM(A) = (A,I_A), then u|=I_A(l), for each reachable statehl,uiinS_A. In other words,I_A(l)is invariant in l.

1HWZRUNV RI 7LPHG $XWRPDWD CIPM FDQ DOVR EH XVHG WR WUHDW QHWZRUNV RI WLPHG DX WRPDWD LQ ZKLFK VHYHUDO SDUDOOHO DXWRPDWD V\QFKURQL]H ZLWK RQH DQRWKHU YLD V\QFKURQRXV PHVVDJH SDVVLQJ 7UDQVLWLRQV DVVRFLDWHG ZLWK HPLWWLQJ RU UHFHLYLQJ D PHVVDJH RI W\SHaDUH ODEHOHG ZLWK aRU "a UHVSHFWLYHO\ 7KH LQWXLWLYH VHPDQWLFV RI D V\QFKURQRXV PHVVDJH SDVV LQJ LV VXFK WKDW WKH PHVVDJH VHQGLQJ DQG WKH PHVVDJH UHFHLYLQJ SULPLWLYHV DUH EORFNLQJ DQG H[HFXWHG LQ D UHQGH]YRXV PDQQHU

)RUPDOO\ WKH VHPDQWLFV RI WKLV NLQG RI V\QFKURQL]DWLRQ LV GHI QHG DV IROORZV /HWA= hL,Ā lĀ,Σ,X,I,Ei EH D SDUDOOHO FRPSRVLWLRQ RI n WLPHG DXWRPDWD A, . . . ,A_n GHQRWHG E\

A =Ak. . .kA_n ZKHUH A_i =hL_i,l_i,Σi,X_i,I_i,E_ii IRU HDFK ≤i≤n DQG IRU HDFK WZR QRQHTXDO iDQG j X_i∩X_j = )RUAZH KDYHX =^S_≤i≤nX_i Σ=^S_≤i≤nΣi DQGI(l) =Ā V≤i≤nI(l_i)IRU Āl= (l, . . . ,l_n) 7KH LQLWLDO ORFDWLRQ LV GHQRWHG E\ Āl= (l, . . . ,l_n) $ VWDWH RI WKH QHWZRUN LV D FRQI JXUDWLRQhl,uiĀ ZKHUHhli,uiiLV D FRQI JXUDWLRQ LQA_i DQGu(x) =ui(x) IRU HDFK x∈X_i DQG ≤i≤n Āl[l_i/l_i^′] GHQRWHV WKH UHSODFHPHQW RI l_i E\ l_i^′ LQ Āl ZKLFK LV l[lĀ_i/l_i^′] = (l, . . . ,l_i−,l_i^′,l_i+, . . . ,l_n) 7KH WUDQVLWLRQV DUH GHI QHG E\

• Delay transitions: )RUd∈R⁺ hl,uiĀ −→ h^d l,uĀ +di LV D GHOD\ WUDQVLWLRQ LI ∀d^′≤d ui+d^′|=I(li)

• Discrete transitions: ,Ihl_i,u_ii−→ hl^a,g,r _i^′,u^′_iiWKHQτ=hl,uiĀ −→ h^a,g,r l[lĀ_i/l_i^′],u^′iLV D GLVFUHWH WUDQVLWLRQ LQ WKH QHWZRUN PRGHO LIu^′(x)=u^′_i(x)IRUx∈X_iDQGu^′(x)=u(x)IRUx∈/Xi

• Synchronization transitions: ,I hl_i,u_ii^a,g,r−→ hl_i^′,u^′_ii DQGhl_j,u_ji^"a,g,r−→ hl^′_j,u^′_jiWKHQ τ = hl,ui−→hĀ l[lĀ_i/l_i^′,l_j/l^′_j],u^′iLV D GLVFUHWH WUDQVLWLRQ LQ WKH QHWZRUN PRGHO LIu^′(x) =u^′_k(x) IRUk∈ {i,j}DQGx∈Xk DQGu^′(x) =u(x)IRUx∈/Xk

