Quantitative Robustness Analysis of Flat Timed Automata

HAL Id: hal-00534896

https://hal.archives-ouvertes.fr/hal-00534896

Preprint submitted on 10 Nov 2010

HAL

is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire

destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Quantitative Robustness Analysis of Flat Timed Automata

Remi Jaubert, Pierre-Alain Reynier

To cite this version:

Remi Jaubert, Pierre-Alain Reynier. Quantitative Robustness Analysis of Flat Timed Automata.

2010. �hal-00534896�

Quantitative Robustness Analysis of Flat Timed Automata

R´emi Jaubert^✍, Pierre-Alain Reynier LIF, Universit´e Aix-Marseille & CNRS, France

{remi.jaubert,pierre-alain.reynier}@lif.univ-mrs.fr

Abstract. Whereas formal verification of timed systems has become a very ac- tive field of research, the idealized mathematical semantics of timed automata cannot be faithfully implemented. Recently, several works have studied a para- metric semantics of timed automata related to implementability: if the specifica- tion is met for some positive value of the parameter, then there exists a correct implementation. In addition, the value of the parameter gives lower bounds on sufficient resources for the implementation. In this work, we present a symbolic algorithm for the computation of the parametric reachability set under this se- mantics for flat timed automata. As a consequence, we can compute the largest value of the parameter for a timed automaton to be safe.

1 Introduction

Verification of real-time systems.In the last thirty years, formal verification of reactive, critical, or embedded systems has become a very active field of research in computer science. It aims at checking that (the model of) a system satisfies (a formula expressing) its specifications. The importance of taking real-time constraints into account in verifi- cation has quickly been understood, and the model of timed automata [AD94] has be- come one of the most established models for real-time systems, with a well studied un- derlying theory, the development of mature model-checking tools (UPPAAL[BDL04], KRONOS[BDM 98], ...), and numerous success stories.

Implementation of real-time systems.Implementing mathematical models on physical machines is an important step for applying theoretical results on practical examples.

This step is well-understood for many untimed models that have been studied (e.g., finite automata, pushdown automata). In the timed setting, while timed automata are widely-accepted as a framework for modelling real-time aspects of systems, it is known that they cannot be faithfully implemented on finite-speed CPUs [CHR02]. Studying the

“implementability” of timed automata is thus a challenging issue of obvious theoretical and practical interest.

A semantical approach. Timed automata are governed by a mathematical, idealized semantics, which does not fit with the digital, imprecise nature of the hardware on which they will possibly be implemented. Animplementation semantics has been de- fined in [DDR05] in order to take the hardware into account: that semantics models a

✍Funded by a doctoral grant of “Conseil R´egional Provence-Alpes-Cˆote d’Azur”.

digital CPU which, everyδP time units (at most), reads the value of the digital clock (updated everyδLtime units), computes the values of the guards, and fires one of the available transitions. A timed automaton is then said to beimplementableif there exist positive values for those parameters (δP andδL) for which, under this new semantics, the behaviours of the automaton satisfy its specification. In order to study it efficiently, this semantics is over-approximated by theAASAPsemantics, which consists in “en- larging” the constraints on the clocks by some parameterδ. For instance, “xP ra, bs” is transformed into “xP ra✁δ, b δs”. Moreover, a formal link is drawn in [DDR05] be- tween these two semantics: as soon asδ→4δ_P 3δ_L, theAASAPsemantics simulates the semantics of the implementation. As a consequence, implementability can be en- sured by establishing the existence of some positiveδfor which theAASAPsemantics meets the specification.

Robustness problems. We call the above problem (existence of some positive δ) the qualitative problem of robustness. This problem was proven decidable for different kind of properties: the problem isPSPACE-complete for safety properties [Pur00,DDMR08]

andLTLformula [BMR06]. It isEXPTIME-complete for a fragment of the timed logic MTL[BMR08]. In addition, for safety properties, it is proven in [Pur00,DDMR08] that if there exists a safe positive value ofδ, then the system is also safe for a specific value of the form 1④2^⑤A⑤. While this allows to deduce a correct value for the parameter δ, computing the largest value ofδfor which theAASAPsemantics meets the specifica- tion was still an open problem. We are interested here in this last problem, which we call thequantitative problem of robustnessfor safety properties.

Our contributions.In this paper, we prove that the quantitative robustness problem for safety properties is decidable for flat timed automata (i.e.where each location belongs to at most one cycle). In addition, we show that the maximal safe value ofδ is a ra- tional number. To this end, we solve a more general problem: we prove that it is pos- sible to compute the parametric reachability set for flat timed automata, and present a forward algorithm based on parametric zones (constraints on clocks). As a parametric forward analysis does not terminate for (flat) timed automata, we need some accelera- tion techniques. To solve the qualitative robustness problem, different algorithms have been proposed in [Pur00,DDMR08,DK06] which compute an enlarged reachability set corresponding to states reachable for any positive perturbation, and include an acceler- ation of cycles. The algorithm we propose can be understood as a parametric version of the symbolic algorithm proposed in [DK06] for flat timed automata. We then tackle two issues: the termination of our procedure and its correction. For the first aspect, as we are in a parametric setting, we need completely new arguments of termination (the number of parametric zones we compute cannot be bounded as it is the case for zones).

Considering a graph representation of zones introduced in [CJ99a], we obtain proofs of termination depending only on the number of clocks, and not on the constants appear- ing in the automaton. Up to our knowledge, this constitutes an original approach in the context of timed automata. Regarding correctness, we identify under which conditions the enlarged reachability set coincides with the standard reachability set, and propose a modification of the algorithm to obtain the computation of the parametric reachability set (and not of the parametric enlarged reachability set).

Related work.Since its definition in [Pur00,DDR05], the approach based on theAASAP semantics has received much attention, and other kind of perturbations, like the drift of clocks, have been studied [DDMR08,ALM05,Dim07]. In the case of safety proper- ties and under some natural assumptions, this perturbation is equivalent to constraint enlargement and relies on similar techniques, as proved in [DDMR08]. Also, several works have considered variants of the robustness problem. In [SF07,SFK08], the case of systems with bounded life-time or regular resynchronization of clocks is considered, while in [Dim07], a symbolic algorithm is proposed to handle strict constraints.

Many other notions of “robustness” have been proposed in the literature in order to

relax the mathematical idealization of the semantics of timed automata [GHJ97,OW03,BBB 07].

