Synthesis for a Weak Real-Time Logic

(1)

HAL Id: tel-00440829

https://tel.archives-ouvertes.fr/tel-00440829

Submitted on 11 Dec 2009

HAL is a multi-disciplinary open access

archive for the deposit and dissemination of

sci-entific research documents, whether they are

pub-lished or not. The documents may come from

teaching and research institutions in France or

abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est

destinée au dépôt et à la diffusion de documents

scientifiques de niveau recherche, publiés ou non,

émanant des établissements d’enseignement et de

recherche français ou étrangers, des laboratoires

publics ou privés.

To cite this version:

Omer Landry Nguena Timo. Synthesis for a Weak Real-Time Logic. Software Engineering [cs.SE].

Université Sciences et Technologies - Bordeaux I, 2009. English. �tel-00440829�

(2)

N

o

d'ordre :3931

THÈSE

PRÉSENTÉE À

L'UNIVERSITÉ DE BORDEAUX

ÉCOLE DOCTORALE DE MATHÉMATIQUES ET

D'INFORMATIQUE

Par Omer Landry Nguena Timo

POUR OBTENIR LE GRADE DE

DOCTEUR

SPÉCIALITÉ : INFORMATIQUE

SYNTHESE POUR UNE LOGIQUE TEMPS-REEL FAIBLE

(SYNTHESIS FOR A WEAKREAL-TIME LOGIC)

Soutenue le : 07Dé embre 2009

Après avis des rapporteurs :

Fran k Cassez ... Chargéde Re her he CNRS, HDR

François Laroussinie Professeur, Université Paris Diderot Paris7

Devant la ommission d'examen omposée de :

Mar Zeitoun ... Professeur, Université Bordeaux 1 ... Président du jury

Fran k Cassez ... Chargéde Re her he CNRS, HDR ... Rapporteur

François Laroussinie Professeur, Université Paris Diderot Paris7 ... Rapporteur

Didier Lime ... Maître de Conféren es, É ole Centrale de Nantes Examinateur

Igor Walukiewi z ... Dire teur de Re her he CNRS ... Dire teur de Thèse

André Arnold ... Professeur àla retraite ... Invité

(3)

(4)

(5)

(6)

Dans ette thèse,nous nous intéressonsà la spé i ation età lasynthèse de ontrleurs des

systèmestemps-réels.Lesmodèlespour essystèmessontdesEvent-re ordingAutomata.Nous

supposonsqueles ontrleurs observent touslesévènementsseproduisant danslesystèmeet

qu'ils peuvent interdirent uniquement des évènements ontrlables. Tous les évènements ne

sontpasné essairement ontrlables.

Une premièreétude estfaitesurlalogique Event-re ording Logi (ERL). Nousproposons

des nouveaux algorithmes pour les problèmes de véri ation et de satisfaisabilité. Ces

algo-rithmes présentent les similitudes entre les problèmes de dé ision ités i-dessus et les

prob-lèmes dedé isionsimilairesétudiés dansle adredu

µ

- al ul. Nosalgorithmes orrigentaussi desalgorithmesprésentsdanslalitérature.Lessimilitudesrelevéesnouspermettentdeprouver

l'équivalen eentreles formules de ERLetlesformulesde ERLen forme normaledisjon tive.

La logiqueERL n'étant passusamment expressive pour dé rire ertaines propriétés des

systèmes,enparti ulierdespropriétésdes ontrleurs,nousintroduisonsunenouvelle logique

WT

µ

. La logique WT

µ

est une extension temps-réel faible du

µ

- al ul. Nous proposons des algorithmes pourlavéri ationdessystèmeslorsquelespropriétéssont é ritesenWT

µ

.Nous identions un fragment de WT

µ

appeléWT

µ

pour le ontrle (

C

-WT

µ

). Nousproposons un algorithmequipermetdevériersiuneformulede

C

-WT

µ

possèdeunmodèle.Cetalgorithme n'a pasbesoin de onnaîtreles ressour es(horloges et onstantemaximale omparéeave les

horloges) desmodèles.

En utilisant

C

-WT

µ

omme langage de spé i ation des systèmes, nous proposons des algorithmes dedé isionpourle ontrle entralisé etle

∆

- ontrle entralisé.Ces algorithmes permettent ausside onstruire desmodèles de ontrleurs.

Mots- lés : Systèmestemps-réel, Event-Re ording automata,logique temps-réel,

satisfais-abilité, Event-Re ording Logi , méthodes formelles,véri ation, synthèsede ontrleurs.

Dis ipline : Informatique.

LaBRI,

Université Bordeaux1,

351, oursde laLibération,

(7)

real-time systems.OurmodelsforsystemsarekindsofEvent-re ording automata.Weassume

that ontrollersobserveallthe eventso urringinthesystemand an prevent o urren esof

ontrollable events.

WestudyEvent-re ordingLogi (ERL).Weproposenewalgorithmsforthemodel- he king

and the satisability problems of that logi . Our algorithms are similar to some algorithms

proposed for the same problems in the setting of the standard

µ

- al ulus. They also orre t earlier proposed algorithms. We dene disjun tive normal form formulas and we show that

every formulaisequivalent to aformulaindisjun tive normal form.

Unfortunately, ERLis rather weak and an not des ribe some interesting real-time

prop-erties, inparti ular some important properties for ontrollers. We dene a new logi thatwe

allWT

µ

.Thelogi WT

µ

isaweakreal-timeextensionofthestandard

µ

- al ulus.Wepresent analgorithmfor themodel- he king problemofWT

µ

.We onsiderafragmentofWT

µ

alled WT

µ

for ontrol (

C

-WT

µ

).We showthatthe satisabilityof

C

-WT

µ

isde idable. The algo-rithm thatwe proposefor de idingwhethera formulaof

C

-WT

µ

,hasamodeldoesnotneed to know the maximal onstant used in models and it enables the onstru tion of a witness

model.

Using

C

-WT

µ

,we present algorithms for a entralised ontroller synthesis problemand a entralised

∆

- ontrollersynthesisproblems.The onstru tionofwitness ontrollersisee tive.

Keywords: Real-timesystems,Event-Re ordingautomata,formalmethods,real-timelogi ,

µ

- al ulus, Event-Re ording Logi , satisability,model- he king, ontroller synthesis.

Dis ipline: Computer S ien e.

LaBRI,

Université Bordeaux1,

351, oursde laLibération,

(8)

Introdu tion 1

1 Preliminaries 15

1.1 Automata onWords . . . 15

1.2 Two PlayerParityGames and Multi-Parity Games . . . 17

1.3 The

µ

-Cal ulus . . . 18

1.3.1 Denitions andSemanti s . . . 18

1.3.2 Model-Che king andSatisabilityResults . . . 22

1.3.3 Disjun tive NormalForm . . . 23

1.4 Alternating TreeAutomata . . . 23

1.5 Frameworksfor Dis rete-TimeControl . . . 24

1.5.1 The Ramadge etal. Approa h. . . 25

1.5.2 The Arnoldet al.Approa h . . . 25

1.6 Frameworksfor Dense-TimeSupervisoryControl . . . 26

1.6.1 The TimedAutomata Model . . . 26

1.6.2 The Madhusudan etal.Approa hfor Automata Spe i ation . . . 28

1.6.3 The Laroussinieetal. Approa h for

L

ν

Spe i ation . . . 29

2 Timed Pro esses 33 2.1 Clo k,Valuation, Constraints . . . 35

2.1.1 Clo ksand Valuations . . . 35

2.1.2 Constraints . . . 35

2.2 Regions . . . 41

2.2.1 Regions for Diagonal FreeConstraints . . . 42

2.2.2 Regions for General Constraints. . . 45

2.3 Zonesand Dieren eBounded Matri es . . . 45

2.3.1 Zone and Representation. . . 45

(9)