:H I UVW UXQ WKHCIPMDOJRULWKP RYHU HDFK DXWRPDWRQ LQGLYLGXDOO\ :H WKHQ FRPSRVH WKH SUXQHG DXWRPDWD WR REWDLQ D SUXQHG QHWZRUN &RQMXQFWLQJ WKH QHZO\ JHQHUDWHG LQYDUL DQWV ZLWKLQ WKH LQGLYLGXDO DXWRPDWD \LHOGV QHZ LQYDULDQWV IRU WKH QHWZRUN

7KHRUHP AssumeA =Ak. . .kA_nis a network of timed automata whereCIPM(A_i) = (A^′

i,I_A^′

i) for each ≤i≤n, and A^′ =A^′k. . .kA^′

n. Then we will have A=ÚA^′ and V≤i≤nI_A^′

i(li)is invariant inlĀ= (l, . . . ,ln).

([DPSOHV

([DPSOH )LJXUHV DQG VKRZ DQ H[DPSOH RI D WLPHG DXWRPDWRQA LQ > @ DOVR WKH RXWFRPH RI DSSO\LQJCIPMRQ LW

(5)

x=

y≤

y<x l

l

l y>x

x=

y=

y<x

)LJXUH ([DPSOH IURP >@

x=

x≤y

l l

x= y>x y=

l y≤

y<x

)LJXUH $IWHU DSSO\LQJCIPM

([DPSOH 7KH H[DPSOH GHSLFWHG LQ )LJXUH LQFOXGHV V\QFKURQL]DWLRQ 5XQQLQJ WKHCIPM DOJRULWKP RQA ZRXOG UHVXOW LQ WKH DXWRPDWRQA GHSLFWHG LQ )LJXUH 7KH DOJRULWKP ZRXOG QRW FKDQJHB +RZHYHU WKH SDUDOOHO FRPSRVLWLRQ RIADQGBZRXOG OHDG WR WKH SDUDOOHO DXWRPDWD LQ )LJXUH 7KLV LV EHFDXVH E\ 7KHRUHP AkB=AÚ kBDQG DFFRUGLQJ WR WKH GHI QLWLRQ RI V\QFKURQL]DWLRQ WUDQVLWLRQVAkB=AÚ kB $V WKH I JXUH GHSLFWV DQ\

FRQI JXUDWLRQ RI WKH IRUPh(li,sj),uiIRUi= RU j= LV XQUHDFKDEOH LQAkB 7KHUHIRUH DFFRUGLQJ WR 7KHRUHP DQ\ VXFK FRQI JXUDWLRQ LV DOVR XQUHDFKDEOH LQAkB

x=

B

"A

"B A

x<y

x<y+

y=

x=

y<x l

l l

A x=

l l

B s s x<

y=

)LJXUH 3DUDOOHO FRPSRVLWLRQ

x=

s x<y

y=

x≤y x=

y<x l

l

A

l l

l

B s

x=

y= x<

x≤y

x≥y+

)LJXUH $IWHU DSSO\LQJCIPM

3UHGLFDWH $EVWUDFWLRQ 1HZ 5HVXOWV DQG WKH 2QJRLQJ :RUN

,Q WKLV VHFWLRQ ZH LQWURGXFH D PHWKRG IRU XVLQJ WKH LQYDULDQWV JHQHUDWHG E\CIPMLQ RU GHU WR EXLOG DQ RYHUDSSUR[LPDWLQJpredicate abstraction RI WKH RULJLQDO WLPHG DXWRPDWRQ :H FRQVLGHU WKH DEVWUDFW VWDWHV QRW DV %RROHDQ YHFWRUV RYHU WKH GHVLJQDWHG VHW RI DEVWUDF WLRQ SUHGLFDWHV EXW UDWKHU DVpairsRI FRQWURO ORFDWLRQV DQG FRQMXQFWHG SRVLWLYH RU QHJDWLYH SUHGLFDWHV ,Q WKH VHTXHO ZH ZLOO H[SODLQ WKLV LQ PRUH GHWDLO