Those approaches are different from ours, since they roughly consist in dropping “iso- lated” or “unlikely” executions, and are thus more related to language theoretical issues than to implementability issues.

Finally, our work is somewhat related to parametric timed automata. It is proven in [WT99] that emptiness is already undecidable for timed automata with three clocks and one parameter. In our setting, decidability results follow from strong restrictions on the use of the parameter. They correspond to the notion of upper parameter intro- duced in [HRSV02], but the problems we consider are different. In addition, to obtain termination, we introduce acceleration techniques based on [CJ99a]. Two recent works [BIL06,BIK10] also rely on [CJ99a] to propose acceleration techniques, but these con- cern parametric flat counter automata, and their parameter takes its values in natural numbers.

Organisation of the paper.In Section 2, we introduce standard definitions. We present in Section 3 the definition of the enlarged reachability set, and a modification of the algorithm of [DK06] for its computation. In Section 4, we first recall the graph repre- sentation of constraints, then present how we use it to obtain a new acceleration tech- nique, and finally we present our parametric algorithm and its proof of termination and of correction.

2 Definitions

2.1 Timed Automata, Zones

LetX ✏ tx1, . . . , xn✉be a finite set ofclockvariables. We extend it with a fictive clock x0, whose value will always be0, and denoteX the setX ❨ tx0✉. Anatomic (clock) constraintonX is of the formx✁y↕k, wherex✘y PX andk PQ. Note that we only consider non-strict inequalities. This makes sense as we will later enlarge these constraints. We say that the constraint isnon-diagonalif the comparison involves the clockx0. We denote byG♣Xq(resp.G_nd♣Xq) the set of(clock) constraints(resp.non- diagonal constraints) defined as conjunctions of atomic constraints (resp. non-diagonal atomic constraints).

A(clock) valuationvforXis an element ofR^X_➙0. A valuationvPR^X_➙0is extended toR^X_➙0byv♣x0q ✏0. IfvPR^X_➙0andtPR_➙0, we writev tfor the valuation assigning v♣xq tto every clockxPX. Ifr❸X,vrrÐ0sdenotes the valuation assigning0to every clock inrandv♣xqto every clock inX③r. Whether a valuationvPR^X_➙0satisfies

a constraintgPG♣Xq, writtenv⑤ùg, is defined inductively as follows: the conjunction is handled naturally, andv⑤ùx✁y↕kiffv♣xq ✁v♣yq↕k(recall thatv♣x0q ✏0). The set of valuations satisfying a constraintgis denotedJgK.

Azone Z over X is a convex subset of R^X_➙0 which can be defined as the set of valuations satisfying a clock constraint,i.e.there existsg PG♣Xqsuch thatZ ✏JgK.

We noteZones♣Xqthe set of zones onX. The zoneR^X_➙0is denoted❏.

Definition 1 (Timed Automaton).ATAis a tupleA ✏ ♣L, ℓ0,X, Σ, TqwhereLis a finite set of locations,ℓ0 PLis an initial location,X is a finite set of clocks,Σis a finite set of actions, andT ❸L✂G_nd♣Xq ✂Σ✂2^X✂Lis a finite set of transitions.

We define the semantics ofAas a timed transition systemJAK ✏ ①S, S0, Σ,Ñ②.

The setS of states ofJAKisL✂R^X_➙0 andS0 ✏ t♣ℓ0, v0q ⑤v0♣xq ✏ v0♣yq, ❅x, y P X✉. A transition in JAK is composed either of a delay move ♣ℓ, vq ÝÑ ♣ℓ, v^d dq, withd P R_➙0, or of a discrete move♣ℓ, vq ÝÑ ♣ℓ^{σ ✶}, v^✶qwhen there exists a transition

♣ℓ, g, σ, r, ℓ^✶q P T withv ⑤ù g, andv^✶ ✏vrr Ð0s. The graphJAKis thus an infinite transition system. ArunofJAKis a finite or infinite sequence♣ℓ0, v0qÝÑ ♣^σ1 ℓ1, v1qÝÑ^d1

♣ℓ1, v1 d1q ÝÑ ♣ℓ^σ2 2, v2q. . .where for eachi ➙1,di P R_➙0, and♣ℓ0, v0q P S0. A state♣ℓ, vqisreachableinJAKiff there exists a run from an initial state♣ℓ0, v0q PS0to

♣ℓ, vq; the set of reachable states is denotedReach♣Aq.

Note that standard definitions of timed automata also allow invariants on locations which restrict time elapsing. For the sake of simplicity, we do not consider this technical addition here, however all our results hold in presence of invariants.

Acycle of A is a finite sequence of transitions corresponding to a cycle of the underlying finite state automaton. We say that a timed automaton isflatif each location belongs to at most one cycle. Aprogress cycleis a cycle where each clock is reset at least once. We sayAisprogressiveif it only contains progress cycles.

Assumptions.As our results rely on previous works on robustness in TA [Pur00,DDMR08], we assume that our TA are progressive, and that all the clocks are always bounded by some constant M. In addition, as the algorithm we propose in based on [DK06], we also require our timed automata to be flat.

ℓ0 ℓ1 ℓ2 Bad

x1✏1✟∆ x2:✏0

x1↕2 ∆ x1:✏0 x2➙2✁∆

x2:✏0

x1↕0 ∆

x2➙α✁∆ withα✏2,A♣δqavoidsBadiffδ↕0. withα✏3,A♣δqavoidsBadiffδ➔1④3.

Fig. 1: A timed automatonA, with its parametric semantics.

2.2 Parametric objects

We define the parametric semantics introduced in [Pur00] that enlarges the set of runs of timed automata. This semantics can be defined in terms of timed automata extended with one parameter, denoted∆, with syntactic constraints on the use of this parameter.

We denote byPG♣Xqthe set ofparametric (clock) constraints generated by the grammar¹g ::✏g❫g⑤x✁y↕k b∆, wherex✘y PX,k PQandbPN. Given a parametric constraint g andδ P Q_➙0, we denote by g♣δq the constraint obtained by evaluating the parameter ∆ inδ. As the parameter helps in “relaxing” the clock constraint, we have thatδ↕δ^✶impliesJg♣δqK❸Jg♣δ^✶qK.