2.4.3 Representations for TimedPro esses . . . 51

2.5 Produ tof TimedPro esses . . . 52

2.6 Rea habilityAnalysis. . . 53

2.6.1 Region-based Algorithms . . . 54

2.6.2 Zone-based Algorithms . . . 55

2.7 Diagonal ConstraintsCan BeSafely Removed . . . 58

2.8 Con luding Remarks . . . 60

3 Results on Event-Re ording Logi 61 3.1 Event-Re ording Logi . . . 63

3.1.1 Denitions . . . 63

3.1.2 Semanti s . . . 63

3.2 Model-Che king . . . 66

3.2.1 Abstra t Semanti s for Formulas . . . 67

3.2.2 Fixpoint Approximation . . . 69 3.2.3 Model-Che king Results . . . 70 3.2.4 Complexity . . . 71 3.3 Satisability . . . 72 3.3.1 Tableau . . . 72 3.3.2 Semanti s ofTableau. . . 76 3.3.3 Satisability Results . . . 77 3.3.4 Complexity Issues . . . 82

3.4 Comparison WithEarlierWorks . . . 82

3.4.1 Sorea's Semanti s for Timed Pro ess and ERLFormulas . . . 82

3.4.2 Sorea's Tableau Systemof Rules . . . 83

3.4.3 Existential ModalityMayCause Constraint Division . . . 83

3.4.4 Zone Approa hIs NotCorre t . . . 85

3.5 Disjun tive NormalForm . . . 87

3.5.1 Denition and Satisability Results. . . 87

3.5.2 TableauEquivalen e and Tableau WithBa kEdges . . . 88

(10)

4.1.1 Denitions . . . 94

4.1.2 Semanti s ofWT

µ

. . . 95

4.1.3 Restri tedLogi s:

W G

-WT

µ

and

C

-WT

µ

. . . 97

4.1.4 Re tangular Formulas . . . 98

4.1.5 Relation between ERLand WT

µ

. . . 99

4.2 Model- he king . . . 101

4.2.1 Abstra t Semanti s for Formulas . . . 101

4.2.2 Model-Che king Results . . . 102

4.3 Satisabilityof the

C

-WT

µ

Fragment . . . 103

4.3.1 Tableaux . . . 103

4.3.2 Satisability Results . . . 106

4.3.3 Existen e ofDeterministi Modelsfor Formulas . . . 108

5 Centralised Controller Synthesis using C-WT

µ

Spe i ation 111 5.1 ModalAutomataand ModalAutomata for Controller Synthesis . . . 113

5.1.1 Denition and Semanti s . . . 113

5.1.2 Model- Che king . . . 115

5.1.3 Restri tedModalAutomata:

W G

-MAand

C

-MA. . . 117

5.2 Automata andLogi . . . 118

5.2.1 FromFormulasto ModalAutomata . . . 118

5.2.2 FromModalAutomatato Formulas . . . 121

5.3 Quotient forAutomata . . . 123

5.4 Centralised Controller Synthesis for

C

-WT

µ

. . . 126

5.4.1 Centralised Controller Synthesis. . . 126

5.4.2 The

∆

-Dense-TimeControl Problem . . . 127

5.5 Con lusion. . . 129

Con lusion and Perspe tives 131 Bibliography . . . 133

(11)

(12)

Asystemis aset ofintera ting obje ts. We onsider omputerisedsystems,that aresystems

embedding omputationaldevi es.The roleof omputationaldevi es isto exe uteprograms.

Computerised systems in lude transformational systems ( lassi al systems whose inputs are

availableatthebeginningoftheexe ution,andwhi hdelivertheiroutputswhenterminating:

for instan e ompiler and bat h systems), and rea tive systems that rea t ontinuously to

their environment, at the speed determined bythe latter [HP85 ℄. Rea tive systemsmaintain

anongoingintera tionwiththeir environmentwhiletransformationalsystemsdonot.Intheir

turn, rea tive systems in lude intera tive systems (for instan e: World wide web browsers)

and real-time systems (for instan e ontrol systems). While deadlinesof omputations, tasks

or events an be o asionally missed in intera tive systems, they should not be missed in

real-time systems. Thus, the orre tness of a real-time system not only depends on logi al

intera tions thathappen init, butalso onthetime atwhi h intera tions (re eptionof inputs

or out omes ofoutputs) o ur.

Be ause the size of omputational devi es have shrank, they are embedded in physi al

obje tsthatthey ontrol.Controloperationsareoftentriggeredbyinternalorexternalsignals

and the results of omputations areused to introdu e motion inphysi al obje ts of systems.

In pra ti e, the ommuni ation between omputational devi es and the rest of the system

is realised using sensors that interpret physi al input and a tuators that introdu e motions

in the obje ts using results of omputations. Compa t disk players, mobiles phones, ars,

washingma hinesandplanesareexamplesofsystems.Forexamplethereisaround30program

instru tions in a washing ma hine and around one billion program instru tions in a mobile

phone.

A ording to the ar hite ture of systems, it is usual to onsider entralised systems and

de entralised systems.Centralised systems embed asingle omputationaldevi ewithasingle

program,whilede entralised systems embedmore than one omputationaldevi e orprogram

needingto ommuni ate to a hieve tasks in ludingthe ontrol ofphysi al devi es.

The design of programs and systems should be a rigorous taskand programs need to be

validated. The validation approa h that is widely onsidered onsist to test the systemwith

sometest ases.Thetest asesareoftengeneratedmanuallybythedevelopers.Thisvalidation

approa his not reliable.Indeed,test ases ould not overall theaspe tsof thesystems.For

example,thetest asesapproa hhadnotbeene ienttodis overedbugsinthephoneswit h

CCS7atManathan(1990),inthephone ommuni ationnetworkatParis(1998),intheAriane

ro ket(1999) [Fle02℄. Just imagine a riti al bug in the program that ommands the exit of

the wheelsof anairplane or insystemsembedded inautomated ars.

(13)

to orre tthem.Asolutionmay onsist to orre terroneouspartsofthesystem;ifoneisnot

able to orre t the system, a solution may onsist to start again the implementation of the

system.Anothersolutionmay onsistto ombinetheerroneoussystemwithanewoneinsu h

awaythatthe resulting systemdoesnot longer ontain bugs.

Inthisthesiswe onsiderthe orre tionproblemfor systems.Theabovemotivatestheuse

offormalmethods presented below.

Formal Methods

Itisoften the ase thatrequirements for systemsaredes ribedina natural languageby

us-tomers,andimplementationisperformedbyateamofengineers. Itshouldbe learthat,ifthe

requirementsare omplex,sowill alsobethesystem. But, thesimpli ityofthe requirements

isnot a guaranteefor thesimpli ityand the orre tness ofthesystems,asnatural languages

areoftenambiguous.Itis important to haveexa t languagestodes ribeproperties, exa t

methodstodesignsystems,exa t methodstovalidateor orre tsystems.Thesearethegoals

ofFormal methods thatin lude:

•

Test generation aims at providing methods for asserting that a system is orre t. It amountsto generation of a olle tion of test sequen es from a formal spe i ation and

a propertyto betested.

•

Proving orre tness amounts toprovidingaformalproof onthe orre tnessofasystem withrespe ttoapropertydes ribedinaformallanguage.Thismethodissemi-automati

asitisoftenthe asethatproverneedshumanintera tion (introdu tionofnewaxioms)

to terminates.

•

Model- he king isan automati method thatallows to he kwhether asystemsatises a given property.

•

Satisability/realisability provideste hniquesto he k whethera given property anbe fullled by at least one system. It also provide te hniques to onstru t a system that

satisesa givenproperty.

•

Controller synthesisdesigns ontrollers fora mainsystem( alledtheplant) sothatthe ontrolled system satisesa given property. It an be applied if the supervision of the

system an bedone bydisabling intheplant somea tions at theorigin ofthebugs.

All the lasses above aresomehow related. For example ontroller synthesis methods an

be useful when a given systemdoesnot satisfya property (test, proof, model- he king) and

whenthe ontrollers an be onstru ted automati ally (satisability).

We will onsider the ontroller synthesis method for the orre tion of real-time systems

whenthepropertiesaredes ribedwithaweak real-timeformallanguage.But,letusdis uss

some hallenges on erning the denition of models for systems and thedenition of formal

(14)

The Design of models and De ision Pro edures

Themain goalof formalmodels isto provide formalrepresentations for interesting real-life

situationsaswe arenot always interestedin alltheaspe ts ofsystems [HP85, Sif01℄.

Thedesignofmodelsforsystemsandpropertiesdependsoninterestingaspe tsofsystems

andthenatureofthepropertiesforsystems.Areweinterestedinthetimeatwhi havariation

o urs in systems (if so, models may expli itly mention information on the time)? Are we

interested only in the logi al o urren e of events? Are we interested in a ommuni ation

proto ol(ifso,amodelmayhavea queueformessage) orinrea tive systems(ifso, noqueue

isneededinthemodel).Thedesignofmodelsisbasedontheabstra tionrealisedoninteresting

aspe tsof systems.