$cube qRYHUP={p, ...,pn} FDOOHG DmintermLQ >@ LV D FRQMXQFWLRQ^V_≤i≤np×iRYHU WKH HOHPHQWV RIPDQG WKHLU QHJDWLRQV LH HDFK ×piLV HTXLYDOHQW WR HLWKHUpiRU LWV QHJDWLRQ Āpi )RU H[DPSOHx<∧y>∧z= LV D FXEH RYHU{x≥,y≤,z=}cube(P)GHQRWHV WKH VHW RI DOO FXEHV RYHUP ,Q WKH VHTXHO ZH DVVXPH WKDWCIPM(A) = (A,I_A)IRU D UHDO WLPH PRGHOA DQG RXU LQWHQWLRQ LV WR H[SODLQ KRZ WR JHQHUDWH D SUHGLFDWH DEVWUDFWLRQ IRUA :LWKRXW ORVV RI JHQHUDOLW\ LQ WKH UHPDLQGHU RI WKH SDSHU ZH XVHI_A(l_i)IRUatom(I_A(l_i))

(6)

6WDWHV RIabst_A 7KH VHWI =^S_≤i<kAkI_A(l_i) LV D FROOHFWLRQ RI DOO LQYDULDQWV I_A(l_i) 2XU SUHGLFDWH DEVWUDFWLRQ RYHU(A,I_A) GHQRWHG abst_A LV D I QLWH VWDWH DXWRPDWRQ ZKHUH VWDWHV DUH SDLUV OLNH(l_i,^V_p∈I_A(li)p∧^V_p∈I\I_A(li)p)× IRU ≤i<kAk

6SXULRXV FRXQWHUH[DPSOHV ZKHQ VHDUFKLQJ LQ WKH DEVWUDFW VWDWH VSDFH DUH RIWHQ GXH WR LQYDULDQW YLRODWLRQV LQ WKH FRQFUHWH PRGHO ,Q RUGHU WR UHGXFH WKH ULVN RI JHQHUDWLQJ VSXUL RXV FRXQWHUH[DPSOHV ZH DVVRFLDWH ZLWK HDFK FRQWURO ORFDWLRQl_iLWV LQYDULDQW DV JHQHUDWHG E\

CIPM 7KHVH LQYDULDQWV DUH JDWKHUHG LQI_A(li) :H I UVW SDLU XS HDFK FRQWURO ORFDWLRQ WR LWV RZQ LQYDULDQW 7KHQ ZH DGG WKH UHVW RI WKH FXEHV IURPI\I_A(l_i)WR WKH SDLU 'XULQJ FRQ VWUXFWLRQ RI WKH DEVWUDFWLRQ HDFK FRQI JXUDWLRQhl_i,uiIURP WKH FRQFUHWH PRGHO LV DEVWUDFWHG WR D DEVWUDFW VWDWH LQ ZKLFKI_A(li)KROGV

/HW XV FRQVLGHU cube_i DV WKH VHW RI DOO FXEHV RYHU I\I_A(l_i) ZKLFK DUH VDWLVI DEOH LQ FRQMXQFWLRQ ZLWK WKH SUHGLFDWHV LQI_A(l_i)

cube_i={q|q∈cube(I\I_A(l_i))DQG( ^{^}

p∈I_A(li)

p)∧qLV VDWLVI DEOH}.