Definition 2 (Parametric Zone).Aparametric zone Z overX is a partial mapping from Q_➙0 to zones over X, which satisfies the following properties:♣iq its domain dom♣Zqis an interval with rational bounds, and♣iiqit can be defined as the parametric satisfiability set of a parametric clock constraint,i.e.there existsgPPG♣Xqsuch that for allδ P dom♣Zq,Z♣δq ✏ Jg♣δqK. We denote byPZones♣Xqthe set of parametric zones onX.²

By default the considered domain for a parametric zone isQ_➙0. Given a rational interval I, we denote Z_⑤I the parametric zone whose domain is restricted to I i.e., dom♣Z_⑤Iq ✏dom♣Zq ❳I, and which coincides withZondom♣Z_⑤Iq. GivenZ,Z^✶ P PZones♣Xq, we defineZ ❸Z^✶ if, and only if, we havedom♣Zq ❸dom♣Z^✶q, and for anyδPdom♣Zq,Z♣δq ❸Z^✶♣δq. We say that a parametric zoneZis non-empty if there existsδ P dom♣Zqsuch thatZ♣δq ✘∅. LetZ be a non-empty parametric zone. As the mapping represented byZ is monotone, we defineδ_✥∅♣Zq ✏ inftδ➙0⑤Z♣δq ✘

∅✉the minimal value of the parameter for the zone it denotes to be nonempty. AsZ only involves non-strict linear inequalities,δ_✥∅♣Zqis a rational number and we have Z♣δ_✥∅♣Zqq ✘∅(provided thatδ_✥∅♣Zq Pdom♣Zq).

Definition 3 (Parametric Semantics [Pur00,DDMR08]).LetA ✏ ♣L, ℓ0,X, Σ, Tq be a TA. The parametric semantics of A consists in replacing each constraint g P G_nd♣Xqappearing in some transition ofAby the parametric constraint obtained by en- larging it with the parameter∆. Formally, each atomic constraint of the formx✁y↕k is replaced by the parametric constraintx✁y↕k ∆.

Givenδ PQ_➙0, the instantiation of all constraints ofAinδleads to a timed automa- ton that we denote byA♣δq. The semantics used implies the following monotonicity property:δ↕δ^✶ñReach♣A♣δqq ❸Reach♣A♣δ^✶qq. An example of timed automaton is shown in Figure 1.

2.3 Symbolic computations using (parametric) zones

Asymbolic stateis a pair♣ℓ, Zq PL✂Zones♣Xq. Consider a transitiont✏ ♣ℓ, g, σ, r, ℓ^✶q P T of a TAA. We define the operatorPost^tcomputing the symbolic successors overt starting from the zone Z, withZ P Zones♣Xq, by Post^t♣Zq ✏ tv^✷ P R^X_➙0 ⑤ ❉v P Z,❉dPR_➙0:♣ℓ, vqÝÑ ♣ℓ^{σ ✶}, v^✶qÝÑ ♣ℓ^{d ✶}, v^✶ dqandv^✷✏v^✶ d✉. It is well known that Post^t♣Zqis still a zone. We define similarly the operatorPre^tfor the set of predecessors byt. Given a sequence of transitions̺, we define the operatorsPost^̺ andPre^̺as the compositions of these operators for each transition of̺. We define the set of successors

1Compared with L/U TA introduced in [HRSV02], our parameter is “upper”.

2In the sequel,ZandY denote a zone, whileZandYdenote a parametric zone.

from a symbolic state bySucc♣ℓ, Zq ✏ t♣ℓ^✶, Z^✶q PL✂Zones♣Xq ⑤ ❉t✏ ♣ℓ, g, σ, r, ℓ^✶q P T s.t.Z^✶✏Post^t♣Zq✉.

In order to perform parametric computations, we will use parametric zones. Our parametric constraints are less expressive³than those considered in [AAB00]. In par- ticular, we can perform the operations of intersection, time elapsing, clock reset, inclu- sion checking... and extend operatorsPost^̺andPre^̺to a parametric setting. We denote these extensions byPPost^̺ andPPre^̺.We also define the operatorSucc♣ℓ,Zq, where ZPPZones♣Xq, using thePPostoperator.

3 The enlarged reachability set Reach

♣ A q

Definition of Reach^✝♣Aq. We are interested here in the quantitative problem of ro- bustness for safety properties: given a set of states Badto be avoided, compute the maximal value of δ for the system to be safe, i.e. the valueδmax ✏ suptδ ➙ 0 ⑤ Reach♣A♣δqq ❳Bad✏∅✉(recall the monotonicity ofReach♣A♣δqqw.r.t.δ). Note that the valueδmaxmay be safe or not (see Examples in Appendix B.4).

In this paper, we propose an algorithm that computes a representation of the para- metric reachability set of a flat timed automaton. It is then easy to derive the optimal valueδmax. A standard forward parametric analysis does not terminate in general for timed automata. Such a phenomenon is due to cycles: it can be the case that a state

♣ℓ, vqis reachable for anyδ→0, but the length of paths allowing to reach♣ℓ, vqinA♣δq diverges whenδconverges to0.

Example 1. Consider the timed automaton represented on Figure 1. State♣ℓ2, vqwith v♣x1q ✏0andv♣x2q ✏2is reachable inJA♣δqKfor anyδ→0. Let denote byt1(resp.

t2) the transition fromℓ1toℓ2(resp. fromℓ2toℓ1), and let̺✏t1t2. InJA♣δqK, this state is reachable only afterr_2δ¹siterations of the cycle̺(see Figure 2).

after one iteration ofPost^̺:

0

x1

x2

1 1

2 2

1✁δ 1 2δ

ℓ2

ℓ1

after two iterations:

0

x1

x2

1 1

2 2

1✁3δ 1 4δ

ℓ2

ℓ1

after three iterations:

0

x1

x2

1 1

2 2

1✁5δ 1 6δ

ℓ2

ℓ1

Fig. 2: Reachable states during the parametric forward analysis ofA♣δq.

3Note that in our setting, one can define a data structure more specific than parametric DBMs considered in [AAB00]. Indeed, we do not need to split DBMs as the constraints only involve conjunctions. Moreover, we can perform basic operations (future, reset, intersection with an atomic constraint) in quadratic time, as for DBMs, see [Jau09].

This difficulty has first been identified by Puri in [Pur00] when studying the qual- itative robustness problem, and solved by computing the enlarged reachability set de- fined asReach^✝♣Aq^def✏ ➇

δPQ_→0

Reach♣A♣δqq. It is the set of states of the automaton reachable by an arbitrarily small value of the parameter. While [Pur00] proposed an algorithm based on the region graph, we use an algorithm proposed in [DK06] which relies on zones, as it is better suited for a parametric setting. The drawback of [DK06]

is that it requires the timed automaton to be flat.