We are most often interested in the representation of behavioural aspe ts of systems.

It is natural to think of behavioural aspe ts of systems as su essive observable variations

o urring in systems. Ea h variation may have a ause. Models for systems are abstra tion

of thevariations and the auses of the variations.An abstra tion of a variation ontains: an

abstra tion of starting ontrol point of the variation, an abstra tion of the ending ontrol

point of the variation and, an abstra tion of the ause of thevariation. Abstra t variations

areoften alledtransitions,abstra t ontrolpointsareoften alledstates and abstra t auses

of variations areoften alledevents.

To des ribe properties of systems, one an use natural languages; be ause they are

am-biguous,theyarenegle tedinfavorofformallanguageshavingexa tsemanti s.Thedesignof

modelsfor propertiesdependson themodelsfor systemsand thenature ofproperties forthe

models.Propertiesfor modelswill ombine properties onstatesand propertieson transitions

leading froma state(future-based properties) oron transitionsleading to astate(past-based

properties).Thestandardtypesofpropertiesforsystemsin luderea hability properties(some

situation anhappen),safety properties(somesituation willneverhappen),liveliness

proper-ties (some situationis unavoidable) fairness properties(somesituation will happen innitely

often) deadlo k-free properties (thesystemnever stop).

Whateveristhenatureandaspe tsofasystemandtheproperties,itisobviousthattheir

representations are useful in pra ti e only if we are able to provide de ision pro edures for

the validation and the orre tion problems in luding the model- he king, and the ontroller

synthesis.Themodels ofsystemsandthe languagestodes ribepropertiesareinthisway,the

result ofan arbitration between the expressive power (that is lassof systemsand properties

they an represent) , their su in tness enabling the representation of a big system with a

model of small size, and their simpli ity that makes their use easy and enables problems to

be ome de idable(existen e ofde ision pro edures).

For pra ti al issues, de ision pro edures need to be e ient and their implementation

should be easy. For theoreti al issues, it ould happen that we are interested in the

under-standing of models and their theoreti al properties. Then, we may not be interested in the

e ien y ofpro edures,but only inrelations withothers de ision pro edures.

Abstra tion of systems into models is the sour e of some problems in luding a non

de-terminism ofthe models,the (behavioral) equivalen e of models and theformalisationof the

notion of ombination of systems. A non determinism o urs ina model when two outgoing

transitions from a state an be triggered by the same event; this an happen if an event is

(15)

models for the same system, knowing whether they are equivalent an redu e the

omplex-ityof de ision pro edures when amodelis more tra table (forde ision pro edures)than the

others. Models of systems an be ombined in syn hronous mode or asyn hronous mode. In

syn hronous mode,atransitiono ursinthe ombinedsystemwhen fromtherespe tive

ur-rent state of ea h omponent of the ombination, itispossible totake atransition aused by

a same event. In asyn hronous model it is not required that the event happens at the same

time inall the omponents. Rea tivesystems areoften ombined insyn hronousmode.

Providing new languages for properties of systems raises fundamental problems of the

language theory in luding emptiness he king (does a property have a model?), in lusion

he king(isasetofmodelsofapropertyin ludedinasetofmodelsofanotherproperty),the

expressive poweroflanguages(what properties an bedes ribedwithagivenlanguage?) and

losurepropertiesunderoperationson languages(union, interse tion, omplementation). For

example, forthe losureunder omplementation, it ouldbeuseful andpra ti al thattheset

of systemsthat do not satisfya property an be des ribed with another property written in

the samelanguage; for the losureunderinterse tion, it ouldbeuseful thatthe onjun tion

oftwo properties an bedes ribed witha singleproperty ofthelanguage.

Formal Models for Rea tive Systems

A low level model for systemsis untimed transition system thatis just a olle tion of

transi-tions.Inthat model, atransition

s

a

−→ s

′

indi ates that inthestate

s

,thepro ess an move to the state

s

′

when the event

a

o urs. No expli it information on the time of the o ur-ren eoftheeventsarementioned.Untimedtransitionsystemshave beenextendedbyadding

a tripping ondition on the transitions. For probabilisti transition systems [PZ93 ℄, tripping

onditions are justprobabilisti laws. For timed transition systems (TTS) [HMP92℄,tripping

onditions are information on the time at whi h the event an o ur. In timed transition

systems,transitions are labelled either with a delay or by an event. Delay an range over a

dis rete domain (natural numbers for example) for dis rete time transition system or over a

densedomain (real numbersfor example) for dense time transition system.

Theproblemwiththelowlevelmodelsaboveisthattheyarenottra tableforautomation.

They annotberepresentedusinganitestru tureasthesetofstatesandthesetoftransitions

inamodel anbeinnite.Highlevel models that anberepresentedinanitewayhavebeen

developed.

There are two theoreti al approa hes for high-level modelling of systems. The algebrai

approa h [vG97℄ and the nite state transition systems based approa h. The semanti s of

highlevelmodelsisoftendes ribedusinglow-levelsmodels.Algebrai -basedmodels anoften

be translated into transition systems. Thus, they will not be onsidered here. We des ribe

belowdevelopment thathave been done forhigh-levelmodels inthetransitionsystemsbased

approa h.

Kripke stru ture or nite state automata [CCG00 ℄ are transition systems with nitely

manystates. Behaviours ofthe systems areasequen e oftransitions.

Durational Kripke stru ture (DKS)[Lar05 ℄ are somehow a generalisation of ideas behind

(16)

s

1 s

0 s

2 [2; 3], a

[3; 3], a

(a)ADKS

s

1 s

0 s

1 s

2

2 a

3 a

(b)JumpSemanti s

s

1 s

0 s

2

1

1 a

1

1 a

( )Semanti swithintermediarystates

s

1 s

0

1

1 a

s

2 a

a

(d)Continuouswithdelay

Figure1:ExampleofaDKS anditssemanti s.

Theyarekindsof nitestate automatahaving tripping onditions ontransitions.There

on-dition are integer interval. For example, a transition

s

[2,3],a

−→ s

′

asserts that the system an

move from

s

to

s

′

when iftheevent

a

o ursat 2, or 3 timeunits after thesystementerthe state

s

.Thenitisfundamental towonderabout thestatesofthesystem1,2,or 3timesunits afteritenterthestate

s

′

orthestateofthesystembetween1and2timesunits.Threedis rete

semanti s had been onsidered(see Figure1 forillustration):

1. the the jump semanti s.Inthis semanti s thesystemmovefrom astate

s

to

s

′

without

takinganyintermediarystate.Thus,thestatesofasystematthetimes

d + 1

,

d + 2

,

. . .

,

d + t − 1

arenotexpli itlyrepresentedwhen movingfrom

s

inthetime

d

tothestate

s

′

inthetime

d + t

.Heretimeprogresses butina dis rete way.

2. the ontinuous semanti s with intermediary states. Here, moving from

s

to

s

′

takes

t

timeunits and thesystemmoves throughintermediary statesbetween

s

and

s

′

.Allthe

rossed intermediary states have the same properties as

s

. This semanti s is not time deterministi but time elapse ontinuously. Then next rea hable state is hosen very

early inthe time.

3. the ontinuous semanti swithdelay.Thesystemletsthetimeelapseinits urrent state

before moving to another state. This semanti s is time deterministi and time elapses

ontinuously.Moreoverafterano urren eofanevent,thenextrea hablestateis hosen

late inthe time.