)RU HDFKq∈cube_iZH GHQRWH E\[li,q]WKH DEVWUDFW VWDWH(li,(^V_p∈I_A(li)p)∧q)[li,q]DEVWUDFWV DOO FRQI JXUDWLRQVhl_i,u_iiLQ WKH FRQFUHWH PRGHOA ZKRVH YDOXDWLRQu_iVDWLVI HVq LHu_i|=q ([DPSOH /HW XV FRQWLQXH ZLWK WKH I UVW H[DPSOH )LJXUH $FFRUGLQJ WR WKH H[DPSOH ZH KDYH I_A(l) = {y ≤} I_A(l) = {x≤ y} I_A(l) = {y <x} DQG KHQFH I = S≤i<kAkI_A(l_i) ={y≤,x≤y,y<x} :H XVH p_i WR GHQRWH WKH LQYDULDQW FRUUHVSRQG LQJ WR WKH ORFDWLRQ li WKHUHIRUH cube(I\I_A(l)) ={p∧p,pĀ∧p,p∧pĀ,pĀ∧pĀ} cube(I\I_A(l)) ={p∧p,pĀ∧p,p∧pĀ,pĀ∧pĀ}cube(I\I_A(l)) ={p∧p,pĀ∧ p,p∧pĀ,pĀ∧pĀ}6RPH RI WKHVH FRPELQDWLRQV DUH XQVDWLVI DEOH IRU LQVWDQFH p∧p $I WHU UHPRYLQJ VXFK FRPELQDWLRQV DQG HOLPLQDWLQJ WKH ¶∧¶ V\PERO IRU VLPSOLFLW\ ZH REWDLQ cube={pĀp,ppĀ}cube={ppĀ,pĀpĀ} DQGcube={ppĀ,pĀpĀ} $V LOOXVWUDWHG LQ )LJXUH WKHVH WKUHH VHWV EXLOG DQ DEVWUDFW PRGHOabst_A ZKLFK FRQVLVWV RI VL[ VWDWHV IRU H[

DPSOH OLNH(l,pppĀ)(l,pppĀ) $V ZH VKDOO VHH ODWHU RQ WKH GDVKHG OLQH LQ WKLV I JXUH LGHQWLI HV XQUHDFKDEOH VWDWHV

7UDQVLWLRQV RIabst_A Inabst_A we execute a transition from a state[l_i,q]to a state[l_j,q^′] only when one of the following conditions holds in the concrete modelA:

• there are two valuations u_iand u_jand a non-idle transition hl_i,u_ii−→ hl^τ _j,u_jiwhere u_i|=q and u_j|=q^′, or

• lj is identical to li, and there is a delay transition hli,uii−→ hl^d i,ui+di for some valuation u_isuch that u_i|=q and u_i+d|=q^′.

/HWnext([li,q])GHQRWH WKH VHW RI DOO VXFFHVVRU VWDWHV RI[li,q]LQabst_A WKHQ ZLWK UHVSHFW WR GHI QLWLRQ DERYH

next([li,q])={[lj,q^′]| ∃τ RUd hli,uii−→ hl^τ^/d j,ujiVXFK WKDW ui|= ( ^{^}

p∈I_A(li)

p)∧q DQG uj |= ( ^{^}

p∈I_A(lj)

p)∧q^′}. () 5HFDOO WKDWτLV D GLVFUHWH DQGd LV D GHOD\ WUDQVLWLRQ

6LQFHabst_A LV DQ DEVWUDFWLRQ RIA HDFK RI LWV WUDQVLWLRQV VKRXOG KDYH D FRXQWHUSDUW LQ WKH RULJLQDO PRGHO A 7KLV PHDQV WKDW ZKHQHYHU [l_j,q^′]∈next([l_i,q]) WKHUH PXVW H[LVW D

(7)

pppĀ

l ppĀpĀ l

pppĀ

ppĀp l l

pppĀ

l

ppĀpĀ l

)LJXUH 7KH VWDWHV RIabst_A

l l

l ppĀpĀ l

pppĀ

pppĀ ppĀp

)LJXUH abst_A SUHGLFDWH DEVWUDFWLRQ RIA QRQLGOH WUDQVLWLRQ IURP DW OHDVW RQH RI WKH FRUUHVSRQGLQJ FRQFUHWH VWDWHV RI[l_j,q]WR WKDW RI [lj,q]^′) 6XFK D WUDQVLWLRQ QHHGV WR VDWLVI\ DOO WKH LQYDULDQWV RI WKH VRXUFH ORFDWLRQ DQG DOVR DOO WKH LQYDULDQWV RI WKH WDUJHW ORFDWLRQ $OVR LI WKHUH LV D UHVHW IRU VRPH YDULDEOH WKH QHZ YDOXH RI WKH UHVSHFWLYH YDULDEOH VKRXOG VDWLVI\ WKH LQYDULDQW RI WKH WDUJHW ORFDWLRQ

/HPPD Assume thatabst_A is an abstraction ofA with respect to some set of predi- cates P. There is a transition from[li,q]to[lj,q^′]inabst_A, i.e. [lj,q^′]∈next([li,q]), if and only if one of the conditions below holds:

1. there are two clock valuations u_iand u_j, and a non-idle transitionτhl_i,u_ii−→hl_j,u_ji in the concrete model such that:

(a) u_i|=q and u_j|=q^′.