Algorithm 1Computation ofReach^✝♣Aq.

Require: a progressive flat timed automatonAwith bounded clocks.

Ensure: the setReach^✝♣Aq.

1: ComputeνY.Pre^̺♣Yq,νY.Post^̺♣Yq, for each cycle̺inA.

2: Wait✏ t♣ℓ0, Z0q✉; // Initial states

3: Passed✏∅; 4: while Wait✘∅ do 5: -pop♣ℓ, Zqfrom Wait ;

6: -if❅♣ℓ, Z^✶q PPassed,Z❺Z^✶ then

7: - -if there exists a cycle̺around locationℓ then 8: - - -if Z❳νY.Pre^̺♣Yq ✘∅ then

9: - - - -Wait✏Wait❨Succ♣ℓ, νY.Post^̺♣Yqq; 10: - - - -Passed✏Passed❨ t♣ℓ, νY.Post^̺♣Yqq✉;

11: - -Wait✏Wait❨Succ♣ℓ, Zq; 12: - -Passed✏Passed❨ t♣ℓ, Zq✉; 13: return Passed ;

A new procedure for the computation ofReach^✝. We present Algorithm 1 which is a modification of the algorithm proposed in [DK06] to computeReach^✝. This modifica- tion allows us in the next section to prove the termination of a parametric version of this algorithm.

The original algorithm proposed in [DK06] (see Appendix A) relies on the notion ofstable zoneof a cycle̺. This zone represents states having infinitely many prede- cessors and successors by̺, and is defined as the intersection of two greatest fixpoints:

W_̺ ✏νY.Post^̺♣Yq ❳νY.Pre^̺♣Yq. Then, the algorithm is obtained by the following modifications of the standard forward analysis of the timed automaton: for each new symbolic state♣ℓ, Zqconsidered, if there exists a cycle̺around locationℓ, and ifZ intersects the stable zoneW_̺, then the stable zone is marked as reachable. The cor- rection of this algorithm relies on the following property of the stable zone: given two valuationsv, v^✶ PW_̺, for anyδ→0, there exists a path inJA♣δqKfrom state♣ℓ, vqto state♣ℓ, v^✶q(while such a path may not exist inJAK). The addition of the stable zone can be viewed as the acceleration of cycle̺.

Our new algorithm is obtained as follows:♣iqat line8, we test the intersection ofZ withνY.Pre^̺♣Yqinstead ofW̺, and♣iiqat line9and10, instead of declaringW̺as reachable, we declareνY.Post^̺♣Yqreachable. We state below that this modification is correct.

Theorem 1. Algorithm 1 is sound and complete.

Proof. We show that Algorithm 1 is equivalent to that of [DK06]. AsW_̺ is included in both greatest fixpoints, the completeness of the algorithm is trivial. To prove the soundness, let us consider the region graph construction (see for instance [AD94]). We do not recall this standard construction as it will only be used in this proof. As there are finitely many regions, it is easy to verify that if a region is included inνY.Pre^̺♣Yq, it has infinitely many successors by̺and then one of them is included inW̺. In other terms, the test of line 8 of intersection with νY.Pre^̺♣Yq instead ofW̺ simply anticipates the acceleration of the cycle̺. Similarly, any region included inνY.Post^̺♣Yqis the successor of a region included inW̺. Thus, our modification can be understood as a

speed-up of the original algorithm of [DK06]. ❬❭

We also state the following Lemma whose proof follows from a similar reasoning:

Lemma 1. Let̺be a cycle of a TAA. Then we have:

νY.Pre^̺♣Yq ✘∅ôνY.Pre^̺♣Yq ❳νY.Post^̺♣Yq ✘∅ôνY.Post^̺♣Yq ✘∅

4 Parametric computation of Reach ♣ A ♣ δ qq

4.1 Representing constraints as a graph

In the sequel, we will use a representation of clock constraints as a weighted directed graph introduced in [CJ99a,CJ99b]. Due to lack of space, we recall here only succintly its definition. Intuitively, the value of a clock can be recovered from its date of reset and the current time. The vertices of the graph represent these values, with one duplicate for each fired transition. Constraints on clock values are expressed as weights on arcs.

More formally, we introduce a new variableτ representing the total elapsed time.

In addition, for each clockxi PX we let variableXi denoteXi ✏τ✁xi. Note that for xi P X,Xi thus represents last date of reset of clockxi. For the special case of x0, we haveX0 ✏ τ (asx0always has value0). We denoteÝÑ

V the vector defined as

♣τ, X1, . . . , X_nq. For a transitiont✏ ♣ℓ, g, σ, r, ℓ^✶q, we define the formulaT^t♣ÝÑV ,ÝÑ V^✶q which expresses the relationship between values of the variables before (represented by Ý

ÑV) and after the firing of the transition (represented byÝÑ

V^✶✏ ♣τ^✶, X₁^✶, . . . , X_n^✶q):

T^t♣ÝÑV ,ÝÑ V^✶q:✏

➞n i✏1

♣X_i↕τ❫X_i^✶↕τ^✶q ❫τ↕τ^✶

❫ ➞

xiPr

τ✏X_i^✶❫➞

xi❘r

Xi✏X_i^✶❫g

wheregis the constraintgwhere for anyi, clockxiis replaced byτ✁Xi.

Let̺ ✏t1. . . tmbe a sequence of transitions. Forj P t0, . . . , m✉, we denote by ÝÑV^j the vector♣τ^j, X₁^j, . . . , X_n^jq. Then we define formulaT^̺♣ÝÑ

V⁰,ÝÝÑ

V^mqexpressing the constraints between variables before and after the firing of the sequence̺as follows:

T^̺♣ÝÑ

V⁰,ÝÝÑV^mq ✏ ❉ÝÑ

V¹, . . . ,ÝÝÝÑ V^m✁1.

m✁➞1 j✏0

T^̺♣ÝÑ V^j,ÝÝÝÑ

V^{j 1}q

Definition 4 (GraphG^❏_̺).Let̺✏t1. . . tmbe a sequence of transitions. The weighted directed graphG^❏_̺ has a set of verticesS✏➈_m

j✏0V^j(whereV^j is the set associated with the vector ÝÑ

V^j). Given two vertices v, v^✶ P S and a weightc P Q, there is an arc fromv tov^✶ labelled byc if and only if constraintv✁v^✶↕c appears in formula T^̺♣ÝÑ

V⁰,ÝÝÑ V^mq.