Timed automata [AD94 ℄ has been provided as powerful model to des ribe real-time

(17)

lo kvariables growwith thesamerate (theone of theuniversal time).Timed automata are

also a kind of timed extension of nite state automata. A transition

s

g,a,X

−→ s

′

is equipped

with a tripping onstraint

g

and a set of lo k

X

to be reset when the transition is taken. Thetripping onstraint ompares lo k variables withrational onstants. There istwo types

of omparisons: the omparison between asingle lo kandarational alleddiagonalfree

on-straint and the omparison of a dieren e between two lo ks and a rational alleddiagonal

onstraint. Clo ks areevaluated inthe dense-timedomain (setof positive real number). The

ontinuous semanti s of a high level transition

s

g,a,X

−→ s

′

is a set of low level transitions of the forms

(s, v)

t

−→ (s, v + t)

or

(s, v)

a

−→ (s, v[X := 0])

(

v

represents a valuation of the lo ks,

t

represent a delay,

v + t

returns the value ofthe lo ks after thedelayand

v[X := 0]

return the values of the lo ks after the reset of all the lo k in

X

). A low level transition

(s, v)

−→ (s, v[X := 0])

a

o urs only if the value of the lo ks represented by

v

satises the ondition

g

.We remarkthat sin e their introdu tion byAlurand Dill, timed automata have been extended to interesting models su h as hybrid automata [Hen96℄, updatable timed

au-tomata [BDFP04 ℄.

Event-re ordingautomata[AFH99℄modelhasbeenintrodu edasarestri tedformoftimed

automata. The main dieren e between Event-Re ording automata and timed automata is

that ea h lo k is asso iated to a unique event and the unique lo k to be reset when a

transitionistakenis the lo kasso iatedto theevent on thattransition.

Formal Des ription of Properties

Low level models are widely used to represent the semanti s of high level models.

Lan-guages to des ribed properties must be interpreted on transition systems models. Formal

languages [Koy90, AH94, HR04℄ enable exa t des ription of linear-time properties (that are

properties on the possible exe utions) and/orbran hing-time properties (that are properties

on states whi h may have several possible futures). They also des ribe either properties on

untimedsystems or properties on timedsystems.

As it is dis ussed in [EH83 ℄, the use of linear or bran hing time spe i ation languages

depends on the underlying nature of time. The use of linear time language is based on the

hypothesis that ea h moment (present time) has a unique future time while, when using

bran hing time languages, we impli itly assume that the future of a present time ould be

dividedinto alternative future times. Alternation an beobserved innon deterministi

mod-els as an event an be the sour e of two alternative transitions. Bran hing-time languages

allowto hara terize interesting behavioral relations between systemssu h assimulationand

bisimulation[Par81 ℄; theyaresometimes preferredto linear-time languages.

The development of formal languages to des ribe properties has been done in two main

dire tions: The logi al dire tion that provides logi al languages and the automata-based

di-re tion. We present here some relevant languages for untimed systems followed with some

relevant languagesfor real-time (timed) systems.

Theautomataapproa h Automata,thatareKripkestru turesequippedwithasetof

a - eptingsequen es oftransitions, anbeusedtodes ribeasystemanditsproperties.AKripke

(18)

de laredgood orbad a ordingtowhethertheybelongtoana eptan e ondition(Rabin,

Parity, et ...). Thus, automata [Tho90℄ are kinds of devi es re ognising set of words, set of

trees,or set oftransitionsystems.Automata on wordsare usedto des ribe linear-time

prop-erties and automata on trees, inparti ular alternating automata on trees, are often used to

des ribebran hing-time properties.

Usual methods for emptiness he king and universality he king for automata-based

languages onsist to he k whether some states are rea hable. Forward or Ba kward state

exploration algorithms areoftenused. The losure under booleanoperations usuallyinvolves

the onstru tion ofnew automata.

Were allsomeresults on erningsomeimportantproblemsonautomata-basedlanguages.

Finitestateautomataonwordsandevent-re ordingautomataontimedwordsare losedunder

all booleanoperations andthelanguage in lusion testingproblemisde idable. The language

in lusion testingproblemfor theseautomataisalso de idable.Timed automata onwordsare

not losedunder omplementation andlanguagein lusiontestingproblemisunde idable.The

languageemptinesstestingproblemforalltheaforementionedautomataonwordsisde idable.

Alternating automata on trees (or transition systems) are losed under boolean operations,

their emptiness andtheir in lusion testingproblem isalso de idable.

The logi al approa h Herearesome important languagesthat have beendeveloped.

Linear-temporal Logi (LTL)isalinear-time temporallogi introdu ed byPnueli [Pnu77,

LPZ85℄for untimedsystems.LTLenables thedes riptionof properties ona single exe ution

of thesystem or sequen e of transitions. But itis not possible to des ribe a property of the

form on all the exe utions of a system it is always true that there existsan exe ution that

satisesa property.

TheComputational Tree Logi (CTL[CE82 ℄,CTL

∗

[EH83℄) arebran hing-timelogi s for

untimedsystems. Theyallow quanti ation (existential or universal) on transitions outgoing

fromstatesofmodels.FormulasofCTL

∗

andCTL arenotinterpretedoverindependentsetof

exe utions (sequen e of transitions) but over a tree-like stru ture representing a dependen e

between exe utions.

The Hennessy-Milner logi was introdu ed by Hennessy and Milner [HM80℄ for untimed

systems(initially represented withtheCCS algebrai representation). Thislogi in lude two

important modal operators

hai

and

[a]

. A state

s

of a system satises

haiϕ

when there is at least one outgoing transition

s

a

−→ s

′

su h that the target

s

′

satises theproperty

ϕ

. A state

s

of asystemsatises

[a]ϕ

whenfor alloutgoing transitions

s

a

−→ s

′

,thetarget state

s

′

satisesthe property

ϕ

.A weakness of the Hennessy-Milner logi is thatit an not be used todes ribedfairness or liveliness properties.

The

µ

- al ulus introdu ed by Kozen [Koz82 , AN01℄ is an expressive logi whi h extends the Hennessy-Milner Logi [HM80℄ by onsidering thegreatest (

ν

) andleast (

µ

) xpoint op-erators. Fixpoint operatorsareusefultodes riberea hability,fairnessor livelinessproperties.

The

µ

- al ulus is more expressive than CTL and CTL

∗

. Formulas of the

µ

- al ulus in ludes arbitrarynestedxpoints.Thepowerofnestedxpointhadbeendemonstrated[Bra98 ,BL05 ℄;

inparti ular theyareusedto des ribe properties su has:anevento ursinnitelyoften or

(19)

the

µ

- al ulusarede idable.The

µ

- al ulus isasexpressiveasalternatingautomata ontrees. The metri temporal logi (MTL) [Koy90℄ is a timed linear-time temporal logi whi h

extendsLTLwithtiming onstraints.For instan e,withMTL,itispossibleto writeaformula

expressingthat a request

p

is always followed one timeunit later bya response

q

.There are tra tablefragmentsofMTLthathadbeen onsideredlikeSafety-MTL[OW06b ℄whi himpose

boundonthemodalityonthefutureandMITL [AFH96℄whi hdisallowspun tual onstraints

some modality ofthefuture.

TimedComputationalTreeLogi (TCTL)[ACD93 ℄isanextension ofCTLthatexpli itly

mentions the information on thetime.

Timed Modal Logi (TML) and Extended Timed Modal Logi (ETML) are timed logi

proposed by Larsen etal. [HLY91 ℄ to des ribe properties of pro esses expressed in the

real-time pro ess al ulus TCCS of Wang [Yi90 ℄. Among properties that an be handled with

these logi an important property for real-time pro esses is the ne essity modal operator on

time delays that enables to des ribe a property like After a oin has been inserted, oee

will be ontinuously available for 30 se onds. TML is an extension of the Hennessy-Milner

Logi [HM80℄whi h onsidersmodalitiesoftheform

hai

∃I

ϕ

,

hai

∀I

ϕ

,

[a]

∃I

ϕ

,and

[a]

∀I

ϕ

where the semanti s of

I

isa delayinterval,

a

is ana tion and

ϕ

aformulaand .A formula

hai

∀I

ϕ

spe iesapropertywhi hholds invariably foralltime-delaysin

I

;asystemthatsatisesthis formula is su h that any state rea hed after a time-delay within

I

must have a

a

-su essor satisfying

ϕ

. Aformula

hai

∃I

ϕ

spe ifyapropertywhi hholds eventuallyfor some time-delay in

I

.Operator ofthe form

[a]

∃I

ϕ

and

[a]

∀I

ϕ

aredened byduality. Then, Larsen etal. have shown that if

I

is dened with a rst-order assertion, then the model- he king of TML is de idable. ETML isa fragment of TMLinwhi h timeintervals arenot spe ied.In[HLY91 ℄

the model- he king and the satisability ofETMLis leftopen.

