HAL Id: hal-00350488
https://hal.archives-ouvertes.fr/hal-00350488
Submitted on 6 Jan 2009
Patricia Bouyer, Catherine Dufourd, Emmanuel Fleury, Antoine Petit
To cite this version:
Patricia Bouyer, Catherine Dufourd, Emmanuel Fleury, Antoine Petit. Are Timed Automata Updatable?. 12th International Conference on Computer Aided Verification (CAV'2000), 2000, Chicago, United States. pp. 464-479, doi:10.1007/10722167_35. hal-00350488
In Proc. 12th Int. Conf. Computer Aided Verification (CAV’2000), Chicago, IL, USA, July 2000.
volume 1855 of Lecture Notes in Computer Science, pages 464−479. Springer, 2000.
Are Timed Automata Updatable?

Patricia Bouyer, Catherine Dufourd, Emmanuel Fleury, and Antoine Petit*

LSV, CNRS UMR 8643, ENS de Cachan, 61 Av. du Président Wilson, 94235 Cachan Cedex, France
{bouyer, dufourd, fleury, petit}@lsv.ens-cachan.fr
Abstract. In classical timed automata, as defined by Alur and Dill [AD90, AD94] and since widely studied, the only operation allowed to modify the clocks is the reset operation. For instance, a clock can neither be set to a non-null constant value, nor be set to the value of another clock nor, in a non-deterministic way, to some value lower or higher than a given constant. In this paper we study such updates in detail. We characterize precisely the frontier between decidability and undecidability. Our main contributions are the following:
- We exhibit many classes of updates for which emptiness is undecidable. These classes depend on the clock constraints that are used (diagonal-free or not), whereas it is well known that these two kinds of constraints are equivalent for classical timed automata.
- We propose a generalization of the region automaton proposed by Alur and Dill, which handles larger classes of updates. The complexity of the decision procedure remains Pspace-complete.
1 Introduction

Since their introduction by Alur and Dill [AD90, AD94], timed automata are one of the most studied models for real-time systems. Numerous works have been devoted to the theoretical comprehension of timed automata and their extensions (among many others, see [ACD+92], [AHV93], [AFH94], [ACH94], [Wil94], [HKWT95], [BD00], [BDGP98]) and several model-checkers are now available (HyTech (1) [HHWT95, HHWT97], Kronos (2) [Yov97], Uppaal [LPY97]). These works have made it possible to treat many case studies (see the web pages of the tools) and it is precisely one of them, the ABR protocol [BF99, BFKM99], which has motivated the present work. Indeed, the most simple and natural modelization of the ABR protocol uses updates which are not allowed in classical timed automata, where the only authorized operations on clocks are resets. Therefore we have considered updates constructed from simple updates of one of the following forms:

$$x :\sim c \quad \mid \quad x :\sim y + c, \qquad \text{where } x, y \text{ are clocks, } c \in \mathbb{Q}^+ \text{ and } \sim \in \{<, \le, =, \ne, \ge, >\}$$

* This work has been partly supported by the French project RNRT Calife.
(1) http://www-cad.eecs.berkeley.edu/~tah/HyTech/
(2) http://www-verimag.imag.fr/TEMPORISE/kronos/

More precisely, we have studied the (un)decidability of the emptiness problem for the extended timed automata constructed with such updates. We call these new automata updatable timed automata. We have characterized precisely the frontier between classes of updatable timed automata for which emptiness is decidable or not. Our main results are the following:
- We exhibit many classes of updates for which emptiness is undecidable. A surprising result is that these classes depend on the clock constraints that are used: diagonal-free (i.e. where the only allowed comparisons are between a clock and a constant) or not (where the difference of two clocks can also be compared with a constant). This point makes an important difference with classical timed automata, for which it is well known that these two kinds of constraints are equivalent.
- We propose a generalization of the region automaton proposed by Alur and Dill, which handles large classes of updates. We thus construct an (untimed) automaton which recognizes the untimed language of the considered timed automaton. The complexity of this decision procedure remains Pspace-complete.

Note that these decidable classes are not more powerful than classical timed automata, in the sense that for any updatable timed automaton of such a class, a classical timed automaton (with $\varepsilon$ transitions) recognizing the same language, and even most often bisimilar, can be effectively constructed. But in most cases an exponential blow-up seems unavoidable, and thus a transformation into a classical timed automaton cannot be used to obtain an efficient decision procedure. These constructions of equivalent automata are available in [BDFP00b].

The paper is organized as follows. In Section 2, we present basic definitions of clock constraints, updates and updatable timed automata, generalizing the classical definitions of Alur and Dill. The emptiness problem is briefly introduced in Section 3. Section 4 is devoted to our undecidability results. In Section 5, we propose a generalization of the region automaton defined by Alur and Dill. We then use this procedure in Section 6 (resp. 7) to exhibit large classes of updatable timed automata using diagonal-free clock constraints (resp. arbitrary clock constraints) for which emptiness is decidable. A short conclusion summarizes our results.

For lack of space, this paper does not contain proofs, which can be found in [BDFP00a].
2 About Updatable Timed Automata

In this section, we briefly recall some basic definitions before introducing an ex-
2.1 Timed words and clocks

If $Z$ is any set, let $Z^*$ (resp. $Z^\omega$) be the set of finite (resp. infinite) sequences of elements in $Z$, and let $Z^\infty = Z^* \cup Z^\omega$.

In this paper, we consider $\mathbb{T}$ as time domain, $\mathbb{Q}^+$ as the set of non-negative rationals and $\Sigma$ as a finite set of actions. A time sequence over $\mathbb{T}$ is a finite or infinite non-decreasing sequence $\tau = (t_i)_{i \ge 1} \in \mathbb{T}^\infty$. A timed word $\omega = (a_i, t_i)_{i \ge 1}$ is an element of $(\Sigma \times \mathbb{T})^\infty$, also written as a pair $\omega = (\sigma, \tau)$, where $\sigma = (a_i)_{i \ge 1}$ is a word in $\Sigma^\infty$ and $\tau = (t_i)_{i \ge 1}$ a time sequence in $\mathbb{T}^\infty$ of the same length.

We consider an at most countable set $\mathcal{X}$ of variables, called clocks. A clock valuation over $X \subseteq \mathcal{X}$ is a mapping $v : X \to \mathbb{T}$ that assigns to each clock a time value. The set of all clock valuations over $X$ is denoted $\mathbb{T}^X$. Let $t \in \mathbb{T}$; the valuation $v + t$ is defined by $(v + t)(x) = v(x) + t$, $\forall x \in X$.
2.2 Clock constraints

Given a subset of clocks $X \subseteq \mathcal{X}$, we introduce two sets of clock constraints over $X$. The most general one, denoted by $\mathcal{C}(X)$, is defined by the following grammar:

$$\varphi ::= x \sim c \mid x - y \sim c \mid \varphi \wedge \varphi \mid \neg\varphi \mid \mathrm{true}, \qquad \text{where } x, y \in X,\ c \in \mathbb{Q}^+ \text{ and } \sim \in \{<, \le, =, \ne, \ge, >\}$$

We will also use the proper subset of diagonal-free constraints, denoted by $\mathcal{C}_{df}(X)$, where the comparison between two clocks is not allowed. This set is defined by the grammar:

$$\varphi ::= x \sim c \mid \varphi \wedge \varphi \mid \neg\varphi \mid \mathrm{true}, \qquad \text{where } x \in X,\ c \in \mathbb{Q}^+ \text{ and } \sim \in \{<, \le, =, \ne, \ge, >\}$$

We write $v \models \varphi$ when the clock valuation $v$ satisfies the clock constraint $\varphi$.
2.3 Updates

An update is a function from $\mathbb{T}^X$ to $\mathcal{P}(\mathbb{T}^X)$ which assigns to each valuation a set of valuations. In this work, we restrict ourselves to local updates, which are defined in the following way.

A simple update over a clock $z$ has one of the two following forms:

$$up ::= z :\sim c \mid z :\sim y + d, \qquad \text{where } c \in \mathbb{Q}^+,\ d \in \mathbb{Q},\ y \in X \text{ and } \sim \in \{<, \le, =, \ne, \ge, >\}$$

Let $v$ be a valuation and $up$ be a simple update over $z$. A valuation $v'$ is in $up(v)$ if $v'(y) = v(y)$ for any clock $y \ne z$ and if $v'(z)$ verifies:

$$\begin{cases} v'(z) \sim c & \text{if } up = z :\sim c \\ v'(z) \sim v(y) + d & \text{if } up = z :\sim y + d \end{cases}$$

A local update over a set of clocks $X$ is a collection $up = (up_i)_{1 \le i \le k}$ of simple updates, where each $up_i$ is a simple update over some clock $x_i \in X$ (note that it could happen that $x_i = x_j$ for some $i \ne j$). Let $v, v' \in \mathbb{T}^X$ be two clock valuations. We have $v' \in up(v)$ if and only if, for any $i$, the clock valuation $v''$ defined by

$$v''(x_i) = v'(x_i), \qquad v''(y) = v(y) \text{ for any } y \ne x_i$$

verifies $v'' \in up_i(v)$. The terminology "local" comes from the fact that $v'(x)$ depends on $x$ only and not on the other values $v'(y)$.

Example 1. If we take the local update $(x :> y,\ x :< 7)$, then it means that the value $v'(x)$ must verify $v'(x) > v(y) \wedge v'(x) < 7$. Note that $up(v)$ may be empty. For instance, the local update $(x :< 1,\ x :> 1)$ leads to an empty set.

For any subset $X$ of $\mathcal{X}$, $\mathcal{U}(X)$ is the set of local updates which are collections of simple updates over clocks of $X$. In the following, we need to distinguish the following subsets of $\mathcal{U}(X)$:
- $\mathcal{U}_0(X)$ is the set of reset updates. A reset update $up$ is an update such that for every clock valuations $v, v'$ with $v' \in up(v)$ and any clock $x \in X$, either $v'(x) = v(x)$ or $v'(x) = 0$.
- $\mathcal{U}_{cst}(X)$ is the set of constant updates. A constant update $up$ is an update such that for every clock valuations $v, v'$ with $v' \in up(v)$ and any clock $x \in X$, either $v'(x) = v(x)$ or $v'(x)$ is a rational constant independent of $v(x)$.
2.4 Updatable timed automata

An updatable timed automaton over $\mathbb{T}$ is a tuple $\mathcal{A} = (\Sigma, Q, T, I, F, R, X)$, where $\Sigma$ is a finite alphabet of actions, $Q$ is a finite set of states, $X \subseteq \mathcal{X}$ is a finite set of clocks, $T \subseteq Q \times [\mathcal{C}(X) \times \Sigma \times \mathcal{U}(X)] \times Q$ is a finite set of transitions, $I \subseteq Q$ is the subset of initial states, $F \subseteq Q$ is the subset of final states and $R \subseteq Q$ is the subset of repeated states.

Let $\mathcal{C} \subseteq \mathcal{C}(X)$ be a subset of clock constraints and $\mathcal{U} \subseteq \mathcal{U}(X)$ be a subset of updates; the class $\mathrm{Aut}(\mathcal{C}, \mathcal{U})$ is the set of all timed automata whose transitions only use clock constraints of $\mathcal{C}$ and updates of $\mathcal{U}$. The usual class of timed automata, defined in [AD90], is the family $\mathrm{Aut}(\mathcal{C}_{df}(X), \mathcal{U}_0(X))$.
A path in $\mathcal{A}$ is a finite or an infinite sequence of consecutive transitions:

$$P = q_0 \xrightarrow{\varphi_1,\, a_1,\, up_1} q_1 \xrightarrow{\varphi_2,\, a_2,\, up_2} q_2 \cdots, \qquad \text{where } (q_{i-1}, \varphi_i, a_i, up_i, q_i) \in T,\ \forall i > 0$$

The path is said to be accepting if it starts in an initial state ($q_0 \in I$) and either it is finite and ends in a final state, or it is infinite and passes infinitely often through a repeated state. A run of the automaton through the path $P$ is a sequence of the form:

$$\langle q_0, v_0 \rangle \xrightarrow[t_1]{\varphi_1,\, a_1,\, up_1} \langle q_1, v_1 \rangle \xrightarrow[t_2]{\varphi_2,\, a_2,\, up_2} \langle q_2, v_2 \rangle \cdots$$

where $\tau = (t_i)_{i \ge 1}$ is a time sequence (with the convention $t_0 = 0$) and $(v_i)_{i \ge 0}$ are clock valuations such that:

$$\begin{cases} v_0(x) = 0, & \forall x \in X \\ v_{i-1} + (t_i - t_{i-1}) \models \varphi_i \\ v_i \in up_i\big(v_{i-1} + (t_i - t_{i-1})\big) \end{cases}$$

Remark that any set $up_i(v_{i-1} + (t_i - t_{i-1}))$ of a run is non-empty.

The label of the run is the timed word $w = (a_1, t_1)(a_2, t_2) \cdots$. If the path $P$ is accepting then the timed word $w$ is said to be accepted by the timed automaton. The set of all timed words accepted by $\mathcal{A}$ over the time domain $\mathbb{T}$ is denoted by $L(\mathcal{A}, \mathbb{T})$, or simply $L(\mathcal{A})$.
Remark 1. A folklore result on timed automata states that the families $\mathrm{Aut}(\mathcal{C}(X), \mathcal{U}_0(X))$ and $\mathrm{Aut}(\mathcal{C}_{df}(X), \mathcal{U}_0(X))$ are language-equivalent. This is because any classical timed automaton (using reset updates only) can be transformed into a diagonal-free classical timed automaton recognizing the same language (see [BDGP98] for a proof). Another folklore result states that constant updates are not more powerful than reset updates, i.e. the families $\mathrm{Aut}(\mathcal{C}(X), \mathcal{U}_{cst}(X))$ and $\mathrm{Aut}(\mathcal{C}(X), \mathcal{U}_0(X))$ are language-equivalent.
3 The Emptiness Problem

For verification purposes, a fundamental question about timed automata is to decide whether the accepted language is empty. This problem is called the emptiness problem. To simplify, we will say that a class of timed automata is decidable if the emptiness problem is decidable for this class. The following result, due to Alur and Dill [AD90], is one of the most important about timed automata.

Theorem 1. The class $\mathrm{Aut}(\mathcal{C}(X), \mathcal{U}_0(X))$ is decidable.

The principle of the proof is the following. Let $\mathcal{A}$ be an automaton of $\mathrm{Aut}(\mathcal{C}(X), \mathcal{U}_0(X))$; then a Büchi automaton (often called the region automaton of $\mathcal{A}$) which recognizes the untimed language $\mathrm{Untime}(L(\mathcal{A}))$ of $L(\mathcal{A})$ is effectively constructible. The untimed language of $\mathcal{A}$ is defined as follows:

$$\mathrm{Untime}(L(\mathcal{A})) = \{\sigma \in \Sigma^\infty \mid \text{there exists a time sequence } \tau \text{ such that } (\sigma, \tau) \in L(\mathcal{A})\}$$

The emptiness of $L(\mathcal{A})$ is obviously equivalent to the emptiness of $\mathrm{Untime}(L(\mathcal{A}))$, and since the emptiness of a Büchi automaton on words is decidable [HU79], the result follows. In fact, the result is more precise: testing emptiness of a timed automaton is Pspace-complete (see [AD94] for the proofs).

Remark 2. From [AD94] (Lemma 4.1) it suffices to prove the theorem above for timed automata where all constants appearing in clock constraints are integers (and not arbitrary rationals). Indeed, for any timed automaton $\mathcal{A}$, there exists some positive integer $\delta$ such that for any constant $c$ of a clock constraint of $\mathcal{A}$, $\delta \cdot c$ is an integer. Let $\mathcal{A}'$ be the timed automaton obtained from $\mathcal{A}$ by replacing each constant $c$ by $\delta c$; then it is immediate to verify that $L(\mathcal{A}')$ is empty if and only if $L(\mathcal{A})$ is empty.
4 Undecidable Classes of Updatable Timed Automata

In this section we exhibit some important classes of updatable timed automata which are undecidable. All the proofs are reductions of the emptiness problem for counter machines.

4.1 Two counters machine

Recall that a two counters machine is a finite set of instructions over two counters ($x$ and $y$). There are two types of instructions over counters:
- incrementation instruction of counter $i \in \{x, y\}$:
  $p :\ i := i + 1;\ \text{goto } q$ (where $p$ and $q$ are instruction labels)
- decrementation (or zero-testing) instruction of counter $i \in \{x, y\}$:
  $p :\ \text{if } i > 0 \text{ then } i := i - 1;\ \text{goto } q \text{ else goto } q'$

The machine starts at the instruction labelled by $s_0$ with $x = y = 0$ and stops at a special instruction Halt labelled by $s_f$.

Theorem 2. The emptiness problem for two counters machines is undecidable [Min67].
4.2 Diagonal-free automata with updates $x := x - 1$

We consider here a diagonal-free constraints class.

Proposition 1. Let $\mathcal{U}$ be a set of updates containing both $\{x := x - 1 \mid x \in X\}$ and $\mathcal{U}_0(X)$. Then the class $\mathrm{Aut}(\mathcal{C}_{df}(X), \mathcal{U})$ is undecidable.

Sketch of proof. We simulate a two counters machine $M$ with an updatable timed automaton $\mathcal{A}_M = (\Sigma, Q, T, I, F, R, X)$ with $X = \{x, y, z\}$, $\Sigma = \{a\}$ (for convenience, labels are omitted in the proof) and equipped with updates $x := x - 1$ and $y := y - 1$. Clocks $x$ and $y$ simulate the two counters.

Simulation of an increment appears on Figure 1. Counter $x$ is implicitly incremented by letting the time run during 1 unit of time (this is controlled with the test $z = 1$). Then the other counter $y$ is decremented with the $y := y - 1$ update.

[Figure 1: Simulation of an incrementation operation over counter $x$. Transition labels surviving from the figure, from $p$ to $q$: $z = 0$; $z = 1,\ z := 0$; $z = 0,\ y := y - 1$.]

Simulation of a decrement appears on Figure 2. Counter $x$ is either decremented

[Figure 2: Simulation of a decrementation operation on the counter $x$. Surviving labels: states $p$, $q$, $q'$; guard $x = 0$ on the branch to $q'$.]

Remark that we never compare two clocks but only use guards of the form $i \sim c$ with $i \in \{x, y, z\}$ and $c \in \{0, 1\}$.

To complete the definition of $\mathcal{A}_M$, we set $I = \{s_0\}$ and $F = \{s_f\}$. The language of $M$ is empty if and only if the language of $\mathcal{A}_M$ is empty, and this implies undecidability of the emptiness problem for the class $\mathrm{Aut}(\mathcal{C}_{df}(X), \mathcal{U})$.
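The following is an added example, not code from the paper: a small executable checker for the run semantics of Sections 2.3 and 2.4 (local updates as membership tests $v' \in up(v)$, guards tested on $v_{i-1} + (t_i - t_{i-1})$, with $t_0 = 0$), applied to one reading of the increment and decrement gadgets of Figures 1 and 2 above. The exact shape of the gadgets (the intermediate states `p_wait`, `p_fix`, and the guard `z = 0 ∧ x > 0` on the decrementing branch) is an assumption reconstructed from the surviving figure labels and the proof sketch; action labels are omitted as in the proof, and the toy counter machine `A_M` is constructed here for illustration. Constants are exact rationals so that guards such as $z = 1$ are decided without floating-point error.

```python
# Added example (not from the paper): run-semantics checker for updatable timed
# automata (Sec. 2.3-2.4), exercising an assumed reading of Figures 1 and 2.
from fractions import Fraction as Q
import operator

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       "!=": operator.ne, ">=": operator.ge, ">": operator.gt}

def satisfies(v, guard):
    """v |= guard, a conjunction given as a list of atoms:
    ("x", op, c) is x ~ c;  ("x", "y", op, c) is the diagonal x - y ~ c."""
    for atom in guard:
        lhs = v[atom[0]] if len(atom) == 3 else v[atom[0]] - v[atom[1]]
        if not OPS[atom[-2]](lhs, atom[-1]):
            return False
    return True

def is_diagonal_free(guard):
    return all(len(atom) == 3 for atom in guard)

def in_update(v, up, w):
    """w in up(v) for a local update up = list of simple updates:
    ("z", op, c) is z :~ c;  ("z", op, "y", d) is z :~ y + d.
    Untouched clocks keep their value; every simple update on z must hold
    for w[z], so up(v) may be empty (Example 1)."""
    touched = {u[0] for u in up}
    if any(w[x] != v[x] for x in v if x not in touched):
        return False
    for u in up:
        target = u[2] if len(u) == 3 else v[u[2]] + u[3]
        if not OPS[u[1]](w[u[0]], target):
            return False
    return True

def check_run(clocks, transitions, states, vals, times):
    """Sec. 2.4 with t_0 = 0: v_0 = 0, guard i tested on v_{i-1} + (t_i - t_{i-1}),
    and v_i must lie in up_i of that valuation. transitions: (src, guard, up, dst)."""
    if any(vals[0][x] != 0 for x in clocks):
        return False
    prev_t = Q(0)
    for i in range(1, len(states)):
        t = times[i - 1]
        if t < prev_t:                      # time sequences are non-decreasing
            return False
        u = {x: vals[i - 1][x] + (t - prev_t) for x in clocks}
        if not any(satisfies(u, g) and in_update(u, up, vals[i])
                   for src, g, up, dst in transitions
                   if src == states[i - 1] and dst == states[i]):
            return False
        prev_t = t
    return True

# Assumed reading of the figures: x, y hold the counters; z forces each gadget
# to take either no time or exactly one time unit.
def inc_gadget(p, other, q):
    """Fig. 1: let exactly one unit elapse (both counter clocks grow by 1),
    then undo the growth of the other counter with other := other - 1."""
    wait, fix = p + "_wait", p + "_fix"
    return [(p,    [("z", "=", 0)], [],                        wait),
            (wait, [("z", "=", 1)], [("z", "=", 0)],           fix),
            (fix,  [("z", "=", 0)], [(other, "=", other, -1)], q)]

def dec_gadget(p, counter, q, q_zero):
    """Fig. 2: if counter > 0 then counter := counter - 1 goto q, else goto q_zero."""
    return [(p, [("z", "=", 0), (counter, ">", 0)], [(counter, "=", counter, -1)], q),
            (p, [("z", "=", 0), (counter, "=", 0)], [],                           q_zero)]

CLOCKS = ("x", "y", "z")
# Toy machine: s0: x := x+1 goto s1;  s1: if x > 0 then x := x-1 goto s2 else goto sf;
#              s2: if x > 0 then x := x-1 goto s1 else goto sf;  sf: Halt.
A_M = (inc_gadget("s0", "y", "s1")
       + dec_gadget("s1", "x", "s2", "sf")
       + dec_gadget("s2", "x", "s1", "sf"))

def simulate(wait):
    """Candidate run of A_M for the execution s0 -> s1 (x=1) -> s2 (x=0) -> sf,
    spending `wait` time units in the increment gadget. Only wait == 1 is a run:
    the guard z = 1 rejects any other delay, so x grows by exactly one."""
    def val(x, y, z):
        return {"x": Q(x), "y": Q(y), "z": Q(z)}
    states = ["s0", "s0_wait", "s0_fix", "s1", "s2", "sf"]
    vals = [val(0, 0, 0), val(0, 0, 0), val(wait, wait, 0), val(wait, wait - 1, 0),
            val(wait - 1, wait - 1, 0), val(wait - 1, wait - 1, 0)]
    times = [Q(0), Q(wait), Q(wait), Q(wait), Q(wait)]
    return check_run(CLOCKS, A_M, states, vals, times)

if __name__ == "__main__":
    assert all(is_diagonal_free(g) for _, g, _, _ in A_M)   # the Proposition 1 setting
    print("wait = 1  :", simulate(Q(1)))      # True
    print("wait = 1/2:", simulate(Q(1, 2)))   # False
```

Every guard used by `A_M` is of the form $i \sim c$ with $c \in \{0, 1\}$, as the proof remarks, and `in_update` implements the local-update definition literally, which is why the empty update $(x :< 1, x :> 1)$ of Example 1 rejects every candidate valuation.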
4.3 Automata with updates $x := x + 1$ or $x :> 0$ or $x :> y$ or $x :< y$

Surprisingly, classes of arbitrary timed automata with special updates are undecidable.

Proposition 2. Let $\mathcal{U}$ be a set of updates containing $\mathcal{U}_0(X)$ and (1) $\{x := x + 1 \mid x \in X\}$ or (2) $\{x :> 0 \mid x \in X\}$ or (3) $\{x :> y \mid x, y \in X\}$ or (4) $\{x :< y \mid x, y \in X\}$; then the class $\mathrm{Aut}(\mathcal{C}(X), \mathcal{U})$ is undecidable.

Sketch of proof. The proofs are four variations of the construction given for Proposition 1. The idea is to replace every transition labelled with updates $x := x - 1$ or $y := y - 1$ (framed with dashed lines on the pictures) by a small automaton involving the other kinds of updates only. The counter machine will now be simulated by an updatable timed automaton with four clocks $\{w, x, y, z\}$. We show how to simulate an $x := x - 1$ in each of the four cases:
(1) Firstly clock $w$ is reset, then the update $w := w + 1$ is performed until $x - w = 1$ (recall that $x$ simulates a counter and that we are interested in its integer values). Secondly, clock $x$ is reset and the update $x := x + 1$ is performed until $x = w$.
(2) A $w :> 0$ is guessed, followed by a test $x - w = 1$. Then an $x :> 0$ is guessed, followed by a test $x = w$.
(3) Clock $w$ is reset, $w :> w$ is guessed and the test $x - w = 1$ is made. Then clock $x$ is reset, $x :> x$ is guessed and the test $x = w$ is made.
(4) A $w :< x$ is guessed, followed by the test $x - w = 1$. Then an $x :< x$ is guessed, followed by a test $x = w$.
In the four cases, operations are made instantaneously with the help of the test $z = 0$ performed at the beginning and at the end of the decrementation simulation. Remark that in every case we use comparisons of clocks. We will see in Section 6 that classes of diagonal-free timed automata equipped with any of these four updates are decidable.

Let us end the current section with a result about mixed updates. Updates of the kind $y + c :\sim x :\sim z + d$ (with $c, d \in \mathbb{N}$) can simulate clock comparisons. In