For any pathp, we writew♣pqthe total weight of the path. Suppose now that there is no cycle of negative weight in graphG^❏_̺. Let P_beg^̺ (resp.P_end^̺ ) denote the set of minimal weighted paths between vertices inV⁰(resp. inV^⑤̺⑤). We define the following mapping which interprets these shortest paths as clock constraints:

Letα✏0.❅pPP_beg^̺ , C♣pq ✏xl✁xi↕w♣pqifpstarts inX_i^αand ends inX_l^α. MappingCis defined similarly onP_end^̺ , usingα✏ ⑤̺⑤.

From Propositions 12 and 13 of [CJ99b], we have the following properties:

Proposition 1. Let̺be a sequence of transitions. Then we have:

– there exists a cycleγwithw♣γq ➔0inG^❏_̺ ôPost^̺♣❏q ✏∅ôPre^̺♣❏q ✏∅ – if there is no cycle of negative weight, then:

J➍

pPP_beg^̺ C♣pqK✏Post^̺♣❏qandJ➍

pPP_end^̺ C♣pqK✏Pre^̺♣❏q

More generally, given a zoneZ, we define the graph denotedG^Z_̺ by adding the con- straints ofZon the vertices inV⁰. MappingCapplied on paths inP_beg^̺ then defines the zonePost^̺♣Zq. Similarly, the zonePre^̺♣Zqcan be represented by adding constraints ofZon vertices inV^⑤̺⑤.

It is easy to verify that this construction extends to a parametric setting: consider- ing parametric constraints on arcs, we obtain a graph representation of the parametric computation of symbolic successors or predecessors. Note that a pathpin this context will have a weight of the formk b∆, whereb PNrepresents the number of atomic constraints of the TA used inp. In particular, while the value of a path depends on the value of∆, its existence does not.

1

✁1 X2⁰

τ⁰ X1⁰

2

X2¹

τ¹ X1¹

✁2

X2²

τ² X1²

Example 2. Consider the sequence of transitions ̺ ✏ t1t2 in the TA of Figure 1 defined in Example 1. The graph depicted on the left-side figure with plain arcs rep- resents G^❏_̺ (arcs without label have weight 0). For in- stance, the arc from vertex X₂² to vertex τ², labelled by ✁2, represents the lower bound for the clock x2

in t2 which means: x2 ➙ 2. Consider now the zone Z ✏Jx1✁x2 ✏1K(it corresponds to the set of reach- able valuations after firing transitionℓ0 Ñℓ1), then ad- ditional dotted arcs allow to representG^Z_̺.

Given a zone defined as the result of the firing of a sequence of transitions, this representation allows to recover how the constraints are obtained. Thus, the graph stores the complete history of the constraints.

In the sequel, we use this construction in the particular case of the iteration of a cycle

̺, given as a sequence of transitions of a TA. LetZinitbe a zone. We consider two se- quences of zones♣Z_k^❏qk➙0(resp.♣Z_k^initqk➙0) defined byZ₀^❏✏ ❏(resp.Z₀^init✏Zinit) andZ_k^✝ ₁✏Post^̺♣Z_k^✝q(where^✝denotes either^❏or^init). Note that by monotonicity of Post^̺, the sequence♣Z_k^❏qk➙0is decreasing and converges towardsZ_✽^❏✏νY.Post^̺♣Yq.

According to previous definitions,G^❏_̺k(resp.G^init_̺k ) denotes the graph associated with the zoneZ_k^❏(resp.Z_k^init). As the cycle̺will be clear from the context, we will omit to mention it in the subscript, and use notationsG^❏_k andG^init_k respectively.

Moreover, we will only be interested in vertices at the frontier between the different copies of the graph of̺. Then, given a clockxi P X and an indexj ↕ k,vertexX_i^j now denotes the date of reset of clockxiafter thej-th execution of̺(this notation is a shorthand for the notationX_i^j✂⑤̺⑤, as this last notation will never be used anymore).

Definition 5. LetN ✏ ⑤X⑤². Areturn pathis a pairr✏ ♣p1, p2qof paths in the graph G^❏_N such that there exist two clocksx_u, x_v P X and two indices0 ↕ i ➔ j ↕ N verifying:

– p1andp2are included in the subgraph associated withi-th toj-th copies of̺, – p1is a shortest path from vertexX_u^jto vertexX_uⁱ,

– p2is a shortest path from vertexX_vⁱto vertexX_v^j.

Theweight ofris defined asw♣rq ✏w♣p1q w♣p2q. The set of return paths is finite and is denotedR.

4.2 Accelerating computations of greatest fixpoints

Let̺be a cycle. In this subsection, we only consider the operatorPost^̺, but all our results also apply to the operatorPre^̺. We consider the decreasing sequence♣Z_k^❏qk➙0

converging towardsZ_✽^❏ ✏νY.Post^̺♣Yq ✏➇

k➙0Z_k^❏. We prove the following lemma which provides a bound for termination only dependant on the number of clocks. Note that this result does not require the cycle̺to be progressive neither the clocks to be bounded.

Lemma 2. LetN ✏ ⑤X⑤², andk➙N. IfZ_k^❏ ₁❼Z_k^❏, then we haveZ_✽^❏✏∅.

Proof. First, we prove thatZ_k^❏ ₁ ❼ Z_k^❏implies that there existsr PRused in some shortest path ofZ_k^❏ ₁witness of the disequality. Indeed, asZ_k^❏ ₁ ❼Z_k^❏, there exists a bound b ✏ ”xp ✁xq ↕ ☎” with 0 ↕ p ✘ q ↕ n, whose constraint is strictly smaller in Z_k^❏ ₁ than in Z_k^❏. In Z_k^❏ ₁, the constraint onb is obtained as a shortest path between verticesX_p^{k 1} andX_q^{k 1} in the graphG^❏_{k 1}. Letc be such a path. By definition ofG^❏_k andG^❏_{k 1}, the pathc must use arcs inG^❏₁ (otherwisec would also exist inG^❏_k). The graphG^❏_{k 1}is the concatenation ofk 1copies of the graph of̺. For each occurrence of̺,cgoes through a pair of vertices when it enters/leaves it. Finally, ask 1→N ✏ ⑤X⑤², there exists a pair that occurs twice, we denote these two clocks xuandxv. Thusccontains a return pathr P R(see Figure 3 representing the graph G^❏_{k 1}and the return pathrin the shortest pathc).