The logi

L

t

µ

has been introdu ed by Sokolsky et al. [SS95 ℄. The logi

L

t

µ

is a timed extensionofthe

µ

- al ulus;itenablesthedes riptionofsafetyandlivelinesspropertiesof real-timesystems.Themodel- he kingof

L

t

µ

isshownde idablein[SS95 ℄.Thelogi

L

t

µ

supportsall originaloperatorsof the

µ

- al ulus aswell astwo newtimemodalities(ne essity/universality and possibility/eventuality of time su essors) also used in [HLY91 ℄. But

Lµ

t

formulas are

alternation free asthefragment ofthe

µ

- al ulusstudied in [SS94 , BC96 ℄,whi h meansthat in every

L

t

µ

formula the level of mutually re ursive greatest and least xpoint operators is one (arbitrary nested xpoint is not authorized). The lo al model- he king algorithm for

L

t

_µ

[SS95 ℄ uses quotients of lo ks values asdened by Alurand Dill [AD94℄. As this model- he king algorithm is lo al, the whole state spa e need not be explored and renements of

thequotient are arriedonly whenne essaryto satisfy lo k onstraints intheformulaorthe

timedautomatonusedto represent thesystemunderinvestigation.

The logi

L

ν

[LLW95 ℄ has been onsidered by Laroussinie et al.. It is a fragment of the logi

T

ν

[TXJS92 ℄ introdu ed by Henzinger et al.; it allows to des ribe properties on timed automata. Formulas of

L

ν

use also ombined modalities on events of the lassi al

µ

- al ulus withmodalitieson time-delays.Thelogi

L

ν

onsiders thegreatestxpoint operator;it does not onsiderthe leastxpointoperator.Thelogi

L

ν

issu iently expressive for hara teris-ingtimed automata (behavioral hara terisation) [Cer93 ,SI94, IPPA00 ℄.For a given timed

automata, itispossible to onstru ta

L

ν

hara teristi formula. Thesatisabilityproblemof

L

ν

have been leftopen in[BCL05 ℄.

(20)

EventClo kTL is an extension of LTL with event-re ording and event-predi ting operators.

The satisabilityproblem ofEventClo kTL have been shownde idable.

Event-re ording Logi (ERL) is a timed extension of the

µ

- al ulus introdu ed by Sorea [Sor02 ℄ and itis usedto des ribe properties on systemsmodelled withevent-re ording

automata. ERLismoreexpressivethantheevent-re ording partofEventClo kTL sin eit

in- ludesarbitrarynestedxpoints.Theextension onsistinaddingtiming onstraintsinmodal

operatorsobtainingmodaloperatoroftheform

hg, ai

and

[g, a]

.For example,aformulaofthe form

hh

b

< 3, ai

expressesthefa tthatthe event

a

musto urat most

3

timeunitsafterthe lo k

h

b

hasbeen reset (re all thatthe lo k

h

b

isreset only afteran o urren eofthe event

b

).Ade ision pro edure forthesatisabilityproblemof ERLis provided in [Sor02 ℄.

Let us omment some te hniques usedto solve some problems on logi al languages. The

losure properties are often a onsequen e of their denitions. Indeed most of the logi al

languagesusebooleanoperators(logi al"and"operator(

∧

)forthe losureunderinterse tion, logi al"or"operator (

∨

)for the losureunderunion, and logi al"negation" operator (

¬

) for the omplementation). Dualityisoftena fundamental prin iple oflogi al languages.

The emptiness testing of logi al languages is also alled the satisability problem. A widely

used method for temporal logi is the tableau method. Tableau systems were rst developed

byGentzen assynta ti al devi esfor modallogi s[Gen34 ℄.Tableausystems benetfromthe

stru ture of the properties to de ompose their satisability he king into the satisability

he king of smaller properties. It has been shown that there exists an intimate relationship

between tableaux andautomata overtrees [Eme85 ℄.

Whatever is their forms (automata or logi ), languages on the same models need to be

ompared.To omparetwolanguages,itis ommontoprovideexampleofpropertiesthat an

be des ribed with only one of the two languages and it is ommon to show how properties

written inone of thetwo languages an be rewrittenintheother language.

Methods and Algorithms for the Model- he king

Te hniquesfor the model- he king ofsystemshave been developed depending onmodels and

the spe i ations.Mostof these te hniqueswork on lowlevelmodels.

There aretwo basi strategies whendesigning amodel- he king algorithm: Global

algo-rithms thatarere ursive onthestru ture ofthespe i ation andevaluateea hofpartofthe

spe i ation over the states ofthe transitionsystem. Lo al algorithms, in ontrast, explore

onlypartsofthestatesspa eofthesystem,but he kallpartsofthespe i ation.The hoi e

of lo al or global algorithm does not ae t the worst- ase omplexity of model- he king

al-gorithms. Model- he king algorithms areoften presented intheformof tableau [Eme85 ℄ and

they useresults ontwo player games.

Inorderto provide e ient model- he king algorithm, somete hniques toredu e thesize

of models have been developed [Mer01℄in luding, symboli te hniques and abstra tion based

te hniques. Symboli te hniques onsist in en odingset of states using ompa t obje ts su h

as logi al formulas or e ient data stru tures [GV08℄ su h as Binary De ision Diagrams,

Dieren e BoundMatri es,Clo kDieren e Diagrams.

(21)

•

The setting of Kripke Stru tures. Themodel- he king of systems modeled withKripke stru tures has been widely investigated for linear-time properties (LTL [Var07 ℄) and

Bran hing-time Properties (CTL and CTL

∗

[LS01℄, the

µ

- al ulus [SE89 ℄). The te h-niquesaforementionedhavebeenusedandimplementedintoolssu hasSMV[CCG

+

02 ℄,

MEC 5[GV04 ℄,Lustre [CPHP87 ℄ and SPIN[Hol97℄.

•

Thesettingoftimedautomata.Abstra tionbasedte hniqueshavebeenprovidedforthe rea hability of timed automata. These te hniques in lude region abstra tion and

zone-based abstra tion. They onsistinpartitioningtheinniteset ofstatesof thesemanti s

into nite sets of abstra tion lasses. Region and zone-abstra tion based te hniques

have also been deployed for other types of properties. This te hniques have been used

for the model- he king of TCTL [TXJS92℄, the model- he king of MTL and its

frag-ments [OW05 ,OW06a ,AH93,OW06b ,AFH96℄, themodel- he king ofTML[HLY91 ℄,

ETML [HLY91 ℄,

L

t

µ

[SS95 ℄,

L

ν

[LLW95 ℄ and Event-Re ording Logi [Sor01 , Sor02 ℄. Tools implementing model- he king algorithms for real-time systems in lude

Kro-nos [BDM

+

98℄,Uppaal [BLL

+

96 ℄, Hyte h[HHWT97℄, Cm [LL98 ℄,Tempo [Sor01 ℄and

PHAVer[Fre05 , Fre08 ℄.

Methods and Algorithms for the Controller Synthesis

We re all that the supervisory ontrol problem, as introdu ed by Ramadge and W

on-ham [RW89℄, asks whether a given system alled a plant an be ontrolled with another

system alleda ontroller insu hawaythattheresultingsystem alledthe ontrolledsystem

satisesthegiven ontrol obje tive. The synthesisproblem askswhether a witness ontroller

anbe ee tively omputed.

The ontroller synthesis ( ontrol + synthesis) problem is studied depending on theoreti al

assumption made on the systems. These assumptions on ern the nature of the events in

systems,thear hite ture of systemsand the natureof properties.

The notions of ontrollability, observability, distinguishability are often onsidered. The

notion of ontrollability is based on theassumption that some events of the systems an be

disable( ontrollableevent)andtheothers annot.Thenotionofobservabilityisbasedonthe

assumption that ontroller an not observe all the events that happen in the systems. This

notion onsiders observable eventsand unobservable events. The notion of distinguishability

reliesonthefa tthata ontrollermaynotabstra ta auseofavariationinthesamemanner

asthesystem; then, it ould happen thato urren es ofsome events inthe systems an not

bedistinguishedbythe ontrollers.Relyingonthe ar hite tureofthesystems,the entralised

supervisory ontrol isopposedtothede entralised(distributed) ontrol.The entralised

super-visory ontrolof a systemis a hieved bya unique ontroller whileinthe de entralised ases,

more than one ontroller an be ombined with the plant to meet the ontrol obje tives. It

is usual to distinguish internal ontrol obje tives from external ontrol obje tives. Internal

ontrol obje tivesrefertostatepropertieswhileexternal ontrol obje tivesrefertoproperties

onsequen es of events.