(b) ifG_τ6=thenG_τ∧q is satisfiable, (c) ifG_τ_/R

τ 6=thenG_τ_/R

τ∧q^′is satisfiable, (d) ifR_τ 6=thenatom(R_τ)∧q^′is satisfiable,

(e) for all variables x∈/var(R_τ)∪var(G_τ), u_i(x) =u_j(x).

2. li=lj and∃d,ui hli,uii−→hli,ui+diwhere ui|=q and ui+d|=q^′.

7KH QH[W WKHRUHP VKRZV WKDW LQ RUGHU WR HVWDEOLVK D SUHGLFDWH DEVWUDFWLRQ IRU WKH RULJLQDO FRQFUHWH PRGHOALW LV HQRXJK WR GR VR IRU WKH SUXQHG HTXLYDOHQW YHUVLRQ REWDLQHG IURP DQ DSSOLFDWLRQ RI WKHCIPMDOJRULWKP

7KHRUHP IfCIPM(A) = (A,I_A), thenabst_A=Úabst_A

.

7KH FXEH pppĀ KDV FDXVHG WZR GLIIHUHQW DEVWUDFW VWDWHV LQ )LJXUH 7KLV LV EHFDXVH p DQG pDUH LQYDULDQWV RIlDQGl UHVSHFWO\ DQG WKHUHIRUH FRXSOHG ZLWK WKHP LQ WKH DEVWUDFW PRGHO 7KH GDVKHG OLQH LQ WKLV I JXUH GHSLFWV WKH VHW RI XQUHDFKDEOH DEVWUDFW VWDWHV RI WKH I UVW H[DPSOH 7KHVH VWDWHV DUH XQUHDFKDEOH VLQFH WKH\ FRUUHVSRQG WR VRPH XQUHDFKDEOH FRQFUHWH VWDWHV LQ A FI /HPPD 8VLQJ /HPPD WR FRPSXWH WKH WUDQVLWLRQV LQ WKH DEVWUDFW PRGHO RQH ZRXOG REWDLQ )LJXUH DV WKH LQLWLDO SUHGLFDWH DEVWUDFWLRQ RI A )RU LQVWDQFH IURP (l,ppĀp) WKHUH LV D WUDQVLWLRQ WR (l,pppĀ) EHFDXVH WKH WUDQVLWLRQ hl,ui−→ hl^x= ,u^′iIXOOI OV /HPPD

,Q WKH IROORZLQJ ZH JLYH D VLPSOH VXFFLQFWQHVV DQDO\VLV RI RXU DSSURDFK (DFK WLPHG DXWRPDWRQ KDV D I QLWH QXPEHU RI FRQWURO ORFDWLRQV kAk :H DVVRFLDWH ZLWK HDFK ORFD WLRQ li DW PRVW kcube_ik DEVWUDFW VWDWHV 7KLV ZD\ WKH QXPEHU RI WKH DEVWUDFW VWDWHV LV DW PRVWΣ_≤i<kAkkcube_ik LQ WKH ZRUVW FDVH ,Q WKH H[DPSOH GHSLFWHG LQ )LJXUH WKLV QXP EHU LV ++= %\ SUXQLQJ WKH RULJLQDO PRGHO XVLQJ CIPMDQG DOVR ZLWK UHVSHFW WR

(8)

/HPPD WKLV QXPEHU UHGXFHV WR DEVWUDFW VWDWHV VHH )LJXUH :LWK QHLWKHU GHWHFWLQJ WKH LGOH WUDQVLWLRQV QRU SDLULQJ WKH FRQWURO ORFDWLRQV ZLWK WKHLU LQYDULDQWV LQ WKH DEVWUDFWLRQ IDFHW RQH ZRXOG KDYH JRWWHQ ×= DEVWUDFW VWDWHV ZKHUH LV WKH QXPEHU RI GLVWLQJXLVKHG VDWLVI DEOH FXEHV DQG LV WKH QXPEHU RI FRQWURO ORFDWLRQV 7KLV QXPEHU ZRXOG KDYH HYHQ UDLVHG WR ×= DEVWUDFW VWDWHV LI QR VDWLVI DELOLW\ FKHFN RQ WKH FXEHV ZDV GRQH