Second, asZ_k^❏₁ ❼Z_k^❏, we havew♣rq ➔0. By contradiction, ifw♣rq →0thenc would not be a shortest path and ifw♣rq ✏0thencwould also exist inG^❏_k.

Finally, the existence of a return pathr P Rsuch that w♣rq ➔ 0 implies that Z_✽^❏ ✏∅♣✏νY.Post^̺♣Yqq. Whenkgrows, one can build new paths by repeating this return path. As its weight is negative, the weights of the paths we build diverge towards

✁✽. In particular, the constraint of the zoneZ_✽^❏on the clock differencex_p✁x_qcannot be finite (as it is the limit of a sequence diverging towards✁✽), and thus we obtain

Z_✽^❏ ✏∅. ❬❭

0 i j k 1→⑤X⑤²

̺ ̺ ̺ ̺ ̺ ̺

X_uⁱ

X_vⁱ

X_u^j

X_v^j

X_q^{k 1} X_p^{k 1}

Fig. 3: Pumping lemma : a path fromX_q^{k 1}toX_p^{k 1}using arcs inG^❏₁ exhibits a return path between pairs of vertices♣X_uⁱ, X_vⁱqand♣X_u^j, X_v^jq.

We can now compute, in the parametric setting, the greatest fixpoint ofPPost^̺for every cycle̺of the automaton. We first evaluate the parametric zonesZ✏PPost^̺N♣❏qand Z^✶ ✏PPost^̺♣Zq. Then, we determine the minimal valueδ0 ✏mintδ➙0⑤Z♣δq ✏ Z^✶♣δq✉. This definition is correct asZ^✶ ❸Z and there existsδfor which the greatest fixpoint is not empty. Finally the greatest fixpoint can be represented byZ_{⑤rδ0; ✽r}as Lemma 2 ensures that the fixpoint is empty for allδ➔δ0.

4.3 Parametric Forward analysis with acceleration

We present Algorithm 2 for the parametric computation of Reach♣A♣δqq. It can be understood as an adaptation in a parametric setting of Algorithm 1. First, at line1we perform parametric computation of greatest fixpoints using the procedure proposed in Section 4.2. Second, the test of intersection between the current zone and the greatest fixpoint ofPre^̺is realized in a parametric setting by the computation at line8ofδmin✏ δ_✥∅♣Z❳νY.PPre^̺♣Yqq. Finally, we split the domain of the current parametric zone into intervalsI1andI2. In intervalI1, no acceleration is done for cycles and thus the set Reach♣A♣δqqis computed. Acceleration techniques are used only for intervalI2, and for these values the algorithm computes the setReach^✝♣A♣δqq. We prove below that in this case, the equalityReach♣A♣δqq ✏ Reach^✝♣A♣δqqholds. Note that the test at line 9allows to handle differently the particular case of valueδminwhich does not always require to apply acceleration.

Theorem 2. Algorithm 2 terminates and is correct.

In the sequel, we denoteN ✏ ⑤X⑤²andδ^̺_✥∅✏δ_✥∅♣νY.PPre^̺♣Yqq ✏δ_✥∅♣νY.PPost^̺♣Yqq (by Lemma 1). Before turning to the proof, we state the following Lemma whose proof

Algorithm 2Parametric Computation of the Reachability Set.

Require: a progressive flat timed automatonAwith bounded clocks.

Ensure: the setReach♣A♣δqqfor allδPR_➙0.

1: ComputeνY.PPre^̺♣YqandνY.PPost^̺♣Yqfor each cycle̺ofA.

2: Wait✏ t♣ℓ0,Z0q✉; // Initial States

3: Passed✏∅; 4: while Wait✘∅ do 5: —pop♣ℓ,Zqfrom Wait ;

6: —if ❅♣ℓ,Z^✶q PPassed,Z❺Z^✶ then

7: — —ifthere exists a cycle̺around locationℓ then 8: — — —δmin✏δ_✥∅♣Z❳νY.PPre^̺♣Yqq; 9: — — —ifδmin✏δ_✥∅♣νY.PPre^̺♣Yqq then 10: — — — —I1✏ r0;δmins;I2✏sδmin; ✽r; 11: — — —else

12: — — — —I1✏ r0;δminr;I2✏ rδmin; ✽r;

13: — — —Wait✏Wait❨Succ♣ℓ,Z_⑤I1q ❨Succ♣ℓ,Z_⑤I2q ❨Succ♣ℓ, νY.PPost^̺♣Yq_⑤I2q; 14: — — —Passed✏Passed❨ ♣ℓ,Z_⑤I1q ❨ ♣ℓ,Z_⑤I2q ❨ ♣ℓ, νY.PPost^̺♣Yq⑤I2q;

15: — —else

16: — — —Wait✏Wait❨Succ♣ℓ,Zq; 17: — — —Passed✏Passed❨ ♣ℓ,Zq; 18: return Passed ;

is given in Appendix B.2. Intuitively, it establishes that when all return paths have a pos- itive weight, then either♣iqthe starting zone has finitely many successors and then it converges to the empty set after at mostNsteps, or♣iiqit has infinitely many successors and then it converges towardsνY.Post^̺♣Yq. In this last case, the enlarged reachability set corresponds to the standard reachability set. Its proof relies on pumping techniques presented in Section 4.2. To illustrate property♣iiq, let consider the timed automaton of Figure 1, for which the enlarged reachability set strictly contains the standard reacha- bility set. One can verify that there exists a return path associated with̺✏t1t2which has weight0.

Lemma 3. Let̺be such that for any return pathrPR, we havew♣rq →0. Then we have:

♣iq IfZinit❳νY.Pre^̺♣Yq ✏∅, thenZ_N^init ✏∅.

♣iiq IfZinit❳νY.Pre^̺♣Yq ✘∅, thenZ_✽^init ✏Z_✽^❏♣✏νY.Post^̺♣Yqq.

Unlike Lemma 2, we use the progess cycle assumption to prove this lemma (see the proof of Lemma 4 in Appendix B.1).

Recall that the TA we consider are flat. As a consequence, in the following proofs of termination and correctness, we will only consider a simple cycle̺.

Termination. Consider a parametric symbolic state♣ℓ,Zqand a cycle̺starting inℓ.

We have to prove that all the elements added to the Wait list have a finite number of suc- cessors. This is trivial for the successors of♣ℓ, νY.PPost^̺♣Yq_⑤I2qasνY.PPost^̺♣Yq_⑤I2

is by definition a fixpoint ofPPost^̺. We now focus on the successors of♣ℓ,Z_⑤I1qand

♣ℓ,Z_⑤I2q. Note that we haveδmin➙δ_✥^̺_∅.

