In this chapter, we present two automata-theoretic techniques based on timed automata. The Lynch–Vaandrager approach [Lynch and Vaandrager, 1991; Heitmeyer and Lynch, 1994] is more general and can handle finite and infinite state systems, but it lacks an automatic verification mechanism. Its specifications can be difficult to write and understand, even for relatively small systems. The Alur–Dill approach [Alur, Fix, and Henzinger, 1994] is less ambitious and is based on finite automata, but it offers an automated tool for verification of desirable properties. Its dense-time model can handle time values selected from the set of real numbers, whereas discrete-time models such as those in Statecharts and Modecharts use only integer time values.
7.1 LYNCH–VAANDRAGER AUTOMATA-THEORETIC APPROACH
[Heitmeyer and Lynch, 1994] advocate the use of three specifications to formally describe a real-time system. A specification consists of the description of one or more timed automata. First, an axiomatic specification specifies the system in a descriptive, axiomatic style without showing how it operates. Then, an operational specification describes the operation of the system. A formal proof is required to show that the operational specification implements the axiomatic specification.

Copyright © 2002 John Wiley & Sons, Inc.
ISBN: 0-471-18406-3
There are several ways to construct this proof. [Lynch and Attiya, 1992; Lynch and Vaandrager, 1991] have used assertional techniques for untimed, concurrent, and distributed systems, and thus propose adapting these techniques to verify timing properties of real-time systems. In particular, the method of simulations is used to establish the relationships (such as implementation) between two specifications described by two corresponding timed automata. Here, the concept of simulations includes special cases such as refinement mappings, backward and forward simulations, and history and prophecy mappings.

Several definitions exist for a general timed automaton. One variation proposed by Lynch and Vaandrager is as follows [Lynch and Vaandrager, 1991].
Timed Automaton: Formally, a timed automaton A is a general labeled transition system with four components:
states(A) is a set of states.
start(A) is a nonempty set of start states.
acts(A) is a set of actions. Actions can be internal or external. Internal actions are within the system. External actions include visible actions (which can be input or output actions) and special time-passage actions v(t), where t is a positive real number.
steps(A) is a set of steps (usually known as transitions in other definitions of automata).
The number of states can be finite or infinite. To improve readability, the notation s −π→_A s′ is used instead of (s, π, s′) ∈ steps(A), where A is a timed automaton. The subscript A is often omitted when no ambiguity exists.
7.1.1 Timed Executions
Having defined the concept of a timed automaton, we next consider its behavior by observing its execution from one point in time to another. A timed execution is a sequence of internal, visible, and time-passage actions, connected by their intervening states, and augmented with the notion of trajectories for each time-passage action. A trajectory indicates the state changes during time-passage steps. To formally define a timed execution, we first define the notion of a timed execution fragment.
Timed Execution: A timed execution fragment is a finite or infinite alternating sequence
α = ω_0 π_1 ω_1 π_2 ω_2 . . . ,
where (1) each ω_i is a trajectory and each π_i is a non-time-passage action, and (2) each π_{i+1} connects the final state s of the preceding trajectory ω_i with the initial state s′ of the succeeding trajectory ω_{i+1}, that is, s −π_{i+1}→ s′.
If the first state of the first trajectory, ω_0, of a timed execution fragment is a start state, then this fragment is a timed execution.
A state of a timed automaton A is reachable if it is the final state of the final trajectory in some finite timed execution of A. A time of occurrence is associated with each instance of a state or action in a timed execution. This is done by summing all the preceding time-passage values. Note that this notion of time of occurrence is similar to that of the occurrence function in real-time logic (RTL).
Given a timed automaton A, of practical interest is the set atexecs(A) of admissible timed executions in which the total amount of time passage is ∞. Next, we define timed traces to represent the visible behavior of timed automata for solving verification problems.
7.1.2 Timed Traces
A timed trace of any timed execution is the sequence of visible events that occur in the timed execution, paired with their times of occurrence. This sequence has the form
Example. Consider a traffic semaphore with three light signals. Initially, there is no light when the system is off. Once it is turned on at time 0, the event turn green makes the green light turn on. Next, the event turn yellow, occurring 20 s later, turns the green light off and then the yellow light on. Next, the turn red event, occurring 5 s later, turns the yellow light off and then the red light on. Next, the event turn green, occurring 15 s later, turns the red light off and then the green light on. This sequence is repeated infinitely often. The timed trace of this timed execution is
(turn green, 0), (turn yellow, 20), (turn red, 25), (turn green, 40), . . .
Operations on automata exist that allow the definition of complex automata by combining simpler automata. These operations include projection and parallel composition.
7.1.3 Composition of Timed Automata
To model a complex system, we need to combine several automata representing different parts of the system through composition. Two timed automata A and B are compatible iff they have no common output actions and the internal actions of A are different from those of B. Then the composition of A and B, written as A × B, is the timed automaton with:
states(A × B) = states(A) × states(B)
start(A × B) = start(A) × start(B)
acts(A × B) = acts(A) ∪ acts(B).
A step (s_A, s_B) −π→_{A×B} (s′_A, s′_B) exists iff s_A −π→_A s′_A if π ∈ acts(A), else s_A = s′_A, and s_B −π→_B s′_B if π ∈ acts(B), else s_B = s′_B.
This means that A and B can execute jointly on a common input or time-passage action, or on an output of one that is an input of the other.
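As an added illustration (this code is not from the book), the composition rule above and the time-of-occurrence computation of Section 7.1.2, applied to the traffic semaphore: a light automaton that only reacts to its input signals is composed with a constructed controller automaton that outputs those signals after letting 20 s, 5 s and 15 s pass. All state names, action names and the controller itself are assumptions made for this example.

```python
from itertools import product

# Added example (not from the book): explicit finite Lynch-Vaandrager automata,
# the composition A x B of Section 7.1.3, and times of occurrence obtained by
# summing time-passage values (7.1.2). v(t) is encoded as the tuple ("v", t).

class TimedAutomaton:
    def __init__(self, states, start, inputs, outputs, internal, passage, steps):
        self.states, self.start = set(states), set(start)
        self.inputs, self.outputs, self.internal = set(inputs), set(outputs), set(internal)
        self.passage = {("v", t) for t in passage}           # time-passage actions v(t)
        self.acts = self.inputs | self.outputs | self.internal | self.passage
        self.steps = set(steps)                              # triples (s, pi, s')

def compatible(a, b):
    """As stated in 7.1.3: no common outputs, internal actions of A differ from B's."""
    return not (a.outputs & b.outputs) and not (a.internal & b.internal)

def compose(a, b):
    """A x B: product states/start states, union of actions; a step on pi exists iff
    each component whose action set contains pi takes a pi-step, the other stays put."""
    if not compatible(a, b):
        raise ValueError("automata are not compatible")
    states = set(product(a.states, b.states))
    steps = set()
    for (sa, sb), pi, (ta, tb) in product(states, a.acts | b.acts, states):
        ok_a = (sa, pi, ta) in a.steps if pi in a.acts else sa == ta
        ok_b = (sb, pi, tb) in b.steps if pi in b.acts else sb == tb
        if ok_a and ok_b:
            steps.add(((sa, sb), pi, (ta, tb)))
    outputs = a.outputs | b.outputs
    return TimedAutomaton(states, product(a.start, b.start),
                          (a.inputs | b.inputs) - outputs,   # an output of one side absorbs the other's input
                          outputs, a.internal | b.internal,
                          {t for _, t in a.passage | b.passage}, steps)

def timed_trace(aut, actions):
    """Follow an action sequence from the unique start state of a deterministic
    automaton; return each visible action paired with its time of occurrence,
    i.e. the sum of the time-passage values preceding it."""
    (s,) = aut.start
    now, trace = 0, []
    for pi in actions:
        nxt = [t for u, p, t in aut.steps if u == s and p == pi]
        if not nxt:
            raise ValueError(f"action {pi} is not enabled in state {s} at time {now}")
        s = nxt[0]
        if pi in aut.passage:
            now += pi[1]
        elif pi not in aut.internal:
            trace.append((pi, now))
    return trace

# Constructed sample: the three-light semaphore of 7.1.2 as an automaton that only
# reacts to its inputs (and lets time pass in every state), composed with a
# controller that outputs those signals after 20 s, 5 s and 15 s respectively.
SIGNALS = {"turn_green", "turn_yellow", "turn_red"}
LIGHT_STATES = {"off", "green", "yellow", "red"}
LIGHT = TimedAutomaton(LIGHT_STATES, {"off"}, SIGNALS, set(), set(), {20, 5, 15},
                       {("off", "turn_green", "green"), ("green", "turn_yellow", "yellow"),
                        ("yellow", "turn_red", "red"), ("red", "turn_green", "green")}
                       | {(s, ("v", t), s) for s in LIGHT_STATES for t in (20, 5, 15)})
CTRL = TimedAutomaton({"c0", "cg", "cg20", "cy", "cy5", "cr", "cr15"}, {"c0"},
                      set(), SIGNALS, set(), {20, 5, 15},
                      {("c0", "turn_green", "cg"), ("cg", ("v", 20), "cg20"),
                       ("cg20", "turn_yellow", "cy"), ("cy", ("v", 5), "cy5"),
                       ("cy5", "turn_red", "cr"), ("cr", ("v", 15), "cr15"),
                       ("cr15", "turn_green", "cg")})
SYSTEM = compose(LIGHT, CTRL)
```

Running `timed_trace(SYSTEM, ["turn_green", ("v", 20), "turn_yellow", ("v", 5), "turn_red", ("v", 15), "turn_green"])` reproduces the timed trace of the semaphore example, and the composed automaton has no turn_yellow step while the controller is still waiting out its 20 s.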
7.1.4 MMT Automata
The above definition of a timed automaton is very general. To allow more efficient verification via simulations, a more specialized automaton is introduced. A Merritt–Modugno–Tuttle (MMT) automaton [Merritt, Modugno, and Tuttle, 1991] is an I/O automaton augmented with upper and lower bounds on time between specific actions. The MMT automaton model can be used to represent many types of timed automata. An I/O automaton is a labeled transition system for representing an untimed asynchronous system. Its internal and output actions are grouped into tasks.
I/O Automaton: An I/O automaton A has the following components:
states(A) is a set of states.
start(A) is a nonempty subset of states(A), the start states.
acts(A) is a set of actions. Actions can be internal or external. External actions can be input or output actions.
steps(A) is a set of steps (usually known as transitions in other publications). This is a subset of states(A) × acts(A) × states(A).
part(A) is a partition of the locally controlled (internal and output) actions into at most countably many equivalence classes.
Note that the definition of a basic timed automaton is basically that of an I/O automaton extended with the notion of time for steps(A). To define an MMT automaton, [Lynch and Attiya, 1992; Lynch and Vaandrager, 1991] extend the I/O automaton model with lower and upper time bound information. More precisely, an MMT automaton is an I/O automaton with only finitely many partition classes; and for each class C, lower and upper time bounds are defined and denoted lower(C) and upper(C), where 0 ≤ lower(C) < ∞ and 0 < upper(C) ≤ ∞. In other words, the lower bounds cannot be infinite and the upper bounds cannot be 0.
Since an MMT automaton can represent the time differences between certain actions in the modeled system or its component, the execution of the MMT automaton shows the behavior of the modeled system over time. A timed execution of an MMT automaton is an alternating sequence of the form s_0, (π_1, t_1), s_1, . . . , where the πs can be input, output, or external actions. For each i, s_i −π_{i+1}→ s_{i+1} must hold, and the successive times are nondecreasing and are required to satisfy the specified lower and upper time bound requirements.
The points at which the bounds for a class C begin to be measured are called initial indices. Index i is defined as an initial index for a class C enabled in state s_i if one of the following holds: i = 0, C is not enabled in s_{i−1}, or π_i ∈ C. With this definition, the following conditions must hold for every initial index i for a class C:
1. If upper(C) ≠ ∞, there exists k > i with t_k ≤ t_i + upper(C) such that either π_k ∈ C or C is not enabled in state s_k.
2. There does not exist k > i with t_k < t_i + lower(C) and π_k ∈ C.
Condition (1) is the upper bound requirement; an upper bound of ∞ means that actions in the corresponding class may never occur. Condition (2) is the lower bound requirement. The condition of admissibility must also hold; that is, if the sequence is infinite, then the times of actions approach ∞.
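The two bound conditions as a checker over a finite timed execution (an added example, not code from the book). The responder automaton, its single class "ack" with bounds [2, 5], and the sample executions are constructed for this example; an upper-bound deadline that lies beyond the end of the finite prefix is treated as undecided rather than violated.

```python
INF = float("inf")

# Added example (not from the book): checking a finite timed execution
# s0, (pi1, t1), s1, ... of an MMT automaton against conditions (1) and (2)
# of Section 7.1.4, exactly as stated there. enabled[s] is the set of classes
# enabled in state s; class_of[pi] is the class of a locally controlled
# action, or None for an input action.

def initial_indices(states, events, cls, enabled, class_of):
    """Indices i at which the bounds of class cls start being measured: cls is
    enabled in s_i and (i == 0, or cls not enabled in s_{i-1}, or pi_i in cls)."""
    out = []
    for i, s in enumerate(states):
        if cls not in enabled[s]:
            continue
        if i == 0 or cls not in enabled[states[i - 1]] or class_of[events[i - 1][0]] == cls:
            out.append(i)
    return out

def check_mmt_bounds(states, events, bounds, enabled, class_of):
    """states = [s0, ..., sn], events = [(pi1, t1), ..., (pin, tn)], t0 = 0.
    Returns the violations found on this prefix (empty list = none). An upper
    bound whose deadline lies past the last time t_n cannot be judged on a
    finite prefix and is not reported."""
    assert len(states) == len(events) + 1
    times = [0] + [t for _, t in events]
    if any(times[k] < times[k - 1] for k in range(1, len(times))):
        return ["times of occurrence are not nondecreasing"]
    horizon = times[-1]
    problems = []
    for cls, (lower, upper) in bounds.items():
        assert 0 <= lower < INF and 0 < upper <= INF     # 0 <= lower(C) < inf, 0 < upper(C) <= inf
        for i in initial_indices(states, events, cls, enabled, class_of):
            deadline = times[i] + upper
            # condition (1): some k > i with t_k <= t_i + upper(C) where pi_k is in cls
            # or cls is no longer enabled in s_k (vacuous when upper(C) is infinite)
            if upper != INF and horizon >= deadline:
                met = any(times[k] <= deadline and
                          (class_of[events[k - 1][0]] == cls or cls not in enabled[states[k]])
                          for k in range(i + 1, len(states)))
                if not met:
                    problems.append(f"upper bound of {cls}: enabled from t={times[i]}, "
                                    f"nothing happened by t={deadline}")
            # condition (2): no k > i with t_k < t_i + lower(C) and pi_k in cls
            for k in range(i + 1, len(states)):
                if times[k] < times[i] + lower and class_of[events[k - 1][0]] == cls:
                    problems.append(f"lower bound of {cls}: {events[k - 1][0]} at t={times[k]} "
                                    f"is earlier than t={times[i] + lower}")
    return problems

# Constructed sample: a responder that must acknowledge a message no earlier
# than 2 s and no later than 5 s after it arrives (class "ack" with bounds [2, 5]);
# msg is an input, so it is always enabled and has no class.
ENABLED = {"idle": set(), "pending": {"ack"}}
CLASS_OF = {"msg": None, "ack": "ack"}
BOUNDS = {"ack": (2, 5)}
GOOD_STATES = ["idle", "pending", "idle", "pending", "idle"]
GOOD_EVENTS = [("msg", 0), ("ack", 3), ("msg", 10), ("ack", 14)]
BAD_STATES = ["idle", "pending", "idle", "pending", "idle", "pending", "pending"]
BAD_EVENTS = [("msg", 0), ("ack", 3), ("msg", 10), ("ack", 11), ("msg", 20), ("msg", 30)]
```

The second execution violates the lower bound (ack at t = 11, only 1 s after the message at t = 10) and the upper bound (the message at t = 20 is still unacknowledged at t = 30).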
7.1.5 Verification Techniques
A problem P can be formulated as a set of finite or infinite sequences of actions with corresponding times Then a timed automaton A is said to solve P if all its admissible timed traces are in P Since we can express P as the set of admissible timed traces of another timed automaton B, the concept of admissible timed traces induces a preorder on timed automata The notation A ≤ B means that the set of admissible timed traces of A is a subset of the set of admissible timed traces of B.
Example. The following MMT automaton describes the behavior of the pedals of a simplified automobile, which has been specified in Statecharts in chapter 4. The automobile can be in one of three states: stop, move, or slow. The inputs are apply accelerator, apply brake, and apply hand brake. The nontrivial time bounds are speedup: [0, t_speedup], slow: [0, t_slow], and stop: [0, t_stop], where t_speedup, t_slow, and t_stop are the upper bounds on the time for the car to speed up, slow, and stop, respectively. The state components now, latest(speedup), latest(slow), and latest(stop) are also needed to add timing specifications to each state.
As in the Statecharts specification, the MMT automaton shows that (1) the transition from the state "stop" to the state "speedup" occurs when the accelerator is applied; (2) the transition from the state "speedup" to the state "slow" occurs when the brake is applied; (3) the transition from the state "slow" to the state "speedup" occurs when the accelerator is applied; and (4) the transitions from the states "speedup" and "slow" to the state "stop" occur when the hand brake is applied.
Automaton C: car's pedals system
States:
status ∈ {stop, slow, speedup}, initially stop
now, a non-negative real, initially 0
7.1.6 Proving Time Bounds with Simulations
By including lower and upper time bounds on classes of the specification automaton, the Larch Prover [Garland and Guttag, 1991] has been used to perform simple simulation proofs for verifying timing properties of real-time and distributed systems.
7.2 ALUR–DILL AUTOMATA-THEORETIC APPROACH
To verify that an implementation of a system satisfies the specification of the system, we first represent or encode the specification as a Büchi automaton A_S and the implementation as a Büchi automaton A_I. Then we check that the implementation meets the specification iff L(A_I) ⊆ L(A_S), or check for the emptiness of L(A_I) ∩ L(A_S)^C; that is, the intersection of the language accepted by the implementation and the language accepted by the complement of the specification (negation of the specification) is empty.
Alur and Dill extend timed automata with a finite set of real-valued clocks to express timing constraints on non-clock variables. Clocks are like timers (or stopwatches) and thus can be reset (set to time 0). Clock values increase uniformly with time; that is, at any instant the value of a clock is equal to the time elapsed since the last time it was reset. Each transition in a timed automaton is labeled, in addition to the input symbol, with either a clock value assignment or a clock constraint. A transition with a clock constraint is enabled only if the current values of the clocks satisfy this timing constraint. We begin the discussion by reviewing untimed traces and then extend these to timed traces.
7.2.1 Untimed Traces
A trace is a linear sequence of the observable events of a process. In general, each process has a set of observable events and the behavior of this process can be modeled by the set of its traces. For example, a traffic light turning green is an event in a traffic light system, as is the opening of a valve in a fuel system. A trace is a linear sequence of sets of events in the Alur–Dill model. A trace and a process are defined formally.
Example. Consider a traffic semaphore with three light signals. Initially the green light is on. Next, the green light turns off and then the yellow light turns on. Next, the yellow light turns off and then the red light turns on. Next, the red light turns off and then the green light turns on. This sequence is repeated infinitely often. By treating green, yellow, and red as events, the only possible trace is:
ρ_P = {green}, {yellow}, {red}, {green}, {yellow}, {red}, . . .
Keeping the notation simple by removing the set symbols, { }, this infinite sequence is denoted as
green yellow red green yellow red · · · = (green yellow red)^ω
Process P is denoted by ({green, yellow, red}, (green yellow red)^ω).
Operations on processes exist that allow the definition of complex processes by combining simpler processes. These operations include projection and parallel composition.
7.2.2 Timed Traces
In the Alur–Dill model, a real-valued time is associated with each symbol in a word to form a timed word.
Time Sequence: A time sequence τ = τ_1, τ_2, τ_3, . . . , where τ_i is a positive real number, is an infinite sequence of time values such that (1) the sequence increases strictly monotonically and (2) for every real number, there is a τ_j with a larger value. Note that condition 2 prevents an infinite number of events from occurring within a finite period of time.
Timed Word: A timed word over an alphabet is a pair (ρ, τ) where ρ is an infinite word over that alphabet and τ is a time sequence.
Timed Language: A timed language over an alphabet is a set of timed words over that alphabet.
Using these definitions, if each symbol ρ_i denotes the occurrence of an event, the corresponding time value τ_i indicates the time of occurrence of this event.
define a timed language L consisting of all timed words (ρ, τ) such that there is no ok after time 10.5; that is, the event timeout definitely becomes true at time 10.5 but may be true earlier. Formally, the language is:
L = {(ρ, τ) | ∀i((τ_i > 10.5) → (ρ_i = timeout))}.
This concept of a time value associated with an event occurrence is similar to the time value given by the occurrence function in real-time logic (chapter 6) and the chronos variable in time ER nets (chapter 8). An occurrence function assigns a time to the occurrence of an instance of an event. A variable chronos assigns a time-stamp to the production of a token in a Petri net.
The following Untime operation is a projection of a timed trace (ρ, τ) on the first component, the sequence of event occurrences ρ. This operation effectively deletes the time values corresponding to the event occurrence symbols and is useful when we do not need the absolute time values.
Untime Operation: Given a timed language L over an alphabet, Untime(L) is the ω-language with words ρ such that (ρ, τ) ∈ L for some time sequence τ.
Example. We apply the Untime operation to the above language L:
Untime(L) = ω-language with words containing only finitely many oks.
Timed Trace: A timed trace over a set E of events is a pair (ρ, τ) where ρ is an (untimed) trace over the set E and τ is a time sequence.
Timed Process: A timed process is a pair (E, L) where E is a (finite) set of events and L is a set of timed traces over the set E.
in Figure 2.13 (chapter 2). To simplify this example, we focus on the events in the heater section. Assume that the initial instances of the events occur at fixed times and that subsequent instances of the corresponding events occur at fixed time intervals. The event turn on heater happens 10 s after the event cold occurs, followed by the event comfort 5 s later, followed by the event turn off heater 5 s later, followed by the event cold 30 s later. Suppose the event cold first occurs at time 0. This process is represented by a timed process:
P_T = ({cold, turn on heater, comfort, turn off heater}, {ρ_P})
and it has a single timed trace
ρ_P = (cold, 0), (turn on heater, 10), (comfort, 15), (turn off heater, 20), (cold, 50), (turn on heater, 60), (comfort, 65), (turn off heater, 70), (cold, 100), . . .
Again, the Untime operation can be used to delete the time values corresponding to events.
Untime Operation for a Process: Given a timed process P = (E, L), Untime[(E, L)] is the untimed process where E is the event set and the trace set consists of the traces ρ such that for some time sequence τ, (ρ, τ) ∈ L.
Example. Automaton α1: Consider again the example of the automatic air conditioning and heating system (Figure 2.13) in chapter 2, which specifies the operations of a climate control system according to changes to a room temperature. The automaton representing this system can only specify the relative ordering of the events but cannot specify when these events should occur. Hence, it cannot be used to verify a timing-dependent climate control system. Now we introduce timing constraints to the transitions of this automaton, yielding the timed automaton shown in Figure 7.1.
Two clocks (clock variables) are present in the transition table, c1 and c2. Suppose the automaton starts in state s0 and reads the input symbol cold; then it takes the transition (indicating that the room temperature falls below 68°F) and moves to state s
[Figure 7.1: the timed automaton α1 for the climate control system; the figure itself is not reproduced here.]
In state s4, clock c1 shows the time passed since the reading of the input symbol cold (the occurrence of the event cold).
The automaton can move from state s4 to state s5 only if this clock value is less than 10 (seconds). In other words, this transition is enabled only if c1 is less than 10 (indicated by (c1 < 10)? along the transition). This timing constraint can be considered as the maximum delay for the turn on heater event to happen after detecting the cold event. This is the same as saying the deadline for the occurrence of the turn on heater event is less than 10 since the cold event is detected.
In state s5, if the automaton reads the input symbol comfort, then it takes the transition (indicating that the room temperature is at least 68°F) and moves to state s6. The clock c1 is again reset (set to 0 by the assignment c1 := 0) along this transition. In state s6, clock c1 shows the time passed since the reading of the input symbol comfort (the occurrence of the event comfort).
The automaton can move from state s6 back to state s0 only if this clock value is less than 2 (seconds). In other words, this transition is enabled only if c1 is less than 2 (indicated by (c1 < 2)? along the transition). As before, this timing constraint can be considered as the maximum delay for the turn off heater event to happen after detecting the comfort event. This is the same as saying the deadline for the occurrence of the turn off heater event is less than 2 since the comfort event is detected.
The behavior of the automaton starting from the initial state s0 if the input symbol hot (indicating that the room temperature is above 78°F) is read is similar, except that the air conditioner will be turned on and the deadlines are different. Note that different clocks can be reset or restarted at different times and they are independent (need not be synchronized). In this example, we can use a single clock to impose the timing constraints since either the heater or the air conditioner can be activated but not both at the same time. This automaton accepts the language:
L1 = {((cold turn on heater comfort turn off heater ∪ hot turn on ac comfort turn off ac)^ω, τ) | ∀x((τ_{4x+5} < τ_{4x+4} + 10) ∧ (τ_{4x+7} < τ_{4x+6} + 2) ∧ (τ_{4x+2} < τ_{4x+1} + 5) ∧ (τ_{4x+4} < τ_{4x+3} + 2))}.
automaton (Figure 7.2) representing the receiving of two messages (msg1 and msg2) and their corresponding acknowledgments (ack1 and ack2). ack1 must be sent 2 s after receiving msg1, and ack2 must be sent within 5 s of receiving msg2. ack1 must be sent before sending ack2. This last condition effectively requires that ack1 must be sent 2 s after receiving msg1 and within 5 s of receiving msg2, so that ack2 can be sent within 5 s of receiving msg2. This automaton has two clocks and accepts the language:
L2 = {((msg1 msg2 ack1 ack2)^ω, τ) | ∀x((τ_{4x+3} > τ_{4x+1} + 2) ∧ (τ_{4x+4} < τ_{4x+2} + 5))}.
Having described two examples, we now define the types of comparisons allowed in specifying a clock constraint.
[Figure 7.2 Automaton α2 for message sending and acknowledgment; the figure is not reproduced here. Its edges carry the clock resets i := 0 and j := 0 and the constraint (j < 5)?.]
Clock Constraints: An atomic constraint is of the form c operator t, where c is a clock variable, t is a time constant (a nonnegative rational number), and operator is either < or ≤. A clock constraint is an atomic constraint or a conjunction of atomic constraints.
Next we define an assignment of values to clocks, called a clock interpretation.
Clock Interpretation: A clock interpretation for a set of clocks is an assignment of a positive real value to each clock. A clock constraint may contain one or more clocks. A clock interpretation v for a set C of clocks is said to satisfy a clock constraint δ over C iff the assignment of the values in v to these clocks makes δ true. Given a positive real t, the expression v + t is a clock interpretation that assigns the value v(c) + t to every clock c.
We are now ready to define a state extended with a clock interpretation.
Extended State: Given a timed transition table, an extended state ⟨s, v⟩ is a state s ∈ S extended with a clock interpretation v for C.
7.2.3 Alur–Dill Timed Automata
Alur and Dill extend the ω-automata to accept timed words, yielding a theory of timed regular languages. The definition of a timed Büchi automaton is based on a Büchi automaton extended with a finite set of clocks and clock constraints.
Timed Transition Table: A timed transition table A is a 5-tuple consisting of a finite alphabet together with S, S0, C, and E, where S is a finite set of states, S0 ⊆ S is a set of start states, C is a finite set of clocks, and E is a set of transitions. A transition on input symbol α, ⟨s, s′, α, λ, δ⟩, is represented by an edge from state s to state s′. λ is the finite set of clocks to be reset with this transition. δ is a clock constraint over C.
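An added example (not the book's code) of this definition: a timed transition table with clock resets and constraints, reading a finite prefix of a timed word the way the heater branch of automaton α1 (Section 7.2.2) would. The state names s0, s4, s5, s6 and the constraints (c1 < 10)? and (c1 < 2)? follow the text; the reset of c1 on the cold edge and the sample timed words are assumptions.

```python
from fractions import Fraction

# Added example (not from the book): a timed transition table in the style of
# Section 7.2.3, read over a finite prefix of a timed word. An edge is
# (s, s', symbol, lambda, delta): lambda = clocks reset on the edge, delta = list
# of atomic constraints (clock, op, t), op in {"<", "<="}, all of which must hold.
# Times are Fractions so that rational constants compare exactly.

class TimedTransitionTable:
    def __init__(self, alphabet, states, start, clocks, edges):
        self.alphabet, self.states = set(alphabet), set(states)
        self.start, self.clocks, self.edges = set(start), set(clocks), list(edges)
        for s, q, sym, resets, delta in self.edges:
            assert {s, q} <= self.states and sym in self.alphabet
            assert set(resets) <= self.clocks and all(c in self.clocks for c, _, _ in delta)

OPS = {"<": lambda x, t: x < t, "<=": lambda x, t: x <= t}

def satisfies(v, delta):
    """Clock interpretation v satisfies delta iff every atomic constraint holds."""
    return all(OPS[op](v[c], t) for c, op, t in delta)

def run(table, timed_word):
    """Read (rho, tau), given as a list of (symbol, time), from the start states
    with all clocks at 0. Returns the set of extended states <s, v> reachable after
    the last symbol (v as a tuple of (clock, value) pairs); the empty set means the
    prefix cannot be read, so no timed word starting this way is accepted."""
    now = Fraction(0)
    current = {(s, tuple((c, Fraction(0)) for c in sorted(table.clocks))) for s in table.start}
    for a, t in timed_word:
        t = Fraction(t)
        if a not in table.alphabet or t <= now:     # tau is strictly increasing and tau_1 > 0
            raise ValueError(f"invalid timed word entry ({a}, {t})")
        elapsed, now = t - now, t
        nxt = set()
        for s, v_items in current:
            v = {c: x + elapsed for c, x in v_items}   # v + t: all clocks advance uniformly
            for p, q, sym, resets, delta in table.edges:
                if p == s and sym == a and satisfies(v, delta):
                    w = {c: (Fraction(0) if c in resets else x) for c, x in v.items()}  # apply lambda
                    nxt.add((q, tuple(sorted(w.items()))))
        current = nxt
        if not current:
            break
    return current

def states_after(table, timed_word):
    return sorted(s for s, _ in run(table, timed_word))

def clock_after(table, timed_word, clock):
    """Value of one clock when exactly one extended state is reached."""
    ((_, v_items),) = run(table, timed_word)
    return float(dict(v_items)[clock])

# Constructed sample: the heater branch of automaton alpha1 as the text describes
# it (states s0, s4, s5, s6, clock c1). The reset of c1 on reading cold is an
# assumption, since the text says c1 then measures the time since cold.
HEATER = TimedTransitionTable(
    alphabet={"cold", "turn_on_heater", "comfort", "turn_off_heater"},
    states={"s0", "s4", "s5", "s6"}, start={"s0"}, clocks={"c1"},
    edges=[("s0", "s4", "cold", {"c1"}, []),                           # c1 := 0
           ("s4", "s5", "turn_on_heater", set(), [("c1", "<", 10)]),   # (c1 < 10)?
           ("s5", "s6", "comfort", {"c1"}, []),                        # c1 := 0
           ("s6", "s0", "turn_off_heater", set(), [("c1", "<", 2)])])  # (c1 < 2)?
# Constructed timed-word prefixes: one within the deadlines, one where turn on
# heater comes exactly 10 s after cold (rejected, since the constraint is strict).
ON_TIME = [("cold", 1), ("turn_on_heater", 9), ("comfort", 15), ("turn_off_heater", 16.5), ("cold", 50)]
AT_LIMIT = [("cold", 1), ("turn_on_heater", 11)]
```

Because the constraints use strict <, an event arriving exactly at the deadline (turn on heater 10 s after cold, or turn off heater 2 s after comfort) leaves no readable extended state.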
The corresponding region automaton R(A) for a timed transition table A is a transition table over the alphabet of A.