Let us re all some previous works on the ontroller synthesis for dis rete event systems

anddense-time systems.

(22)

systems. In their setting, a plant and ontrollers are deterministi nite state automata;

the notion of ontrollability is also onsidered. The external ontrol obje tive is either a

rea hability or a safety property. Manyauthors [PR05, BK06 , AVW03, AW07℄ have

onsid-ered the supervisory ontrol of dis rete event systems modeled with nite state automata

when the ontrol obje tives are des ribed with a

µ

- al ulus formula. These extensions of the works of Ramadge and Wonham use the expressive power of the

µ

- al ulus to des ribe more general properties for supervised systems and ontrollers. They onsider the notion

of ontrollability, observability, and distinguishability and the entralised and de entralised

supervisory ontrol problems. They use a so- alled quotient based method that provide

powerful quotient operation for the division of properties by systems and the division of

properties by properties. In the works of Arnold et al. [AVW03, ABPV05, AW07℄, the

division operation works for disjun tive normal form formulas and the omputation of

witness ontrollers is ee tive (winning strategy intwo player parity game) for some lasses

of de idable supervisory ontrol problems. In parti ular, Arnold et al. [AW07℄ have shown

that the supervisory ontrol problem is de idable under the three following onditions: at

most one ontroller isnon deterministi ; all but one spe i ation of ontrollersaresimple (a

simple spe i ation does not des ribe observability and distinguishability onditions); and

the spe i ationof the nondeterministi ontroller issimple.

The entralised dense-time version of the supervisory ontrol has been investigated and

solved in [AMP95℄. In that investigation, Maler et al. onsider timed automata models,

un-timed ontrol obje tivesandthenotionof ontrollability.Theyprovideanalgorithmtode ide

whetheradis rete ontroller exists,andshowthatiftheanswerispositive,awitness ontroller

anbe ee tively omputed. The ontrol obje tive is area habilityor a safetyproperty.

D'Souza and Madhusudan [DM02℄ have also onsidered the entralised dense-time

supervi-sory ontrol fortimedautomatawhentheexternal ontrolobje tiveisdes ribedwithatimed

automaton. They also onsider the notion of ontrollability. For de idable ases of ontrol,

D'Souzaand Madhusudansynthesise ontrollerswitha priory limit ontheir resour es

(num-berof lo ks,powerof the ontrollers to observe lo ks). Madhusudan et al. [BDMP03 ℄ had

extended the frameworks of D'Souza and Madhusudan by onsidering the notion of partial

observability.

Bouyer et al. [BBC06 ℄ have investigated entralised dense-time supervisory ontrol of timed

automatawhentheexternal ontrolobje tive isdes ribedwiththelogi MTL. They onsider

notionsof ontrollabilityandthey provide de idabilityresults whenthereisalimitonthe

re-sour esof ontrollers.Controllersarejustwinningstrategiesinsometwoplayerparitygames.

Laroussinie et al. [BCL05 ℄ have onsidered the entralised supervisory ontrol problem for

timedautomatamodelswith

L

ν

whenthesetofeventsispartitioned intoasetof ontrollable events and a set of un ontrollable events. They present how to de ide the existen e of

on-trollerforsomedeterministi fragmentof

L

ν

,butthepro eduredoesnotsayhowto onstru t a witness ontroller.

Contributions of this Thesis

We onsider ontroller synthesis for real-time systems that an be ombined in syn hronous

(23)

TheframeworkofArnoldetal.[AVW03,ABPV05 ,AW07℄,basedonnitestateautomata

and the

µ

- al ulus, is a powerful framework for the ontroller synthesis of untimed systems. This workproposes methods to de ide theexisten eof ontrollers andmethods tosynthesize

ontrollers. For timed systems,Laroussinie etal. [BCL05 ℄ have provided an extension to the

frameworkofArnoldetal.astheyhave onsideredtimedautomatamodelsforsystemsandthe

logi

L

ν

to des ribe ontrol obje tives. The method intheLaroussinie etal. framework only de ides theexisten eofa ontroller anddoesnot provide amethod to synthesise ontrollers.

Our goalinthis thesis isto nd a lassof timedmodels weaker than the lass oftimed

automata, to use a weak real-time extension of the

µ

- al ulus for providing a powerful frameworkfor the ontroller synthesis ofreal-time systems.We alsohopeto reuse te hniques

of theframework of Arnoldetal.

Westartourinvestigationwithevent-re ordingautomataasmodelsforsystemsand

Event-Re ordingLogi (ERL)aslanguagetodes ribeproperties.Wepresentnewde isionpro edures

forthemodel- he kingandthesatisabilityofERL.Wealsopresentadisjun tivenormalform

theorem for ERL. We show thatERL is not expressibleenough to des ribe useful properties

of timed pro esses, espe ially some interesting properties for ontrollers. For instan e, with

the modalities of ERL we are not able to des ribe a property of theform an event an be

ompletedat anymoment thatsatisesatiming onstraint.

Then,weintrodu eanewlogi thatwe allWT

µ

whi hisalsoaweak real-timeextension ofthe

µ

- al ulus. WeshowthatWT

µ

ismore expressivethatERL.We onsiderfundamental problems on WT

µ

namely: themodel- he king and thesatisability problems.We showthat the model- he king problem of WT

µ

is de idable. For the satisability, we onsider a frag-ment of WT

µ

alled

C

-WT

µ

(WT

µ

for the ontrol). We provide a de ision pro edure for a satisabilityproblemof

C

-WT

µ

formulas.That pro edureworkswithoutanyinformation on the maximal onstant of the models. It also shows how to onstru t a witness model for a

satisable formula.

We present de ision pro edures for the entralised and the

∆

-dense-time entralised on-trollersynthesisproblems when the ontrol obje tives aredes ribed with

C

-WT

µ

formulas.

Organisation of this Thesis

InChapter 1 we present basi notions that we use later in the thesis. These notions in lude

alternatingautomataontrees,two playerparitygames,the

µ

- al ulus,thelogi

L

µ

andsome frameworksto the ontroller synthesis.

In Chapter 2, we present models for real-time systems and some fundamental problems

about thesemodels.Ourmodel,thatwe alltimed pro ess isnothing elsebutevent-re ording

automata (without an a eptan e ondition). We present the rea hability analysis in that

model using well know region abstra tion te hniques and zone abstra tion te hnique. We

present howto remove diagonal onstraintsinthe modelwithout hangingtheir behavioural

properties.

In Chapter 3, we present Event-Re ording Logi (ERL for short). We onsider

funda-mental problems about that logi : the model- he king problem, the satisability problem,

the disjun tivenormal formproblem. Therst two problemshave been onsidered earlier by

(24)

theyalso enableto reusesome algorithms forthesame problems forthestandard

µ

- al ulus. We provide a disjun tive normal form theorem for ERL formulas. We show that the

algo-rithmof Sorea[Sor02 ℄for thesatisability he king isambiguous andisnot orre tin aseof

diagonal onstraints.

The Chapter 4 introdu es the new logi WT

µ

. There, we dene WT

µ

and we show that WT

µ

is more expressive than ERL as any formula of ERL an be translated into equivalent formulaofWT

µ

andsomeformulasofWT

µ

annotbetranslatedintoformulasofERL.WT

µ

enablesades riptionofsomeinterestingpropertiesinparti ularsomepropertiesof ontrollers.

Then we onsiderthe model- he king andthesatisabilityproblemsfor WT

µ

.We showthat the model- he king of WT

µ

is de idable. We introdu e

C

-WT

µ

as a de idable fragment of WT

µ

.Our de isionpro edure forthesatisabilityof

C

-WT

µ

shows howto onstru t models for satisable formulas.

The entralised andthe

∆

-densetime entralised ontroller synthesisproblemsare onsid-ered inChapter 5. Formulas are di ult to handle be ause they use xpoint operators. We

introdu emodalautomatathatareakindofalternatingautomata.Modalautomataare

inter-pretedovertimedpro esses.We denethe quotient ofmodalautomata overtimedpro esses.