– Case of ♣ℓ,Z_⑤I2q: We prove property ♣✝q PPost^̺N♣Z_⑤I2q ❸ νY.PPost^̺♣Yq_⑤I2. Then the computation is stopped by the test of line6 as the greatest fixpoint has been added to the Passed list. To prove♣✝q, we prove it holds for any δ P I2. Fix some δ P I2 and define Z_init ✏ Z_⑤I2♣δq. We consider the two sequences

♣Z_i^✝qi➙0 w.r.t. cycle ̺enlarged by δ. Note that as δ ➙ δmin ➙ δ_✥^̺_∅, we have νY.PPost^̺♣Yq♣δq ✘ ∅. By Lemma 2, this entailsZ_N^❏ ✏νY.PPost^̺♣Yq♣δq. By monotonicity ofPost^̺,Z_N^init❸Z_N^❏holds. This yields the result.

– Case of♣ℓ,Z_⑤I1q:We distinguish two cases whetherδmin→δ_✥^̺_∅or not.

Ifδmin→δ^̺_✥∅: for anyδP rδ_✥^̺∅, δminr, Lemma 3.♣iqcan be applied on cycle̺en- larged byδ. This implies that for anyδP rδ^̺_✥∅, δminr, we havePPost^̺N♣Z_⑤I1q♣δq ✏

∅. Then this property also holds for anyδ P I1, by monotonicity of Z and PPost^̺.

Ifδmin✏δ^̺_✥∅: the complete proof of this last case is more technical and is com- pletely described in Appendix B.3. We only present here a sketch of proof.

First note that for any fixed value ofδ ➔δmin, as the zone does not intersect the greatest fixpoint ofPre^̺, the zone has finitely many successors. However, this argument cannot be lifted to a parametric setting as this number diverges whenδconverges towardsδmin. By definition ofδ_✥^̺_∅, some return paths, which we calloptimal, have a weight equal to0inδ_✥^̺_∅(and are thus strictly negative onr0, δ^̺_✥∅r). Our proof consists in first showing that there exists some integerk for which afterksteps, all shortest paths go through optimal return paths. Then, consideringqas the least common multiple of lengths of optimal return paths, we can prove the following inclusionPPost^{̺k q}♣Z_⑤I1q ❸PPost^̺k♣Z_⑤I1q. The algorithm stops by test of line6.

Correctness. As explained before, the algorithm is a standard forward analysis which may add some additional behaviours, according to test of line8. We distinguish three cases:

1. Forδ P r0, δminr : For these values, the algorithm simply performs a forward analysis. As a consequence, the correctness is trivial.

2. ForδPsδmin, ✽r:For all these values, the addition occurs, and then the algorithm is equivalent to Algorithm 1. By correction of Algorithm 1, this implies that it computes the setReach^✝♣A♣δqq. We will prove that for all these values, we have the equalityReach♣A♣δqq ✏Reach^✝♣A♣δqq. Therefore we need to prove that what has been added to obtainReach^✝♣A♣δqqwas already in Reach♣A♣δqq. Note that the only addition is the greatest fixpoint ofPost^̺. The property is then a direct consequence of Lemma 3.♣iiq as it states that the greatest fixpoint is reachable from the initial states. It is easy to verify that Lemma 3.♣iiqcan indeed be applied.

3. Forδ ✏ δmin:There are two cases, whetherδmin ✏ δ_✥^̺_∅ or not. If the equality holds, thenδminPI1and the reasoning developed at point1.also applies. Ifδmin→ δ_✥^̺_∅holds, thenδminPI2and we can apply reasoning of point2.as Lemma 3.♣iiq also applies because we haveδmin→δ^̺_✥∅.

4.4 Quantitative safety

Once the reachable state space of the automaton is computed by Algorithm2, it is easy to compute the maximal value of the parameter such that the system avoids some set of bad states. Simply compute the valueδ_✥∅ on each parametric zone associated with a bad location and keep the lower one:δmax✏mintδ_✥∅♣Zq ⑤ ❉ℓPBadsuch that♣ℓ,Zq P Passed✉. We thus obtain:

Theorem 3. The quantitative robustness problem for safety properties is decidable for flat progressive timed automata with bounded clocks. In addition, the valueδmax is a rational number.

5 Conclusion

In this paper, we considered the quantitative robustness problem for safety properties, which aims at computing the largest value of the parameter∆under which the TA is safe. We proposed a symbolic forward algorithm for the computation of the parametric reachability set for flat timed automata. We proved its termination by means of original arguments using a representation of zones by graphs. As a consequence, it allows us to compute the largest safe value of the parameter, and prove it is a rational number.

There are several extensions we want to investigate. First, we are implementing the algorithm using a data structure specific to the parametric zones used in our setting.

Second, we want to study the complexity of our algorithm. The difficulty is due to the argument of termination in the last case which leads to a large value and may be improved.

We also aim at enlarging the class of TA for which we can solve the quantitative robustness problem. For instance, if the parameter is not always introduced on guards with coefficient1, but with other coefficients inN_→0, we believe that our algorithm can also be applied. A challenging topic concerns the hypothesis of flatness: we plan to investigate a parametric extension of the algorithm introduced in [Dim07] which can be seen as an extension of that of [DK06] to non-flat TA.

Finally, we believe that it should be possible to solve the quantitative robustness problem for flat TA for other specifications like for instanceLTLproperties.

References

AAB00. A. Annichini, E. Asarin, and A. Bouajjani. Symbolic techniques for parametric rea- soning about counter and clock systems. InProc. CAV’00, vol. 1855 ofLNCS, pp.

419–434. Springer, 2000.

AD94. R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994.

ALM05. R. Alur, S. La Torre, and P. Madhusudan. Perturbed timed automata. InProc.

HSCC’05, vol. 3414 ofLNCS, pp. 70–85. Springer, 2005.

BBB 07. C. Baier, N. Bertrand, P. Bouyer, Th. Brihaye, and M. Gr¨oßer. Probabilistic and topological semantics for timed automata. InProc. FSTTCS’07, vol. 4855 ofLNCS, pp. 179–191. Springer, 2007.

BDL04. G. Behrmann, A. David, and K. G. Larsen. A tutorial onUPPAAL. InProc. SFM- 04:RT, vol. 3185 ofLNCS, pp. 200–236. Springer, 2004.