5HIHUHQFHV

>@ 5 $OXU DQG '/ 'LOO $ WKHRU\ RI WLPHG DXWRPDWDTheoretical Computer Science

>@ % %DGEDQ 6 /HXH DQG -* 6PDXV $XWRPDWHG ,QYDULDQW *HQHUDWLRQ IRU WKH 9HULI FDWLRQ RI 5HDO7LPH 6\VWHPV :,1*

>@ 7 %DOO $ 3RGHOVNL DQG 6. 5DMDPDQL 5HODWLYH &RPSOHWHQHVV RI $EVWUDFWLRQ 5HI QHPHQW IRU 6RIWZDUH 0RGHO &KHFNLQJ ,QProc. TACAS

>@ % %HUDUG 0 %LGRLW $ )LQNHO ) /DURXVVLQLH $ 3HWLW / 3HWUXFFL DQG 3K 6FKQRHEHOHQ Systems and Software Verification: Model-Checking Techniques and Tools

>@ ( &ODUNH 2 *UXPEHUJ 6 -KD < /X DQG + 9HLWK &RXQWHUH[DPSOHJXLGHG DEVWUDFWLRQ UHI QHPHQW ,QProc. CAV

>@ 0 &RORQ DQG 7( 8ULEH *HQHUDWLQJ )LQLWH6WDWH $EVWUDFWLRQV RI 5HDFWLYH 6\VWHPV 8VLQJ 'HFLVLRQ 3URFHGXUHV ,QProc. CAV

>@ 6 'DV DQG '/ 'LOO &RXQWHUH[DPSOH EDVHG SUHGLFDWH GLVFRYHU\ LQ SUHGLFDWH DEVWUDFWLRQ ,Q Proc. FMCAD

>@ 6 *UDI DQG + 6DÕGL &RQVWUXFWLRQ RI DEVWUDFW VWDWH JUDSKV ZLWK 396 ,QCAV

>@ 7$ +HQ]LQJHU 5 -KDOD 5 0DMXPGDU DQG ./ 0F0LOODQ $EVWUDFWLRQV IURP SURRIV ,QPro.

POPL

>@ 5 -KDOD DQG . / 0F0LOODQ ,QWHUSRODQWEDVHG WUDQVLWLRQ UHODWLRQ DSSUR[LPDWLRQ ,Q Proc.

CAV

>@ 6. /DKLUL 7 %DOO DQG % &RRN 3UHGLFDWH $EVWUDFWLRQ YLD 6\PEROLF 'HFLVLRQ 3URFHGXUHV Logical Methods in Computer Science

>@ 6. /DKLUL 5 1LHXZHQKXLV DQG $ 2OLYHUDV 607 7HFKQLTXHV IRU )DVW 3UHGLFDWH $EVWUDFWLRQ ,QProc. CAV

>@ ./ 0F0LOODQ /D]\ $EVWUDFWLRQ ZLWK ,QWHUSRODQWV ,QCAV

>@ ./ 0F0LOODQ DQG 1 $POD $XWRPDWLF $EVWUDFWLRQ ZLWKRXW &RXQWHUH[DPSOHV ,QTACAS’03

>@ 02 0ROOHU + 5XH DQG 0 6RUHD 3UHGLFDWH $EVWUDFWLRQ IRU 'HQVH 5HDO7LPH 6\VWHP ENTCS

>@ 0DULD 6RUHD /D]\ $SSUR[LPDWLRQ IRU 'HQVH 5HDO7LPH 6\VWHPV ,Q Proc. of FORMATS- FTRTFT /1&6

,Q WKH JLYHQ H[DPSOHpLV HTXLYDOHQW WR Āp