Then,we onsiderasub lassofmodalautomata thatwe allmodalautomata for ontrol(

C

-MA).Weshowthata

C

-MAautomaton anbe translatedintoanequivalent

C

-WT

µ

formula andre ipro allya

C

-WT

µ

formula anbetranslatedintoanequivalent

C

-MAautomaton.At the end of this hapter, we show that the two aforementioned ontroller synthesis problems

(25)

(26)

Preliminaries

This hapterpresentssomeframeworksforthesupervisory ontrolproblemofdis retesystems

anddense-time systems.

Firstofall,we re allsomedenitions andresults on erningtransitionsystems,automata

on words, the standard

µ

- al ulusand automata ontransitionsystems.Then, we presentthe frameworks of Ramadage and Wonham [RW89℄, Arnold et al. [AVW03, ABPV05, AW07℄,

D'Souzaand Madhusudan[DM02℄and Laroussinieetal. [BCL05 ℄.

1.1 Automata on Words

Inthisse tion wepresent basi notions thatin lude labelled transitionsystems,bisimulation

relation,(Bü hi, Rabinand Parity) a eptan e onditions andautomata on words.

Denition 1 A word overan alphabet

Σ

isa sequen e

w = w

0 .w

1 . . .

ofsymbolsin

Σ

.

Σ

∗

is

the setof nitewords over

Σ

,and

Σ

ω

is thesetof innitewordsover

Σ

.

For a word

w

, the number of o urren es of the letter

a

in

w

is denoted by

|w|

a

. Given

w ∈ Σ

ω

,we onsider the set

Inf (w) = {a ∈ Σ | ∀i∃j > i w

j

= a}

ofsymbolsin

Σ

o urringinnitely oftenin

w

.

Denition 2 A labelled transition system overan alphabet

Σ

(ora

Σ

-labelled transition sys-tem forshort)isatuple

S = hS, Σ, s

0 _{, ∆}

S

i

where

S

isasetofstates,

s

0 _{∈ S}

istheinitial state

and

∆

S

⊆ S × Σ × S

is a transitionrelation. A

Σ

-labelled transition systemis deterministi if

∆

S

isa partialfun tion

∆

S

: S × Σ → S

.

We oftenwrite

s

a

−→ s

′

insteadof simplythetransition

(s, a, s

′

_{) ∈ ∆}

S

. A nite labelledtransition systemisa systemwithnitelymany states.

Denition 3 A produ t of two

Σ

-labelled transition systems

P = hP , Σ, p

0 _{, ∆}

P

i

and

S =

hS, Σ, s

0 _{, ∆}

S

i

is the

Σ

-labelled transition system

P × S = hP × S, Σ, (p

0 _{, s}

0 _{), ∆}

P×S

i

where

(p, s)

−→ (p

a

′

, s

′

)

ifandonly if

p

a

−→ p

′

and

s

a

−→ s

′

.

(27)

Wedenetwobehavioralrelationsbetweenlabeltransitionsystems.Theserelations, alled

simulation andbisimulation, havebeenintrodu ed byPark [Par81℄.Let

S

1 = hS

1 , Σ, s

0

1 , ∆

S 1

i

and

S

2 = hS

2 , Σ, s

0

2 , ∆

S 2

i

be two labelled transitionsystems.

Denition 4 A simulation between

S

1

and

S

2

isa relation

R ⊆ S

1 × S

2

su h thatwhenever

s

1 Rs

2

and

a ∈ Σ

,then:

•

If

s

1 a

−→ s

′

₁

thenthere exists

s

′

2 ∈ S

2

su h that

s

2 a

−→ s

′

₂

and

s

′

1 Rs

′

2

.

Denition 5 Abisimulation between

S

1

and

S

2

isarelation

R ⊆ S

1 × S

2

su hthatwhenever

s

1 Rs

2

and

a ∈ Σ

,then:

•

If

s

1 a

−→ s

′

1

thenthere exists

s

′

2 ∈ S

2

su h that

s

2 a

−→ s

′

2

and

s

′

1 Rs

′

2

.

•

If

s

2 a

−→ s

′

₂

thenthere exists

s

′

1 ∈ S

1

su h that

s

1 a

−→ s

′

₁

and

s

′

1 Rs

′

2

.

We write

s

1 ⊑ s

2

(resp.

s

1 ∼ s

2

)ifand only ifthereexistsa simulation(resp. a bisimula-tion)

R

with

s

1 Rs

2

.

Denition 6

S

2

simulate

S

1

(resp.

S

1

and

S

2

are bisimilar) whenever there exists a simu-lation(resp. a bisimulation)

R

between

S

1

and

S

2

su h that the pair

(s

0

1 , s

0

2 )

of their initial states belongs to the relation

R

,andthenwe write

S

1 ⊑ S

2

(resp.

S

1 ∼ S

2

).

Denition 7 An

ω

-automaton on words over

Σ

is a tuple

A = hS, Acci

where

S =

hS, Σ, s

0 _{, ∆}

S

i

isa nite

Σ

-labelled transitionsystemand

Acc

isthea eptan e ondition. Denition 8 Let

A = hS, Acci

be an

ω

-automaton over

Σ

-words asabove dened. A run

ρ

of

A

ona word

w = w

0 w

1 · · · ∈ Σ

ω

isasequen eof states

ρ = s

0 s

1 . . .

su hthatthefollowing onditions hold:

1.

s

0 = s

0

2.

s

i

issu h that

s

i−1

w

i

−→ s

i

∈ ∆

S

Whether a run of an automaton is a epting depends on the nature of the a eptan e

ondition ofthe automaton. There areseveral a eptan e onditions:

1. The Bü hia eptan e ondition [B

62℄is givenbya set

F ⊆ Q

:

ρ

is a eptingwhen

Inf (ρ) ∩ F 6= ∅

2. The Rabin a eptan e ondition [Rab69 ℄ is given by a set

Ω = {(E

i

, F

i

)}

i=1..n

with

E

i

, F

i

⊆ Q

:

ρ

isa epting when

(28)

3. The parity ondition [Mos85℄ isgiven byafun tion

rank : Q → {1, . . . , k}

(where

k

is a naturalnumber)thatassignsaparity index tostatesoftheautomaton:

ρ

isa epting when

max{rank(q) | q ∈ Inf (ρ)}

is even.This onditionisalso alledthe

max

-parity ondition.

Dependingofthenatureofthea eptan e ondition,automata are alledBü hiautomata,

Rabinautomata,or Parity automata.

Denition 9 Thelanguage ofanautomaton

A

denotedby

L(A)

isthesetofwordsonwhi h

A

hasan a eptingrun.

Let us re all some interesting well known results on automata. Non deterministi Bü hi

automata, RabinautomataandParityautomata a eptthesamesetoflanguages.Thissetof

languagesis losedunderinterse tion,union,and omplementation (see[Tho97℄).The

empti-ness he kingforaRabinautomatawith

m

statesand

n

pairsisde idablein

O(mn)

3n

.Every

nondeterministi Rabinautomaton anbetranslatedintoanequivalentparityautomatonand

re ipro ally(see[L

99 ℄).Moreover,everynondeterministi parityautomaton anbetranslated

into a deterministi parityautomaton.

1.2 Two Player Parity Games and Multi-Parity Games

We present a omplexity result for he king a winning strategy in a two player games with

parity ondition. Wealso present thenotionof twomulti-paritygame.

Denition 10 Atwoplayerparity game(see [Zie98 ℄)isatuple

G = hN

E

, N

A

, T ⊆ N

2 _{, Acc}

G

i

where

hN, T i

isa graphwiththenodes(orpositions)

N = N

A

∪ N

E

partitioned into

N

E

and

N

A

.

N

E

denotes the set of nodes of the player

Eve

and

N

A

denotes the set of nodes of the player

Adam

. The winning ondition

Acc

G

⊆ N

ω

, is a parity ondition on the nodes. The

gameisnite if

N

is nite.

Aplaybetween

Eve

and

Adam

fromsomenode

n ∈ N

pro eedsasfollows:if

n ∈ N

E

then

Eve

makes a hoi e of a su essor otherwise

Adam

hooses a su essor; from this su essor thesame rule applies and the play goes on forever unless one of the parties annot make a

move.A playis niteifa player annot make a move and thenheloosetheplay.In the ase

that the play is an innite path

π = n

0 n

1 n

2 · · ·

,

Eve

wins if

π ∈ Acc

G

. Otherwise

Adam

isthewinner. Among winning onditions introdu ed intheliterature, we onsiderthe parity

ondition. Astrategy

σ

for

Eve

isafun tion assigningto everysequen eofnodes

~n

ending in anode

n

from

N

E

a vertex

σ(~n)

whi h isa su essor of

n

.

