10.2 True Concurrency Semantics 309
The main part of the semantics is the interpretation of behaviour expressions. Thus, in the rest of this section we assume that B⟦B1⟧(d) = Ψ1 = (ε1, A1, R1) with ε1 = (E1, #1, →1, l1), and that B⟦B2⟧(d) has a corresponding format. Furthermore, for B1 and B2 we assume that E1 ∩ E2 = ∅; in case of name clashes, renaming can be used to obtain this property.
10.2.3.1 Inaction, Successful Termination and Action Prefix
These are defined as follows.
With regard to a I ; B1, a bundle is added from a new event e (labelled a) to events in Ψ1 that are either initial (e will now causally precede these events) or time-restricted. For all such initial and time-restricted events, e' say, the delay is now relative to e, so a time delay A1(e') is associated with each bundle {e} → e', and A(e') becomes R+0, i.e. e' becomes time-unrestricted. In addition, I becomes the timing of e.
It is sufficient in the untimed case to introduce only bundles from e to the initial events of Ψ1; cf. Section 4.2. However, in the timed case, new bundles to time-restricted events of Ψ1 are used to make delays relative to e. Notice that the above construction applies to both observable and internal events.
As an example, Figure 10.6(b) provides the semantics of x [5, 6] ; P, where the semantics of P is given as Figure 10.6(a). The following behaviour would yield an event structure consistent with Figure 10.6(a):
P := ( ( y (2) ; z (8) ; ( w (2) ; stop ||| exit (18) ) )
      |[w]| w [8, 25] ; stop )
     ||| i [12, 14] ; v ; stop
310 10 Semantic Models for tLOTOS
[Figure 10.6: (a) the event structure of P; (b) the event structure of x [5, 6] ; P. The drawing is not reproduced here.]
Fig. 10.6. Semantics of Action Prefix
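The action-prefix construction just described, as an added example that is not from the book: a minimal timed bundle event structure in Python with the operator a I ; B1, run on my own reading of the structure of P in Figure 10.6(a) (the hand-built structure, the interval encoding and all function names are assumptions).

```python
# Added example (not from the book): the TBES action-prefix construction
# a I ; B1 described above, applied to a hand-built version of the event
# structure of Figure 10.6(a).  The structure of P below is my own reading of
# the tLOTOS expression for P, not a reproduction of the book's figure.
from dataclasses import dataclass, field

# A time set is a closed interval (lo, hi); hi = None stands for +infinity,
# so UNRESTRICTED is R+0, the timing of a time-unrestricted event.
UNRESTRICTED = (0.0, None)


@dataclass
class TBES:
    """Timed bundle event structure (E, #, ->, l, A, R)."""
    events: set                                    # E
    conflicts: set = field(default_factory=set)    # conflict relation: frozenset pairs
    bundles: dict = field(default_factory=dict)    # (frozenset X, e) -> delay R(X -> e)
    label: dict = field(default_factory=dict)      # l: event -> action name
    timing: dict = field(default_factory=dict)     # A: event -> interval (R+0 if absent)

    def initial(self):
        """Events that no bundle points at."""
        targets = {e for (_, e) in self.bundles}
        return {e for e in self.events if e not in targets}

    def time_restricted(self):
        """Events whose timing is not the whole of R+0."""
        return {e for e in self.events
                if self.timing.get(e, UNRESTRICTED) != UNRESTRICTED}


def action_prefix(new_event, action, interval, psi):
    """a I ; B1: a fresh event (labelled a, timing I) gets a bundle {a} -> e'
    to every initial or time-restricted event e' of psi; the bundle carries the
    old timing A1(e') as its delay and e' itself becomes time-unrestricted."""
    assert new_event not in psi.events, "fresh event names are required"
    out = TBES(set(psi.events) | {new_event}, set(psi.conflicts),
               dict(psi.bundles), dict(psi.label), dict(psi.timing))
    out.label[new_event] = action
    out.timing[new_event] = interval
    for e in psi.initial() | psi.time_restricted():
        out.bundles[(frozenset({new_event}), e)] = psi.timing.get(e, UNRESTRICTED)
        out.timing[e] = UNRESTRICTED      # the delay is now relative to new_event
    return out


def figure_10_6a():
    """My reading (an assumption) of Figure 10.6(a), i.e. of
    P := ((y(2); z(8); (w(2); stop ||| exit(18))) |[w]| w[8,25]; stop) ||| i[12,14]; v; stop
    y(2) and i[12,14] are initial and time-restricted; w keeps [8,25] from the
    synchronisation but is preceded by z, so it is time-restricted only; z, exit
    and v are reached through bundle delays and are time-unrestricted."""
    psi = TBES(events={"y", "z", "w", "exit", "i", "v"})
    psi.label = {"y": "y", "z": "z", "w": "w", "exit": "delta", "i": "i", "v": "v"}
    psi.timing = {"y": (2.0, 2.0), "i": (12.0, 14.0), "w": (8.0, 25.0)}
    psi.bundles = {
        (frozenset({"y"}), "z"): (8.0, 8.0),
        (frozenset({"z"}), "w"): (2.0, 2.0),
        (frozenset({"z"}), "exit"): (18.0, 18.0),
        (frozenset({"i"}), "v"): UNRESTRICTED,
    }
    return psi


def figure_10_6b():
    """x [5, 6] ; P: x precedes y, i and w, and y, i and w lose their own timing."""
    return action_prefix("x", "x", (5.0, 6.0), figure_10_6a())
```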
10.2.3.2 Delay, Hiding and Relabelling
The semantics for these constructs are as follows.
B⟦wait [d] B1⟧(d) = (E1, #1, →1, l1, ((+d) ∘ A1), R1)
B⟦hide G in B1⟧(d) = (E1, #1, →1, l, A1, R1) where
    (l1(e) ∈ G ⟹ l(e) = i) ∧ (l1(e) ∉ G ⟹ l(e) = l1(e))
B⟦B1[H]⟧(d) = (E1, #1, →1, (H ∘ l1), A1, R1)
Semantically, wait [d] B1 is identical to B⟦B1⟧(d), but with event delays incremented by d (∘ denotes function composition; i.e. f ∘ g (x) = f(g(x))). Bundle delays express relative delays between events, and, thus, are unaffected. B⟦hide G in B1⟧(d) simply takes B⟦B1⟧(d) and turns events with labels in G into internal events. B⟦B1[H]⟧(d) is identical to B⟦B1⟧(d), but with events relabelled according to H.
As an example of these denotational semantics, consider the timed bundle event structure depicted in Figure 10.7(a). After the hiding of actions y and v, the event structure of Figure 10.7(b) results.
R = R1 ∪ R2 ∪ { ((exit(Ψ1), e), A2(e)) | e ∈ rin(Ψ2) }
Thus, the event set of B⟦B1 >> B2⟧(d) is the union of those for B⟦B1⟧(d) and for B⟦B2⟧(d). Component conflicts are inherited, with the addition of conflicts between nonidentical successful termination events of B⟦B1⟧(d) (the identity relation (Id) is subtracted in order to avoid generating self-conflicts). These mutual conflicts between successful termination events ensure that newly introduced bundles really are bundles, i.e. have mutually in conflict enabling sets. These new bundles are introduced from the successful termination events of B⟦B1⟧(d) to the initial and time-restricted events of B⟦B2⟧(d). Bundles to the initial events of B⟦B2⟧(d) reflect that B2 can only start if B⟦B1⟧(d) has successfully terminated. In a similar way as with action prefix, new bundles to time-restricted events of B⟦B2⟧(d) are required to enforce that event delays become relative to the termination of B⟦B1⟧(d). Finally, in standard fashion, successful termination events of B⟦B1⟧(d) are relabelled
The exact reason why B⟦Q⟧(d) generates the enabled structure, shown to the left of the equals sign in Figure 10.8, becomes clear when we discuss the semantics of parallel composition. However, for the moment, the main point to note is how the enabling event structure is appended on the front of the enabled event structure. Notice also that e_z is an initial event of B⟦Q⟧(d), whereas e_w is a time-restricted event of B⟦Q⟧(d).
Firstly, the events of B⟦B1 |[G]| B2⟧(d) comprise events arising through the pairing of (i) the symbol ∗ with events of B⟦B1⟧(d) or B⟦B2⟧(d) that do not need to synchronise (E1^f and E2^f, respectively), and (ii) events labelled with actions in G ∪ {δ} with identically labelled events in the other process (as determined by E1^s and E2^s). Thus, parallel composition events are non-synchronising component events paired with ∗, and synchronising events of B⟦B1⟧(d) and B⟦B2⟧(d) paired with each other. E_k^s and E_k^f (for k ∈ {1, 2}) were defined in Section 4.4.
Events are put in conflict if (i) any of their components are in conflict or (ii) distinct events have a common proper component (i.e. other than ∗). The latter case arises if a number of events in one process synchronise with the same event in the other process.
With regard to causality, bundles in the parallel composition are such that, if a projection on B1 (or B2) of all events in the bundle is taken, a bundle in B⟦B1⟧(d) (or B⟦B2⟧(d)), respectively, results. Labelling is straightforward. The new clauses are the last two, which were originally highlighted by Katoen [107]. Firstly, the event timing function is the intersection of component event timings, with ∗ events yielding null timing constraints. Secondly, bundle timings are defined to be the intersection of the time sets associated with the bundles obtained by projecting on the events of B1 (or B2), subject to the requirement that this projection yields a bundle in B⟦B1⟧(d) (or B⟦B2⟧(d)), respectively.
Fig. 10.9. TBES Semantics for Parallel Composition
Our first illustration of parallel composition (see Figure 10.10) highlights how events are constructed when there is no synchronisation. Note that, in contrast to earlier event structure depictions in this chapter, event labels are explicitly represented. This is required to avoid ambiguity, because here multiple events have the same label. Events are denoted e, f, g etc. and their primed versions.
The following tLOTOS behaviour could yield the event structures shown in Figure 10.10:
P ||| Q where
P := x ; z [2, 10] ; stop and
Q := ( y ; z (5) ; stop ) [] ( w ; stop )
Because no causal or conflict relationships cross component event structures, the parallel composition yields two disconnected and, thus, independently evolving, event structures.
The example shows how bundles can result from synchronisation. In particular, because two in conflict events (e and f), both labelled x, in the left component event structure are synchronised with a single event (e') labelled x in the right-hand component, a single bundle is generated, of the form {(e, e'), (f, e')} → (∗, g'). In addition, this example demonstrates how event timings are intersected during parallel composition. For example, A_(S |[x]| T)((f, e')) = A_S(f) ∩ A_T(e').
B⟦P⟧(d) for P := B is defined using standard fixed point theory. A complete partial order is defined (see [46]) on timed bundle event structures with the empty event structure (i.e. B⟦stop⟧(d)) as the least element, denoted ⊥. Then, for each definition P := B, a function F_B is defined that substitutes a timed bundle event structure for each occurrence of P in B, interpreting all operators in B as operators on timed bundle event structures. (Due to the compositionality of our semantics this approach is feasible.)
F_B is shown to be continuous with respect to ⊑, which means that B⟦P⟧(d) can be defined as the least upper bound of the chain (under ⊑)
⊥, F_B(⊥), F_B(F_B(⊥)), ...
Such a chain reflects the unfolding of a recursive process definition, with the nth unfolding of the process definition being larger, in the sense of ⊑, than the n−1 previous unfoldings. Furthermore, [46] gives
(P := B) ∈ d and
F_B^j(⊥) = F_B(F_B( ... F_B(⊥) ... ))
with j repetitions of F_B on the right-hand side.
However, this belies a good deal of theoretical complexity, which is required in order to support this statement. This complexity is focused on the derivation of a suitable fixed point theory to handle recursive process definitions. As was the case for the other denotational semantics we have considered, the trace semantics of Chapter 3 and the (untimed) bundle event structure semantics of Chapter 4, it is beyond the scope of this book to present the necessary fixed point theory in full detail. However, the required semantic constructions are very closely related to those presented in [107], have similarities to those given in [32] and are presented in detail in [46]. To give an informal perspective on this theory, the mathematical constructions in [46] ensure that the above definition characterises the (unique) least timed bundle event structure, according to a complete partial order, denoted ⊑, that satisfies Ψ = F_B(Ψ).
[Figure 10.13: drawing not reproduced here; the only legible label in the extracted figure is the interval [2, 4].]
Fig. 10.13. Example Fixed Point Approximations
Figure 10.14 presents the true concurrency model resulting from this behaviour. The triangle informally denotes further recursive unfolding of the event structure. We have not included the interleaved interpretation, because the parallel interleaving of time and action transitions makes it too complicated to draw. In fact, even without showing time transitions, the labelled transition system is highly complex. This example illustrates one of the major benefits of the true concurrency approach: avoidance of state-space explosion.
10.2.4 Anomalous Behaviour
As noted in [47], some situations of degenerate behaviour that arise when tLOTOS is given an operational semantics (see Section 9.4) do not arise in the true concurrency setting. In particular, the direct link between unguarded recursion and timelocks is lost when event structure semantics are considered. In addition, zeno processes can be given a natural interpretation in a rather straightforward way. We discuss these issues in this section.
Consider, for example, the unguarded recursion introduced in Section 9.4,
unguarded := ( x [2, 6] ; stop ) ||| unguarded
The interleaving semantics of tLOTOS generates a timelock for this behaviour. In contrast, the timed bundle event structure semantics for an instantiation of unguarded,
does not timelock. This event structure allows (amongst others) a trace of infinite length consisting of events all labelled with x that occur in the interval [2, 6]. For unguarded ||| ( i (t) ; success ; stop ) and arbitrary t (t ≠ ∞), the occurrence of success is not prevented: an event labelled i followed by an event labelled success can happen after any finite sequence of xs.
Notice the difference with the process,
unguarded' := hide x in unguarded
which leads to the timed bundle event structure,
Now, unguarded' ||| ( i (t) ; success ; stop ) only permits success to happen if t ≤ 6. For t > 6 there exist an infinite number of urgent events that should occur before the right-hand side i.
Unguarded recursion is the only one of the anomalous behaviours considered in Section 9.4 that behaves fundamentally differently in the true concurrency setting. However, timed bundle event structures yield compact representations for instant recursion and zeno behaviour. For example, an instant recursion, such as
R := x (0) ; R
which we discussed in Section 9.4, will give rise to the timed bundle event structure:
This structure can perform infinitely many events labelled x without passing time; however, again, nothing forces the non-time-passing run, thus, this is not a timelock.
A zeno process, such as
zeno := zzeno(1)
zzeno(k : nat) := x ; wait [2^(−k)] zzeno(k+1)
which was introduced in Section 9.4, yields the timed noninterleaving semantics,
The infinite sequence (e1, t1)(e2, t2) … is a timed proving sequence of this timed bundle event structure if t_{j+1} ≥ t_j + 2^(−j) for all j ≥ 1. In particular, for t1 = 0 and t_{j+1} = t_j + 2^(−j) we obtain a proving sequence in which infinitely many events happen before time 1. However, zeno does not stop time.
322 11 Timed Communicating Automata
Here we describe a simple model that nevertheless suffices to explain the concepts underlying timed automata frameworks. This model basically corresponds to that of Safety Timed Automata [91], but communication between automata follows a CCS-style [148] binary synchronisation. In this sense, the model can be seen as a timed extension of finite state communicating automata (Chapter 8). Furthermore, the reader will find that many results and discussions offered in this chapter particularly apply to Uppaal, and in many cases are also based on Uppaal developments in recent years.
A timed automaton is a finite automaton (i.e. a set of locations and transitions) extended with clocks, which allows for the representation of quantitative timed behaviour. For example, timed automata can describe that a system cannot remain for more than five time units in a given state, or that two actions cannot be executed more than three time units apart. Clocks are variables in R+0 which increment synchronously, thus representing the passage of time. Time can only pass in locations; transitions are considered instantaneous. Transitions are annotated with guards; these are clock constraints which determine when the transition is enabled. Transitions may also include a reset set, which corresponds to a set of clocks whose values are set to zero when the transition is performed.
1 http://www.uppaal.com
2 Uppaal's channels play a similar role to half actions in process calculi.
Timed automata are a natural extension of communicating automata (Chapter 8) to model real-time systems. Complex systems can be represented as a network of timed automata executing in parallel. Concurrency is modelled by interleaving, and communication is synchronous, where synchronisation between components is modelled through half actions. The semantics of the network correspond to those of the product automaton (which results from parallel composition). At any given time, either (a) a completed action is performed, in some component automaton; or (b) two synchronising half actions are performed simultaneously, yielding a completed action; or (c) some time passes without any transition being performed.
Notice that, unlike in (untimed) communicating automata, it is not guaranteed that enabled transitions in timed automata are eventually executed. In many applications, though, it is necessary to model actions that must be executed in some time interval (provided they are enabled). In order to express this kind of situation, locations in a timed automaton can be annotated with clock constraints called invariants, with the following (informal) semantics: at any location, time progress is allowed only as long as the resulting clock valuations satisfy the corresponding invariant. In a network, time progress must satisfy the invariant of the current location in every component (i.e. the conjunction of all current invariants). Thus, when time cannot pass any longer in a given location (invariants usually express upper bounds), enabled transitions will be considered urgent and performed (if possible) without delay. This modelling of urgency gives rise to the occurrence of timelocks in timed automata specifications. For example, if some invariant prevents time from passing any further, and no transition is enabled at that point (possibly because of a mismatched synchronisation), control will remain in that location indefinitely, and (semantically) time stops. Worryingly, a timelock originating in one component will propagate globally, bringing any possible execution to a halt. This issue is discussed in detail later, in Chapter 12.
This chapter is organised as follows. The timed automata model is formally defined in Section 11.2. This includes syntax, semantics and some explanatory examples. Then, Section 11.3 elaborates on automatic verification of timed automata (real-time model-checking); symbolic states, forward reachability, and techniques adopted by Uppaal and Kronos are discussed. Throughout the chapter, the multimedia stream protocol (Section 9.3.2) is used as a running example.
11.2 Timed Automata – Formal Definitions
This section formally defines the syntax and semantics of timed automata. The model presented here has some differences with others frequently found in the literature. For example, the CCS-like synchronisation adopted in our model closely resembles that of Uppaal, but is different from the multiway synchronisation adopted by Kronos. Nevertheless, the reader will find that our timed automata model represents all the main elements of the theory, and that other models can be easily studied by taking this as a starting point.
Before we concern ourselves with formal definitions, let us first present an introductory example. Figure 11.1 shows a network composed of two timed automata, and its corresponding product automaton. Initial locations are distinguished with a double circle; the initial value for clocks is assumed to be 0. Transition a! has a guard 3 < x ≤ 5, meaning that it is enabled in the time interval (3, 5]. As we have discussed in the timed process calculus setting, this does not imply that a! must be performed at some point in that interval; in fact, an execution where the automaton remains permanently in location 1 is possible. Synchronisation between a! and a? results in transition a in the product automaton, with guards conjoined. Location 2 is assigned the invariant x ≤ 6, meaning that time is allowed to pass in that location only as long as the value of x is less than 6. If the value of x reaches 6 while in location 2, transition b becomes urgent and must be performed without delay. Notice that (immediate) interleaving with other actions is still possible: for example, even if b is urgent, transition c can be performed before b, although time would not be able to pass until b is performed. This can be seen in the product automaton, if the lowest branch (2, 5) −c→ (2, 6) −b→ (3, 6) is executed when the value of x reaches 6 in (2, 5) (at any location vector, the invariant results from conjoining the invariants of the component locations). Finally, note that x is reset in b, and so its value is zero when location 3 is entered.
[Figure 11.1: drawing not reproduced here; the reset x := 0 on transition b is the only legible label in the extracted figure.]
Fig. 11.1. A Simple Network of Timed Automata, and Its Product Automaton
3 In this, and following chapters, we depart from our process calculus notation and use a, b, etc. to denote action labels (either for completed actions or half actions), and x, y, etc. to denote clocks.
11.2.1 Syntax
Basic Sets and Notation. TA denotes the set of all timed automata. The sets CAct (completed actions), HAct (half actions), and Act (all actions) are defined as for communicating automata (Section 8.2.2.2). 𝒞 is the set of clocks, all of which take values in R+0. CC is the set of clock constraints, whose syntax is given by
φ ::= false | true | x ∼ c | x − y ∼ c | φ ∧ φ
where c ∈ N, x, y ∈ 𝒞, φ ∈ CC and ∼ ∈ {<, >, =, ≤, ≥}. Clocks(φ) is the set of clocks occurring in φ ∈ CC. Let C ⊆ 𝒞 denote the set of clocks of a given timed automaton. CC_C is the set of constraints over clocks in C. Similarly, V : 𝒞 → R+0 is the space of possible clock valuations, and V_C : C → R+0 the space of valuations restricted to clocks in C.
Given φ a clock constraint and v a valuation, we use v ⊨ φ to denote that v satisfies φ (or, equivalently, that v is in the solution set of φ). If r is a reset set, and d ∈ R+0 a delay, we define v + d to be the valuation such that (v + d)(c) = v(c) + d, for all c ∈ C. Also, we use r(v) to denote the valuation that results from v by resetting to zero all clocks in r, i.e. r(v) = v', where v'(c) = 0 whenever c ∈ r and v'(c) = v(c) otherwise.
Timed Automata. A timed automaton A ∈ TA is a tuple (L, TL, T, l0, C, I), where
• L is a finite set of locations;
• C ⊆ 𝒞 is a finite set of clocks;
• TL ⊆ Act is a finite set of transition labels;
• T ⊆ L × TL × CC_C × P(C) × L is a transition relation, where transitions (l, a, g, r, l') ∈ T are usually denoted
  l −(a,g,r)→ l'
  where a ∈ TL is the action, g ∈ CC_C is the guard and r ∈ P(C) is the reset set;
• l0 ∈ L is the initial location; and
• I : L → CC_C is a mapping which associates invariants with locations.
11.2.1.1 Example: A TA Specification for the Multimedia Stream
Let us revisit the example of the multimedia stream, introduced in Section 9.3.2 (see Figure 9.1). The Source process generates a continuous sequence of packets which are relayed by the Channel to a Sink process which displays the packets. Three basic interprocess communication actions support the flow of data (see Figure 9.3.2 again), sourceOut, sinkIn and play, which respectively transfer packets from the Source to the Channel, from the Channel to the Sink and display them at the Sink. Here we assume that the Channel is reliable; the Source transmits a packet every 50 ms; packets arrive at the Sink between 80 ms and 90 ms after their transmission (the latency of the Channel); and that whenever the Sink receives a packet, it needs 5 ms to process it, after which it is ready to receive the next packet.
Figure 11.2 shows a possible timed automata specification, where the Channel is represented by two one-place buffers, Place1 and Place2. Notice, in contrast to the tLOTOS specification in Section 9.3.2, that in timed automata we cannot (directly) specify a channel with an unbounded number of places. Nevertheless, it can be shown that two one-place buffers represent a safe implementation of an infinite-capacity channel, in the sense that synchronisation between Source and either Place1 or Place2 is always possible (in other words, a packet can always be put into the Channel).
Every component in the network includes a local clock: t1, t2, t3 and t4. The initial location in the Source, State0, is annotated with the invariant t1 = 0 to ensure that the first packet (sourceOut!) is sent immediately. The guard t1 = 50 and reset t1 := 0 enable sourceOut! in location State1, once every 50 ms. The invariant at State1, t1 ≤ 50, makes the sourceOut! urgent as soon as it is enabled. Notice that, because sourceOut! is a half action, it will only be performed if sourceOut? is enabled in either Place1 or Place2 (otherwise a timelock would occur). Now consider the model for a buffer, say Place1. At location State1, transition sourceOut? is offered to synchronise with a sourceOut! from the Source. Should this happen (notice that the Source may nondeterministically synchronise with Place2 instead), the clock t4 is reset and the automaton moves to location State2. The value of t4 represents the time elapsed since the last packet was transmitted. The invariant t4 ≤ 90, together with the guard t4 ≥ 80 enabling transition sinkIn!, effectively represent the Channel's latency: packets arrive at the Sink between 80 and 90 ms after they have been sent. The Sink synchronises with the Channel (i.e. with Place1/Place2) by offering a sinkIn? action. The action play is performed 5 ms after a packet has arrived, representing the speed at which the Sink can process and play packets.
4 This is based on a model presented in [43].
5 A report on the verification of this and other correctness properties using Uppaal can be found in [43].
[Figure 11.2: drawing not reproduced here. Legible labels in the extracted figure: the invariants t1 <= 50 (Source), t4 <= 90 and t3 <= 90 (Place1, Place2) and t2 <= 5 (Sink); the guards t4 >= 80 and t3 >= 80 on sinkIn! and t2 = 5 on play; the resets t3 := 0 on sourceOut? and t2 := 0 on sinkIn?.]
Fig. 11.2. Timed Automata Specification of the Multimedia Stream
11.2.2 Semantics
The semantics of a timed automaton, say A = (L, TL, T, l0, C, I), can be interpreted in terms of a timed transition system (S, Lab, TS, s0), which describes all possible executions of A. S denotes a set of states (also referred to as concrete states) of the form s = [l, v], where l is a location in A and v a possible valuation for its clocks. s0 = [l0, v0] is the starting state, where l0 is the initial location in A, and v0 is the initial valuation, which sets all clocks to 0. Lab = TL ∪ R+ is a set of transition labels. The transition relation TS ⊆ S × Lab × S represents the set of all possible executions of A (also called runs). For any (reachable) state, a transition denotes one possible step the current execution can take. Thus, transitions can be of one of two types: action transitions, e.g. (s, a, s'), where a ∈ Act, or time transitions, e.g. (s, d, s'), where d ∈ R+ and the passage of d time units is denoted. Transitions are denoted
s −γ→ s'
where γ ∈ Lab. We use s −γ→ to denote ∃ s'. s −γ→ s'. Usually, we refer to action transitions simply as actions.
Semantic transitions (time and action transitions, e.g. s −a→ s') are not to be confused with the syntactic transitions (or edges, e.g. l −(a,g,r)→ l') in a timed automaton graph. Indeed, transitions and locations in a timed automaton are finite. On the other hand, the TTS describing the semantics of the automaton will be, in most cases, infinite. This is due to clocks taking valuations in a dense space, R+ (a similar point was made in Section 10.1.1). In general, whenever the automaton is allowed to remain in a given location l for d ∈ R+ time units, the TTS contains infinitely many time transitions
[l, v] −d'→ [l, v + d'],
d' ∈ R+, 0 ≤ d' ≤ d. Figure 11.3 below illustrates these concepts.
7 In the presentation of TTS in Section 10.1.1 we have used −→ and ⇝ to denote, respectively, action and time transitions. Also, Section 10.1.3 introduced −→→ to denote the union of these two types of transitions. Here we use −→→ for the same purpose, but we do not use −→ and ⇝ separately, to avoid confusion with syntactic transitions (edges) in timed automata (denoted −→).
Fig. 11.3. A Timed Automaton (i) and (Part of) Its TTS (ii)
The timed automaton depicted in Figure 11.3(i) can remain in location 1 for 5 time units. Transition a can be performed at any time in [2, 5], and is urgent when v(x) = 5. Once in location 2, any amount of time can pass before transition b is executed. Moreover, and unlike in untimed communicating automata (Chapter 8), here there is no guarantee that b is ever executed: the timed automaton may remain in location 2 permanently. This results in an infinite TTS, part of which is sketched in Figure 11.3(ii). For example, the following runs are two particular instances of the timed automaton's execution:
ρ1 = [1, 0] −2→ [1, 2] −a→ [2, 0] −3.3→ [2, 3.3] −b→ [3, 3.3] ···
ρ2 = [1, 0] −3.5→ [1, 3.5] −a→ [2, 0] −7→ [2, 7] ···
where, for every state [l, v], l denotes a location in the automaton and v the current value of x in that state. The first run, ρ1, denotes a partial execution where the automaton remains in location 1 for 2 time units, takes transition a, then remains for 3.3 time units in location 2 and takes transition b. Another possible partial execution is represented by ρ2: the automaton takes a when v(x) = 3.5 and then remains in location 2 for 7 time units without performing any action.
Some other aspects of timed automata semantics are worth observing. For example, the action transition [2, 3.3] −b→ [3, 3.3] in ρ1 confirms the instantaneous nature of transitions in a timed automaton: notice that x is not incremented (which is consistent with all the models considered in this book). Similarly, [1, 2] −a→ [2, 0] illustrates the reset of x in transition a. The time transition [1, 0] −2→ [1, 2] in the same run shows that time only elapses in locations. And, as we have mentioned before, time is allowed to progress only as long as it does not invalidate the current invariant. For example, a run like ρ3 below is not possible because the invariant x ≤ 5 in location 1 would be invalidated by time-progress (equivalently, a must be performed before more than 5 time units have elapsed in location 1):
As we have mentioned, runs represent possible system executions. However, finite runs are considered valid executions only if they end in a state where no transition (either action or time passing) is enabled. Notice that here we drop the liveness hypothesis of finite state communicating automata (see our discussion in Section 8.2.4), where action transitions, if enabled, will eventually be performed. Timed automata, on the contrary, can remain at any location for as long as the invariant in that location allows. In this model, the intended (urgent) execution of actions must be indicated explicitly through invariants. Moreover, one must be precise in quantifying the intended execution time (through guards and invariants): there is no way to enforce the execution of actions at some (unspecified) point in the future.
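The TTS described above, as an added example that is not from the book: a Python interpreter for time and action transitions over a timed automaton, instantiated with my reading of Figure 11.3(i) (the invariant x ≤ 5 on location 1, the guard 2 ≤ x ≤ 5 and reset of x on a, and the absence of a guard and invariant around b are assumptions taken from the surrounding text). It replays ρ1 and ρ2 and rejects a run that stays longer than 5 time units in location 1.

```python
# Added example (not from the book): a small interpreter for the timed
# transition system (TTS) of a timed automaton, instantiated with my reading
# of Figure 11.3(i): location 1 has invariant x <= 5, edge a has guard
# 2 <= x <= 5 and resets x, location 2 has no invariant, and edge b is
# unguarded with no reset.  Runs rho1 and rho2 from the text replay; a run
# that stays longer than 5 units in location 1 (rho3) is rejected.
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple, Union

Valuation = Dict[str, float]
Constraint = Callable[[Valuation], bool]                  # v |= phi
State = Tuple[int, Valuation]                             # [l, v]
Edge = Tuple[int, str, Constraint, FrozenSet[str], int]   # (l, a, g, r, l')


def atom(x: str, op: str, c: float) -> Constraint:
    """Clock constraint x ~ c with ~ in {<, >, =, <=, >=}."""
    ops = {"<": lambda a, b: a < b, ">": lambda a, b: a > b, "=": lambda a, b: a == b,
           "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}
    return lambda v: ops[op](v[x], c)


def conj(*phis: Constraint) -> Constraint:
    return lambda v: all(phi(v) for phi in phis)


def true(v: Valuation) -> bool:
    return True


class TimedAutomaton:
    """(L, TL, T, l0, C, I); I is a dict, locations missing from it have invariant true."""

    def __init__(self, locations, clocks, edges: List[Edge], l0: int, invariants):
        self.L, self.C, self.T, self.l0, self.I = set(locations), set(clocks), edges, l0, invariants

    def initial_state(self) -> State:
        return (self.l0, {c: 0.0 for c in self.C})       # v0 sets all clocks to 0

    def delay(self, state: State, d: float) -> Optional[State]:
        """Time transition [l, v] -d-> [l, v + d].  Clock constraints are conjunctions
        of linear atoms, hence convex, so I(l) holding at v and at v + d means it
        also holds for every intermediate delay."""
        l, v = state
        if d < 0:
            raise ValueError("delays are non-negative")
        v2 = {c: t + d for c, t in v.items()}
        inv = self.I.get(l, true)
        return (l, v2) if inv(v) and inv(v2) else None

    def act(self, state: State, a: str) -> Optional[State]:
        """Action transition [l, v] -a-> [l', r(v)]: some edge (l, a, g, r, l') with
        v |= g, and the target invariant must hold after the reset."""
        l, v = state
        for (src, lab, g, r, dst) in self.T:
            if src == l and lab == a and g(v):
                v2 = {c: (0.0 if c in r else t) for c, t in v.items()}
                if self.I.get(dst, true)(v2):
                    return (dst, v2)
        return None

    def run(self, steps: List[Union[float, str]]) -> Optional[List[State]]:
        """Replay labels from s0 (numbers are delays, strings are actions).  Returns
        the visited states, or None as soon as a step is not enabled."""
        state = self.initial_state()
        trace = [state]
        for gamma in steps:
            state = (self.delay(state, float(gamma)) if isinstance(gamma, (int, float))
                     else self.act(state, gamma))
            if state is None:
                return None
            trace.append(state)
        return trace


def figure_11_3() -> TimedAutomaton:
    """Figure 11.3(i) as read from the text (an assumption about the drawing)."""
    edges: List[Edge] = [
        (1, "a", conj(atom("x", ">=", 2), atom("x", "<=", 5)), frozenset({"x"}), 2),
        (2, "b", true, frozenset(), 3),
    ]
    return TimedAutomaton({1, 2, 3}, {"x"}, edges, 1, {1: atom("x", "<=", 5)})


RHO1 = [2.0, "a", 3.3, "b"]   # [1,0] -2-> [1,2] -a-> [2,0] -3.3-> [2,3.3] -b-> [3,3.3]
RHO2 = [3.5, "a", 7.0]        # [1,0] -3.5-> [1,3.5] -a-> [2,0] -7-> [2,7]
RHO3 = [6.0]                  # not a run: 6 units in location 1 would violate x <= 5
```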
11.2.2.2 Parallel Composition
The behaviour of a network can be defined in terms of the parallel composition
of the component automata Composition results in a single automaton, called
the product automaton, whose semantics correspond to that of the network.
The parallel composition of timed automata is just an extension of the same operation defined for (untimed) communicating automata (Section 8.2.2.2).
In addition, here we note that component guards and reset sets are conjoined