BDM 98. M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, and S. Yovine. Kronos: a model-checking tool for real-time systems. InProc. CAV’98, vol. 1427 ofLNCS, pp.

546–550. Springer, 1998.

BIK10. M. Bozga, R. Iosif, and F. Konecn´y. Fast acceleration of ultimately periodic relations.

InProc. CAV’10, vol. 6174 ofLNCS, pp. 227–242. Springer, 2010.

BIL06. M. Bozga, R. Iosif, and Y. Lakhnech. Flat parametric counter automata. InProc.

ICALP’06, vol. 4052 ofLNCS, pp. 577–588. Springer, 2006.

BMR06. P. Bouyer, N. Markey, and P.-A. Reynier. Robust model-checking of linear-time properties in timed automata. InProc. LATIN’06, vol. 3887 ofLNCS, pp. 238–249.

Springer, 2006.

BMR08. P. Bouyer, N. Markey, and P.-A. Reynier. Robust analysis of timed automata via channel machines. InProc. FoSSaCS’08, vol. 4962 ofLNCS, pp. 157–171. Springer, 2008.

CHR02. F. Cassez, Th. A. Henzinger, and J.-F. Raskin. A comparison of control problems for timed and hybrid systems. InProc. HSCC’02, vol. 2289 ofLNCS, pp. 134–148.

Springer, 2002.

CJ99a. H. Comon and Y. Jurski. Timed automata and the theory of real numbers. InProc.

CONCUR’99, vol. 1664 ofLNCS, pp. 242–257. Springer, 1999.

CJ99b. H. Comon and Y. Jurski. Timed automata and the theory of real numbers. Research Report LSV-99-6, Laboratoire Sp´ecification et V´erification, ENS Cachan, France, July 1999. 44 pages.

DDMR08. M. De Wulf, L. Doyen, N. Markey, and J.-F. Raskin. Robust safety of timed automata.

Formal Methods in System Design, 33(1-3):45–84, 2008.

DDR05. M. De Wulf, L. Doyen, and J.-F. Raskin. Almost ASAP semantics: from timed mod- els to timed implementations.Formal Aspects of Computing, 17(3):319–341, 2005.

Dim07. C. Dima. Dynamical properties of timed automata revisited. InProc. FORMATS’07, vol. 4763 ofLNCS, pp. 130–146. Springer, 2007.

DK06. C. Daws and P. Kordy. Symbolic robustness analysis of timed automata. InProc.

FORMATS’06, vol. 4202 ofLNCS, pp. 143–155. Springer, 2006.

GHJ97. V. Gupta, Th. A. Henzinger, and R. Jagadeesan. Robust timed automata. InProc.

HART’97, vol. 1201 ofLNCS, pp. 331–345. Springer, 1997.

HRSV02. T. Hune, J. Romijn, M. Stoelinga, and F. Vaandrager. Linear parametric model check- ing of timed automata.Journal of Logic and Algebraic Programming, 2002.

Jau09. R. Jaubert. Aspects quantitatifs dans la r´ealisation de contrˆoleurs temps-r´eels ro- bustes. M´emoire de Master Recherche, Master Informatique Fondamentale, Mar- seille, 2009.

OW03. J. Ouaknine and J. B. Worrell. Revisiting digitization, robustness and decidability for timed automata. InProc. LICS’03. IEEE Computer Society Press, 2003.

Pur00. A. Puri. Dynamical properties of timed automata.Discrete Event Dynamic Systems, 10(1-2):87–113, 2000.

SF07. M. Swaminathan and M. Fr¨anzle. A symbolic decision procedure for robust safety of timed systems. InProc. TIME’07, p. 192. IEEE Computer Society Press, 2007.

SFK08. M. Swaminathan, M. Fr¨anzle, and J.-P. Katoen. The surprising robustness of (closed) timed automata against clock-drift. InProc. TCS’08, vol. 273 ofIFIP, pp. 537–553.

Springer, 2008.

WT99. H. Wong-Toi. Analysis of slope-parametric rectangular automata. InProc. Hybrid Systems’97, vol. 1567 ofLNCS, pp. 390–413. Springer, 1999.

A Algorithm of [DK06] for Reach

♣ A q

We present the algorithm proposed in [DK06] for the computation of the setReach^✝♣Aq.

Algorithm 3Algorithm of [DK06] for the computation ofReach^✝♣Aq Require: a progressive flat timed automatonAwith bounded clocks.

Ensure: the setReach^✝♣Aq.

1: ComputeW̺✏νY.Pre^̺♣Yq ❳νY.Post^̺♣Yq, for each cycle̺inA.

2: Wait✏ t♣ℓ0, Z0q✉; // Initial States

3: Passed✏∅; 4: while Wait✘∅ do 5: -pop♣ℓ, Zqfrom Wait ;

6: -if❅♣ℓ, Z^✶q PPassed,Z❺Z^✶ then

7: - -ifthere exists a cycle̺around locationℓ then 8: - - -if Z❳W̺✘∅ then

9: - - - -Wait✏Wait❨Succ♣ℓ, W̺q; 10: - - - -Passed✏Passed❨ ♣ℓ, W̺q;

11: - -Wait✏Wait❨Succ♣ℓ, Zq; 12: - -Passed✏Passed❨ ♣ℓ, Zq; 13: return Passed ;

B Complements on Section 4

B.1 Preliminaries

In the following proofs, we will need to consider the weighted directed graph associated with a sequence of transitions in a parametric setting. The weight of an arc is then a parametric constraint (only arcs representing transitions of the TA are enlarged with the parameter). Given a pathpin such a graph and a valueδ➙0, we denote byw_δ♣pqthe weight obtained when evaluating the parameter∆in the valueδ. Given a return path rPR, thelength ofr, defined asj✁i(with respect to Definition 5) , is denoted⑤r⑤.

There exists a standard data structure for representing zones which is called Differ- ence Bound Matrix (DBM for short). We will not introduce its definition but assume the reader is familiar with it. Given a boundb✏”x✁y↕ ☎”and a non-empty zoneZ, we denote byZrbsthe value of the DBM in normal form associated withZ (which is either ✽or a relative number as all constraints are non-strict).

Finally, we prove the following lemma:

Lemma 4. Let̺be a progress cycle. We consider the sequences♣Z_k^initqk➙0and♣Z_k^❏qk➙0. Letk→Nandb✏”x✁y↕ ☎”be a bound. Then we haveZ_k^initrbs ➔ ✽if and only ifZ_k^❏rbs ➔ ✽.