A play from

n

onsistent with

σ

is a nite or innite sequen e

n

0 n

1 n

2 · · ·

su h that

n

i+1

= σ(n

i

)

forall

i

with

n

i

∈ N

E

.Thestrategy

σ

iswinningfor

Eve

fromthenode

n

ifand onlyifallthe playsstarting in

n

and onsistentwith

σ

arewinning. Thestrategies for

Adam

isaredened similarly. Anode iswinning ifthere existsa strategy winning fromit. A game

isdetermined ifeverynode iswinningforoneof theplayer. Astrategyispositional ifitdoes

(29)

Sosu h a strategy for

Eve

an be representedasa fun tion

σ : N

E

→ N

andidentied with a hoi eof edges inthe graph ofthe game.

Nowwe state the following resultson two playergames (see[GH82, EJ91 , Jur00,VJ00℄).

Theorem 11 Everyparity gameisdetermined.Ina twoplayerparitygameoneoftheplayers

hasawinningpositionalstrategyfromea hofhiswinningnodes.Thereisanee tivepro edure

that de ideswho isa winner froma given node in a nite game, andthat pro edure works in

time

O

|T | ×

2 × |N |

d

⌈d/2⌉

!

where,

d

isthe maximal parity index.

1.3 The

µ

-Cal ulus

The

µ

- al ulusintrodu ed byKozen[Koz82℄(seealso[AN01℄)isanexpressivetemporallogi thatextendsmodallogi withthegreatest(

ν

)andleast(

µ

)xpointoperators.Wepresentthe syntaxandthesemanti softhe

µ

- al ulus.Thenwestatesomewellknownresultsthatin lude the omplexityofthemodel- he kingproblem,the omplexityofthesatisabilityproblemand

adisjun tive normalformtheorem. The omplexityresultfor themodel- he king is obtained

byredu tionto he king ifthereis awinning strategy inatwo playerparitygame.

1.3.1 Denitions and Semanti s

Denition 12 The syntax of the

µ

- al ulus is dened over a set

Var

= {X, Y, . . .}

of vari-ables, aset

Σ

of events.It isgiven by thefollowing grammar:

ϕ ::= tt |

| X | ϕ ∨ ψ | ϕ ∧ ψ | haiϕ | [a]ϕ | µX.ϕ(X) | νX.ϕ(X)

In theabove,

X ∈ Var

,

a ∈ Σ

; and

tt

and denote the formula that are always true and false respe tively;

hai

and

[a]

denotetheexistentialandtheuniversalmodalitiesindexedwith theevent

a

;theyrepresentexists

a

-su essorandall

a

-su essor modalitiesrespe tively.The formulas

µX.ϕ(X)

and

νX.ϕ(X)

represent respe tively the least and the greatest xpoint formula.

For a formula

ϕ

,the losure[Koz82℄of

ϕ

,

sub(ϕ)

isdened asfollows:

Denition 13 The losure

sub(ϕ)

of

ϕ

isthe smallest setof formulas su h that:

• ϕ ∈ sub(ϕ)

•

if

ψ

1 ∨ ψ

2 ∈ sub(ϕ)

theboth

ψ

1 , ψ

2 ∈ sub(ϕ)

•

if

ψ

1 ∧ ψ

2 ∈ sub(ϕ)

theboth

ψ

1 , ψ

2 ∈ sub(ϕ)

•

if

haiψ ∈ sub(ϕ)

then

ψ ∈ sub(ϕ)

(30)

1.3. The

µ

-Cal ulus 19

•

if

σX.ψ(X) ∈ sub(ϕ)

then

ψ(X) ∈ sub(ϕ)

,where

σ ∈ {ν, µ}

Theformulasin

sub(ϕ)

are alledthe sub formulas of

ϕ

.For aformula

ϕ

,

sub(ϕ)

is nite and, bydenition, itis not largerthatthenumberof symbols usedin

ϕ

.

Denition 14 Theset

f ree(ϕ)

offreevariableofa

µ

- al ulusformula

ϕ

isdenedindu tively asfollows:

• f ree(tt) = f ree(

) = ∅

• f ree(X) = {X}

• f ree(ϕ ∨ ψ) = f ree(ϕ ∧ ψ) = f ree(ϕ) ∪ f ree(ψ)

• f ree([a]ϕ) = f ree(haiϕ) = f ree(ϕ)

• f ree(µX.ϕ(X)) = f ree(νX.ϕ(X)) = f ree(ϕ) \ {X}

Avariable

X

isfree ina formula

ϕ

if

X ∈ f ree(ϕ)

.

Denition 15 Avariable

X

isbound ina formula

ϕ

ifthereisasub formula

σX.ψ(X)

of

ϕ

with

σ ∈ {µ, ν}

.

We remark that, a variable an be bound and free at the same time. For example, in the

formula

ϕ = µX(haiX ∨ hbiY ) ∧ νY.hciY

,the variable

Y

is bound andfree. Ano urren eof

Y

in

ϕ

an be repla ed with a new variable to getan equivalent formula variables of whi h areeitherfreeor bound.

Denition 16 (Well named) We all aformulawell named iftheexpression

µX.ϕ(X)

(or

νX.ϕ(X)

) o ursat most on efor ea h variable

X

.

By renaming some o urren es of variables if ne essary, every formula an be translated

into an equivalent well namedformula. Inwhatfollows,withoutlossof generality,weassume

that formulas arewell named.

Denition 17 (Binding) The binding denition of a bound variable

X

in a well named formula

ϕ

,

D

ϕ

(X)

istheuniquesubformulaof

ϕ

oftheform

σX.ψ(X)

.Wewillomitsubs ript

ϕ

when it auses no ambiguity. We all

X

a

µ

-variable when

σ = µ

, otherwise we all

X

a

ν

-variable. Thefun tion

D

ϕ

assigning to everyboundvariable itsbinding denitionin

ϕ

will be alledthe binding fun tion asso iatedwith

ϕ

.

Denition 18 Asenten e is awell named formulawithout freevariables.

Denition 19 The dependen y order

≤

ϕ

over the bound variables of a formula

ϕ

, is the leastpartialordersu hthatif

X

o urs in

D

ϕ

(Y )

and

D

ϕ

(Y )

isasubformulaof

D

ϕ

(X)

then

X ≤

ϕ

Y

.When

X ≤

ϕ

Y

, itisalso saidthat

Y

depends on

X

or

X

is older than

Y

.

(31)

Letus illustratethe threedenitionsjustabove withanexample.Consideragaintheformula

ϕ = µX(haiX ∨ hbiY ) ∧ νY.hciY

. It should be lear that

ϕ

is not a senten e as there is a free o urren e of the variable

Y

in

ϕ

. We have that

D

ϕ

(X) = µX(haiX ∨ hbiY )

and

D

ϕ

(Y ) = νY.hciY

. The variables

X

and

Y

an not be ompared withthe dependen y order relation

≤

ϕ

.

Denition 20 (Expansion) Givena formula

ϕ

,itsbinding fun tion

D

ϕ

,andasub formula

ψ

of

ϕ

,theexpansion

h[ψ]i

D

ϕ

of

ψ

withrespe tto

D

ϕ

is dened by

h[ψ]i

_D

_ϕ

= ψ[D

ϕ

(X

n

)/X

n

] · · · [D

ϕ

(X

1 )/X

1 ]

where

X

1 ≤

ϕ

X

2 ≤

ϕ

· · · ≤

ϕ

X

n

isa hain ofboundvariables of

ϕ

withrespe tto

≤

ϕ

.

Denition 21 Variable

X

in

µX.ϕ(X)

isguarded ifevery o urren e ofX in

ϕ(X)

isinthe s ope of some modality operator

hi

or

[]

. We say that a formula is guarded if every bound variable intheformulais guarded.

Alternationdepthdes ribesthenumberofalternationsbetweenleastandgreatestxpoint

operators.

Denition 22 Thealternation depthofaformuladenotedby

alt(ϕ)

isthenumber ofnesting between

µ

and

ν

in

ϕ

;it isre ursively dened asfollows: