Basic Concepts Theoretical Results Practical Verification Summary

Formal Verification of Real Time Systems


Timed Automata

Radek Pelánek

Aim of the Lecture

- knowledge of a basic formalism for modeling timed systems
- basic understanding of verification algorithms for timed systems

Motivation

Example: Peterson's Algorithm

- flag[0], flag[1] (initialized to false) – meaning "I want to access the CS"
- turn (initialized to 0) – used to resolve conflicts

Process 0:
while (true) {
  <noncritical section>;
  flag[0] := true;
  turn := 1;
  while flag[1] and turn = 1 do { };
  <critical section>;
  flag[0] := false;
}

Process 1:
while (true) {
  <noncritical section>;
  flag[1] := true;
  turn := 0;
  while flag[0] and turn = 0 do { };
  <critical section>;
  flag[1] := false;
}

Fischer's Protocol

- real-time protocol – correctness depends on timing assumptions
- simple: just 1 shared variable, arbitrary number of processes
- assumption: known upper bound D on reading/writing a variable in shared memory
- each process has its own timer (for delaying)

Fischer's Protocol

- id – shared variable, initialized to -1
- each process has its own timer (for delaying)
- for correctness it is necessary that K > D

Process i:
while (true) {
  <noncritical section>;
  while id != -1 do {}
  id := i;
  delay K;
  if (id = i) {
    <critical section>;
    id := -1;
  }
}

Modeling Fischer's Protocol

- how do we model clocks?
- how do we model waiting (delay)?

Modeling Real Time Systems

Two models of time:
- discrete time domain
- continuous time domain

Discrete Time Domain

- clocks tick at regular intervals
- at each tick something may happen
- between ticks – the system only waits

Discrete Time Domain

- choose a fixed sample period
- all events happen at multiples of the sample period
- simple extension of the classical model (time = new integer variable)
- main disadvantage – how to choose the sample period?
  - big period ⇒ too coarse model
  - small period ⇒ time fragmentation, too big state space
- usage: particularly synchronous systems (hardware circuits)

Continuous Time Domain

- time ∼ real number
- delays may be arbitrarily small
- more faithful model, suited for asynchronous systems
- model checking (automatic verification) ∼ traversal of the state space
- uncountable state space ⇒ cannot be directly handled automatically by "brute force"

TA Introduction

Timed Automata

- extension of finite state machines with clocks
- continuous real semantics
- limited list of operations over clocks ⇒ automatic verification is feasible
- allowed operations:
  - comparison of a clock with a constant
  - reset of a clock
  - uniform flow of time (all clocks have the same rate)
- note: even simple extensions lead to undecidability

What is a Timed Automaton?

- an automaton with locations (states) and edges
- the automaton spends time only in locations, not in edges
- real valued clocks; all clocks run at the same speed
- clock constraints can be guards on edges
- clocks can be reset when taking an edge; only a reset to value 0 is allowed
- location invariants forbid staying in a location too long; invariants force taking an edge

Syntax

Clock Constraints

Definition (Clock constraints)
Let X be a set of clock variables. Then the set C(X) of clock constraints is given by the following grammar:

    φ ::= x ≤ k | k ≤ x | x < k | k < x | φ ∧ φ

where x ∈ X, k ∈ N.

Timed Automata Syntax

Definition (Timed Automaton)
A timed automaton is a 4-tuple A = (L, X, l0, E) where
- L is a finite set of locations
- X is a finite set of clocks
- l0 ∈ L is the initial location
- E ⊆ L × C(X) × 2^X × L is the set of edges

edge = (source location, clock constraint, set of clocks to be reset, target location)

Semantics

Semantics: Main Idea

- the semantics is a state space (reminder: guarded command language, extended finite state machines)
- states are given by:
  - location (local state of the automaton)
  - clock valuation
- transitions:
  - waiting – only the clock valuation changes
  - action – change of location

Clock Valuations

- a clock valuation is a function ν : X → R+
- ν[Y := 0] is the valuation obtained from ν by resetting the clocks from Y:

    ν[Y := 0](x) = 0      if x ∈ Y
    ν[Y := 0](x) = ν(x)   otherwise

- ν + d = flow of time (d units):

    (ν + d)(x) = ν(x) + d

- ν |= c means that valuation ν satisfies the constraint c

Evaluation of Clock Constraints

Evaluation of a clock constraint (ν |= g):
- ν |= x < k  iff  ν(x) < k
- ν |= x ≤ k  iff  ν(x) ≤ k
- ν |= g1 ∧ g2  iff  ν |= g1 and ν |= g2

(the cases k ≤ x and k < x are analogous)

Examples

Let ν = (x → 3, y → 2.4, z → 0.5).
- what is ν[y := 0]?
- what is ν + 1.2?
- does ν |= y < 3?
- does ν |= x < 4 ∧ z ≥ 1?

Timed Automata Semantics

Definition (Timed automata semantics)
The semantics of a timed automaton A is a transition system S_A = (S, s0, −→):
- S = L × (X → R+)
- s0 = (l0, ν0), ν0(x) = 0 for all x ∈ X
- the transition relation −→ ⊆ S × S is defined as:
  - (delay action) (l, ν) −δ→ (l, ν + δ) for δ ∈ R+
  - (discrete action) (l, ν) −→ (l′, ν′) iff there exists (l, c, Y, l′) ∈ E such that ν |= c, ν′ = ν[Y := 0]

Example

- What is a clock valuation?
- What is a state?
- Find a run = sequence of states

Example

- clock valuation: assignment of a real value to x
- initial state (off, 0)
- example of a run:

    (off, 0) −2.4→ (off, 2.4) −→ (light, 0) −1.5→ (light, 1.5) −→ (bright, 1.5) −→ ...
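The valuation operations (ν[Y := 0], ν + d, ν |= c) and the delay/discrete transitions of the semantics, worked through in Python; this is an added example, not code from the lecture. It also computes the answers to the exercise slide above (ν = (x → 3, y → 2.4, z → 0.5)). The lamp automaton that reproduces the run above is hypothetical: the slides show it only as a picture, so its guards are my assumption (off → light resets x; light → bright needs x < 5; light → off needs x ≥ 5; bright → off is unguarded). Exact rationals are used so that comparisons against integer constants are not disturbed by floating-point rounding.

```python
"""Dense-time semantics of a timed automaton: clock valuations with
reset / delay / constraint evaluation, and runs replayed through the
delay and discrete transitions of the semantics."""
from fractions import Fraction

# A clock constraint is a conjunction of atoms (clock, op, k), k a natural
# number: the guard x < 4 ∧ z ≥ 1 is [('x', '<', 4), ('z', '>=', 1)].
OPS = {'<': lambda v, k: v < k, '<=': lambda v, k: v <= k,
       '>': lambda v, k: v > k, '>=': lambda v, k: v >= k}


def q(v):
    """Exact rational from an int/str/float literal (floats go via str, so
    that 2.4 means 2.4 and not its binary approximation)."""
    return Fraction(str(v)) if isinstance(v, float) else Fraction(v)


def valuation(**clocks):
    """ν as a dict clock -> value, e.g. valuation(x=3, y=2.4, z=0.5)."""
    return {x: q(v) for x, v in clocks.items()}


def satisfies(nu, guard):
    """ν |= g: every atom of the conjunction holds under ν."""
    return all(OPS[op](nu[x], k) for x, op, k in guard)


def reset(nu, clocks):
    """ν[Y := 0]: clocks in Y become 0, the others keep their value."""
    return {x: (Fraction(0) if x in clocks else v) for x, v in nu.items()}


def delay(nu, d):
    """ν + d: every clock advances by d (uniform flow of time)."""
    d = q(d)
    return {x: v + d for x, v in nu.items()}


class TimedAutomaton:
    """A = (L, X, l0, E); an edge is (source, guard, clocks_to_reset, target)."""

    def __init__(self, locations, clocks, init, edges):
        self.locations, self.clocks, self.init, self.edges = locations, clocks, init, edges

    def initial_state(self):
        return (self.init, {x: Fraction(0) for x in self.clocks})

    def delay_step(self, state, d):
        """(l, ν) −δ→ (l, ν + δ): always enabled (no invariants in the basic model)."""
        loc, nu = state
        return (loc, delay(nu, d))

    def discrete_steps(self, state):
        """All (l′, ν[Y := 0]) reachable by one edge whose guard ν satisfies."""
        loc, nu = state
        return [(tgt, reset(nu, ys)) for src, guard, ys, tgt in self.edges
                if src == loc and satisfies(nu, guard)]


# Hypothetical lamp automaton matching the run on the slide (guards assumed).
LAMP = TimedAutomaton(
    locations={'off', 'light', 'bright'}, clocks={'x'}, init='off',
    edges=[('off', [], {'x'}, 'light'),                  # press: start timing
           ('light', [('x', '<', 5)], set(), 'bright'),  # quick second press
           ('light', [('x', '>=', 5)], set(), 'off'),    # late second press
           ('bright', [], set(), 'off')])


def replay(ta, steps):
    """Follow a run given as delays (numbers) and target locations (strings);
    returns the visited states, or raises ValueError when a discrete step is
    not enabled, i.e. the sequence is not a run of the semantics."""
    state = ta.initial_state()
    trace = [state]
    for step in steps:
        if isinstance(step, str):
            enabled = [s for s in ta.discrete_steps(state) if s[0] == step]
            if not enabled:
                raise ValueError(f'no enabled edge to {step} from {state}')
            state = enabled[0]
        else:
            state = ta.delay_step(state, step)
        trace.append(state)
    return trace


if __name__ == '__main__':
    for loc, nu in replay(LAMP, [2.4, 'light', 1.5, 'bright']):
        print(loc, float(nu['x']))
```

`replay` is the semantics used as a checker: a sequence of delays and locations is accepted only if each discrete step has an edge whose guard the current valuation satisfies, which is how one would validate a claimed trace against the model.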

Example

Construct a timed automaton which models the following schedule of a student:
- the student wakes up between 7 and 9
- if the student wakes up before 8, he has breakfast, which takes exactly 15 minutes
- the student travels to school, which takes between 30 and 45 minutes
- if the student arrives at school before 10, he goes to the lecture, otherwise he goes to the library

Semantics: Notes

- the semantics is infinite state (even uncountable)
- the semantics is even infinitely branching

Verification Problems

Reachability Problem

Input: a timed automaton A, a location l of the automaton
Question: does there exist a run of A which ends in l?

This problem formalises the verification of safety properties – is an erroneous state reachable?

Example

How to do it algorithmically?

Other Verification Problems

- verification of temporal (timed) logic
- equivalence checking – (timed) bisimulation of timed automata
- universality, language inclusion (undecidable)

Reachability: Attempt 1

- discretization (sampled semantics)
- allow time step (delay) 1
- clock above the maximal constant ⇒ its value does not increase
- finite state space
- but not equivalent ⇒ find a counterexample

Reachability: Attempt 2

- what about time step 0.5?

Reachability: Attempt X

- what about time step 0.25?
- what about time step 2^−n?

Reachability and Discretization

- for each automaton there exists a sample period such that the sampled and dense semantics are reachability equivalent
  - why?
  - how to determine it?
- no fixed sample period is sufficient for all timed automata
- for more complex equivalences (trace equivalence, bisimulation) and verification problems, the sampled and dense semantics are not equivalent

Sampled vs Dense Semantics

- dense semantics: arbitrarily long words
- sampled semantics: bounded length of words

Another Approach?

- discretization (sampling) is not sufficient
- any other idea?
- is it necessary to distinguish the following valuations? (0.589, 1.234) and (0.587, 1.236)
- some clock valuations are equivalent ∼ the automaton cannot distinguish between them ∼ any run possible from one valuation is also possible from the other
- let us find these equivalence classes (regions)

Reachability Problem

Theorem
The reachability problem is PSPACE-complete.

- note that even decidability of the problem is not straightforward – the semantics is infinite state
- decidability is proved by the region construction (to be discussed)
- completeness is proved by a general reduction from linearly bounded Turing machines (not discussed)

Region Construction

Main idea:
- some clock valuations are equivalent
- work with regions of valuations instead of valuations
- finite number of regions

Preliminaries

Let d ∈ R≥0. Then:
- let ⌊d⌋ be the integer part of d
- let fr(d) be the fractional part of d

Thus d = ⌊d⌋ + fr(d).

Example: ⌊42.37⌋ = 42, fr(42.37) = 0.37

Equivalence on Clock Valuation

- we want an equivalence ≅ such that if ν ≅ ν′ then the automaton "cannot distinguish between ν and ν′"
- formally: bisimulation
- informally: whatever action an automaton can do in ν, it can also do in ν′ (and vice versa, repeatedly)
- what conditions on ≅ do we need?

Equivalence on Clock Valuation: Condition 1

Let cx be the largest constant compared to a clock x ("max bound").

Condition 1:
Clock x is above its max bound in both valuations ν and ν′, or it has the same integer part in both of them.

    ν(x) ≥ cx ∧ ν′(x) ≥ cx  or  ⌊ν(x)⌋ = ⌊ν′(x)⌋

Equivalence on Clock Valuation: Condition 2

Condition 2:
If the value of a clock is below its max bound, then either it has zero fractional part in both ν and ν′ or in neither of them.

    ν(x) ≤ cx ⇒ (fr(ν(x)) = 0 ⇔ fr(ν′(x)) = 0)

Equivalence on Clock Valuation: Condition 3

Condition 3:
For two clocks that are below their max bounds, the ordering of the fractional parts must be the same in both ν and ν′.

    ν(x) ≤ cx ∧ ν(y) ≤ cy ⇒ (fr(ν(x)) ≤ fr(ν(y)) ⇔ fr(ν′(x)) ≤ fr(ν′(y)))

Equivalence on Clock Valuation

Let cx be the largest constant compared to a clock x ("max bound").

≅ is the equivalence on clock valuations such that ν ≅ ν′ iff for all clocks x, y:
1. ν(x) ≥ cx ∧ ν′(x) ≥ cx  or  ⌊ν(x)⌋ = ⌊ν′(x)⌋
2. ν(x) ≤ cx ⇒ (fr(ν(x)) = 0 ⇔ fr(ν′(x)) = 0)
3. ν(x) ≤ cx ∧ ν(y) ≤ cy ⇒ (fr(ν(x)) ≤ fr(ν(y)) ⇔ fr(ν′(x)) ≤ fr(ν′(y)))

Why Do We Need Condition 3?

Why do we need condition 3, when the automaton cannot compare clocks?
Find an automaton and clock valuations ν1, ν2 such that:
- ν1, ν2 satisfy conditions 1 and 2, but not condition 3
- the automaton can "distinguish" between ν1, ν2, i.e. there exists a timed run r such that r is possible from ν1 but not from ν2

Equivalence: Example 1

Identify cx, cy.

Equivalence: Example 2

Suppose cx = 4, cy = 5, cz = 1. Let (x, y, z) denote valuations; decide:
1. (0, 0.14, 0.3) ≅ (0.05, 0.1, 0.32) ?
2. (1.9, 4.2, 0.4) ≅ (2.8, 4.3, 0.7) ?
3. (0.05, 0.1, 0.3) ≅ (0.2, 0.1, 0.4) ?
4. (0.03, 1.1, 0.3) ≅ (0.05, 1.2, 0.3) ?
5. (3.9, 5.3, 0.4) ≅ (3.8, 6.9, 0.8) ?

Regions

Definition (Region)
The equivalence classes of ≅ are called regions, denoted [ν].

Lemma
The number of regions is at most |X|! · 2^|X| · ∏_{x∈X} (2cx + 2).
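The three conditions of the equivalence, the five pairs of Example 2 above, and the bound of the lemma, as an added Python example (not code from the lecture). `region_equivalent` checks conditions 1 to 3 directly; `region_key` computes a canonical description of the region [ν] (integer part or "above" per clock, zero fractional part or not, and the weak ordering of the fractional parts of the clocks below their bound), which is what a region-graph implementation would hash on, since two valuations are equivalent exactly when their keys agree. One detail is my choice: condition 1 is implemented with "both strictly above the max bound" (ν(x) > cx), the Alur and Dill reading; it agrees with the slide everywhere except when ν(x) = cx exactly, where the strict version keeps ν(x) = cx and ν′(x) = cx + 1 apart (they differ on the guard x ≤ cx). None of the five exercise pairs is affected.

```python
"""Region equivalence of clock valuations (conditions 1-3), a canonical
region key, and the region-count bound of the lemma."""
from fractions import Fraction
from itertools import permutations
from math import factorial, floor


def q(v):
    """Exact rational; floats go through str so that 0.3 stays 0.3."""
    return Fraction(str(v)) if isinstance(v, float) else Fraction(v)


def fr(d):
    """fractional part: d - ⌊d⌋"""
    return d - floor(d)


def region_equivalent(nu, nu2, cmax):
    """ν ≅ ν′ for max bounds cmax (dict clock -> largest constant c_x).
    Condition 1 uses the strict reading 'both above the bound' (see lead-in)."""
    clocks = list(cmax)
    nu = {x: q(nu[x]) for x in clocks}
    nu2 = {x: q(nu2[x]) for x in clocks}
    for x in clocks:
        c = cmax[x]
        # condition 1: same integer part, or both above the max bound
        if not (floor(nu[x]) == floor(nu2[x]) or (nu[x] > c and nu2[x] > c)):
            return False
        # condition 2: below the bound, the fractional part is zero in both or in neither
        if nu[x] <= c and (fr(nu[x]) == 0) != (fr(nu2[x]) == 0):
            return False
    for x, y in permutations(clocks, 2):
        # condition 3: ordering of fractional parts is preserved for clocks below their bound
        if nu[x] <= cmax[x] and nu[y] <= cmax[y]:
            if (fr(nu[x]) <= fr(nu[y])) != (fr(nu2[x]) <= fr(nu2[y])):
                return False
    return True


def region_key(nu, cmax):
    """Canonical description of [ν]: per clock either ('above',) or
    (integer part, fractional part is zero); plus the clocks below their
    bound grouped by equal fractional part, groups in increasing order."""
    nu = {x: q(nu[x]) for x in cmax}
    parts = tuple(('above',) if nu[x] > cmax[x] else (floor(nu[x]), fr(nu[x]) == 0)
                  for x in cmax)
    below = sorted((x for x in cmax if nu[x] <= cmax[x]), key=lambda x: fr(nu[x]))
    groups = []
    for x in below:
        if groups and fr(nu[groups[-1][0]]) == fr(nu[x]):
            groups[-1].append(x)
        else:
            groups.append([x])
    return parts, tuple(tuple(sorted(g)) for g in groups)


def region_count_bound(cmax):
    """Upper bound from the lemma: |X|! · 2^|X| · ∏ (2 c_x + 2)."""
    n = len(cmax)
    prod = 1
    for c in cmax.values():
        prod *= 2 * c + 2
    return factorial(n) * 2 ** n * prod


if __name__ == '__main__':
    CMAX = {'x': 4, 'y': 5, 'z': 1}
    print(region_equivalent({'x': 0.03, 'y': 1.1, 'z': 0.3},
                            {'x': 0.05, 'y': 1.2, 'z': 0.3}, CMAX))   # True
    print(region_key({'x': 0.3, 'y': 0.2}, {'x': 3, 'y': 2}))
    print(region_count_bound({'x': 3, 'y': 2}))                       # 384
```

The bound for the two-clock example of the next slide (cx = 3, cy = 2) evaluates to 384; the actual number of regions drawn in the plane is far smaller, which is why the lemma says "at most".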

Regions: Example

Suppose a TA with two clocks, cx = 3, cy = 2.
- draw all regions (since we have just 2 clocks, we can draw them in the plane)
- hints:
  - what is the region [(x = 0.3, y = 0.2)]?
  - what is the region [(x = 1.3, y = 0.3)]?
  - what is the region [(x = 2.0, y = 1.0)]?

Regions: Example (figure)

Regions for a TA with two clocks cx = 3, cy = 2.

Region Graph

- states are 2-tuples location + clock region: (l, [ν])
- there is a transition from (l, [ν]) to (l′, [ν′]) if there exist ω ≅ ν, ω′ ≅ ν′ such that (l, ω) → (l′, ω′)
- the region graph is equivalent to the semantics of A with respect to reachability (note: in fact it is equivalent with respect to bisimulation equivalence)
- moreover the region graph is finite and can be effectively constructed ⇒ the region graph can be used to answer the reachability problem

Operations on Regions

To construct the region graph, we need the following operations:
- let time pass – go to the adjacent region at the top right
- intersect with a clock constraint (note that clock constraints define supersets of regions):
  - if the region is in the constraint: no change
  - otherwise: empty
- reset a clock – go to the corresponding region

Example: Automaton (figure; source: R. Alur)

Example: Region Graph (figure)

Zones

- regions ... nice theory, but inefficient and hard to implement
- zones:
  - convex sets of clock valuations
  - defined by a conjunction of constraints of the form x − y < k
  - allow efficient representation and manipulation (Difference Bound Matrix)

Difference Bound Matrix

Example zone:

    x < 20 ∧ y ≤ 20 ∧ y − x ≤ 10 ∧ x − y ≤ −10 ∧ z > 5

The matrix representation can be used to perform the necessary operations: passing of time, resetting a clock, intersection with a constraint, ...
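A small Difference Bound Matrix with the operations named above, written as an added example (not code from the lecture or from any verification tool). The convention is the usual one: row i, column j holds the bound on x_i − x_j, index 0 is a reference clock that is always 0, so x < 20 is stored as x − 0 < 20 and z > 5 as 0 − z < −5; each bound carries a strictness flag. The canonical form is obtained by Floyd-Warshall closure, which is also what exposes emptiness (a negative entry on the diagonal) and makes the up, reset and intersection operations correct. The zone of the slide is the running example; closure tightens x < 20 to the implied x ≤ 10 (from x − y ≤ −10 and y ≤ 20).

```python
"""Difference Bound Matrix (DBM) representation of a zone with canonical
form, passing of time (up), clock reset, intersection with a constraint,
emptiness and membership tests."""
import math

# A bound is (value, strict): x_i - x_j < value if strict else <= value.
INF = (math.inf, True)


def tighter(a, b):
    """True if bound a is strictly tighter than bound b."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])


def add(a, b):
    """Combine x_i - x_k ≺ a and x_k - x_j ≺ b into a bound on x_i - x_j."""
    return (a[0] + b[0], a[1] or b[1])


class DBM:
    def __init__(self, clocks):
        self.clocks = ['0'] + list(clocks)   # index 0 is the reference clock
        n = len(self.clocks)
        self.m = [[INF] * n for _ in range(n)]
        for i in range(n):
            self.m[i][i] = (0, False)        # x_i - x_i <= 0
            self.m[0][i] = (0, False)        # 0 - x_i <= 0: clocks are non-negative

    def idx(self, x):
        return self.clocks.index(x)

    def bound(self, x, y):
        """Current bound on x - y ('0' is the reference clock)."""
        return self.m[self.idx(x)][self.idx(y)]

    def constrain(self, x, y, bound):
        """Intersect with x - y ≺ bound and restore canonical form."""
        i, j = self.idx(x), self.idx(y)
        if tighter(bound, self.m[i][j]):
            self.m[i][j] = bound
        return self.close()

    def close(self):
        """Floyd-Warshall canonical form: each entry becomes the tightest
        bound implied by all the others (a negative diagonal means empty)."""
        n = len(self.clocks)
        for k in range(n):
            for i in range(n):
                for j in range(n):
                    via = add(self.m[i][k], self.m[k][j])
                    if tighter(via, self.m[i][j]):
                        self.m[i][j] = via
        return self

    def is_empty(self):
        return any(tighter(self.m[i][i], (0, False)) for i in range(len(self.clocks)))

    def up(self):
        """Passing of time on a canonical DBM: drop every upper bound x - 0 ≺ c;
        differences between clocks are unchanged because all clocks advance together."""
        for i in range(1, len(self.clocks)):
            self.m[i][0] = INF
        return self

    def reset(self, x):
        """x := 0 on a canonical DBM: x takes over the bounds of the reference clock."""
        i = self.idx(x)
        for j in range(len(self.clocks)):
            if j != i:
                self.m[i][j] = self.m[0][j]
                self.m[j][i] = self.m[j][0]
        return self

    def contains(self, nu):
        """Does the valuation nu (dict clock -> value) satisfy every bound?"""
        val = {'0': 0, **nu}
        for i, xi in enumerate(self.clocks):
            for j, xj in enumerate(self.clocks):
                c, strict = self.m[i][j]
                d = val[xi] - val[xj]
                if (d >= c) if strict else (d > c):
                    return False
        return True


def page_zone():
    """The zone of the slide: x < 20 ∧ y ≤ 20 ∧ y − x ≤ 10 ∧ x − y ≤ −10 ∧ z > 5."""
    z = DBM(['x', 'y', 'z'])
    z.constrain('x', '0', (20, True))     # x < 20
    z.constrain('y', '0', (20, False))    # y ≤ 20
    z.constrain('y', 'x', (10, False))    # y − x ≤ 10
    z.constrain('x', 'y', (-10, False))   # x − y ≤ −10
    z.constrain('0', 'z', (-5, True))     # z > 5, i.e. 0 − z < −5
    return z


if __name__ == '__main__':
    z = page_zone()
    print('implied bound on x:', z.bound('x', '0'))   # (10, False): x ≤ 10
    print('empty:', z.is_empty())
```

The check that `up` preserves clock differences is the one worth remembering: after letting time pass, {x: 100, y: 110, z: 101} is in the zone's future but {x: 100, y: 110, z: 6} is not, because x − z < 5 was implied by the original bounds and delays cannot change it.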

Zones: Operations (figure; source: J.P. Katoen)

Zone Graph: Example (figure)

Extensions

For practical modeling we use several extensions:
- location invariants
- parallel composition of automata
- channel communication, synchronization
- integer variables

These issues are solved in the 'usual way'. Here we focused on the basic model, the basic aspects dealing with time.

Example: Parallel Composition (figure; source: R. Alur)

Fischer's Protocol

- id – shared variable, initialized to -1
- assumption: known upper bound D on reading/writing a variable in shared memory; for correctness it is necessary that K > D

Process i:
while (true) {
  <noncritical section>;
  while id != -1 do {}
  id := i;
  delay K;
  if (id = i) {
    <critical section>;
    id := -1;
  }
}
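An added example (not code from the lecture) that serves two passages: "Reachability: Attempt 1" (sampled semantics: time advances in a fixed step, a clock above the largest constant stops growing, so the state space is finite and a breadth-first search covers it) and Fischer's protocol above. Part (a) is a hypothetical one-clock automaton l0 → l1 with guard 0 < x < 1: with step 1 the search never sees a value strictly between 0 and 1 and reports l1 unreachable, with step 0.5 it finds it, which is the counterexample the "find a counterexample" bullet asks for. Part (b) models the pseudocode of Fischer's protocol for n processes (locations idle / req / wait / cs, shared id, one clock per process, the write id := i completing within D, the delay K before re-checking id) and searches for a state with two processes in the critical section; with K = 1, D = 1 it finds one, with K = 2, D = 1 it finds none. Because sampled runs are a subset of dense runs, a violation found this way is a real violation, while "none found" is only a result for the chosen step, exactly the limitation the slides discuss.

```python
"""Reachability under sampled (discretised) semantics, by breadth-first
search over the finite state space, applied to (a) a one-clock automaton
where sampling misses a run of the dense semantics and (b) Fischer's
mutual exclusion protocol for n processes."""
from collections import deque
from fractions import Fraction


def bfs(initial, successors, is_target):
    """Explore the finite sampled state space; return a path (list of
    states) to the first target state found, or None if none is reachable."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if is_target(s):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for t in successors(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


def tick(value, step, cmax):
    """Sampled delay of one step; a clock past its largest constant is kept
    at cmax + 1, since no guard can tell larger values apart."""
    return min(value + step, cmax + 1)


# (a) Hypothetical automaton: l0 --(0 < x < 1)--> l1, largest constant 1.
def ta_successors(step):
    def succ(state):
        loc, x = state
        out = [(loc, tick(x, step, 1))]        # delay transition
        if loc == 'l0' and 0 < x < 1:          # discrete transition, guard 0 < x < 1
            out.append(('l1', x))
        return out
    return succ


def l1_reachable(step):
    """Is l1 reachable when time only advances in multiples of `step`?"""
    path = bfs(('l0', Fraction(0)), ta_successors(Fraction(str(step))),
               lambda s: s[0] == 'l1')
    return path is not None


# (b) Fischer's protocol: shared id (-1 = free) and one clock per process.
#     idle: non-critical section; req: has read id = -1, write id := i pending
#     (takes at most D); wait: delay K; cs: critical section.
IDLE, REQ, WAIT, CS = 'idle', 'req', 'wait', 'cs'


def fischer_successors(K, D, step, n):
    cmax = max(K, D)

    def succ(state):
        locs, clocks, shared = state
        out = [(locs, tuple(tick(c, step, cmax) for c in clocks), shared)]

        def move(i, loc, clock, new_shared):
            out.append((locs[:i] + (loc,) + locs[i + 1:],
                        clocks[:i] + (clock,) + clocks[i + 1:], new_shared))

        for i in range(n):
            loc, x = locs[i], clocks[i]
            if loc == IDLE and shared == -1:              # while id != -1 do {} finishes
                move(i, REQ, Fraction(0), shared)
            elif loc == REQ and x <= D:                   # id := i completes within D
                move(i, WAIT, Fraction(0), i)
            elif loc == WAIT and x >= K and shared == i:  # delay K; if (id = i)
                move(i, CS, x, shared)
            elif loc == CS:                               # id := -1 on leaving
                move(i, IDLE, x, -1)
        return out
    return succ


def mutex_violation(K, D, step=1, n=2):
    """Path to a state with two processes in the critical section, or None."""
    initial = ((IDLE,) * n, (Fraction(0),) * n, -1)
    return bfs(initial, fischer_successors(K, D, Fraction(str(step)), n),
               lambda s: s[0].count(CS) >= 2)


if __name__ == '__main__':
    print('l1 reachable, step 1:', l1_reachable(1))                          # False
    print('l1 reachable, step 0.5:', l1_reachable(0.5))                      # True
    print('Fischer K=1, D=1 violated:', mutex_violation(1, 1) is not None)   # True
    print('Fischer K=2, D=1 violated:', mutex_violation(2, 1) is not None)   # False
```

The path returned for K = 1, D = 1 is readable as a schedule: both processes read id = -1 before either write lands, the first writer passes its K delay and enters, and the second writer's overwrite is not seen by the first process because its check already happened. With K > D the second read cannot precede the first write by more than D while still passing its own delay, which is the timing argument the protocol relies on.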

Fischer's Protocol: Model (figure)

Summary

- timed automata: formal syntax and semantics
- reachability problem, equivalence of valuations, region automaton
- practical verification: zones, extensions
