Master Thesis. Modeling and Verification of Extended Timed-Arc Petri Nets

Transcription

1 Master Thesis Moeling an Verification of Extene Time-Arc Petri Nets Lasse Jacobsen, Morten Jacobsen & Mikael Harkjær Møller {lassejac, mortenja, Department of Computer Science, Aalborg University, group 621a June, 2010

2

3 Preface This report ocuments a DAT6-project in the Department of Computer Science at Aalborg University. The project was carrie out in the spring of 2010 within the Distribute an Embee Systems research unit. The report serves as a master thesis in computer science for Lasse Jacobsen, Morten Jacobsen an Mikael H. Møller an is a continuation of a DAT5-project, ocumente in a report entitle Extening Time-Arc Petri Nets [27]. Chapter 1 (Introuction), Chapter 2 (Preliminaries), Chapter 3 (Extene Time- Arc Petri Nets) an Section 4.1 (Problems of Interest) have for the most part been overtaken from the DAT5 report an reuse in this thesis. The verification times for UPPAAL in Section 12.2 have also been overtaken from previous experiments. Further, parts of Chapter 11 (TAPAAL) have to a lesser extent been overtaken from the DAT5 report. Finally, Appenix A (except for the last section) have been inclue from the DAT5 report for comparison. Furthermore, a paper entitle Uneciability of Coverability an Bouneness for Time-Arc Petri Nets with Invariants has been publishe (see [28]). The main parts of this paper have been reprinte in Section 4.3. We woul like to thank our supervisor Jiří Srba for his feeback an suggestions, as well as iscussions throughout the project. Furthermore, we woul like to thank Kenneth Yrke Jørgensen for his help an ieas regaring TAPAAL an the translations. Finally, we thank Alexanre Davi for his help with UPPAAL.

4

5 Contents 1 Introuction Introuctory Example Preliminaries 5 3 Extene Time-Arc Petri Nets Basic Definitions Example Semantics Uneciability Results for Time-Arc Petri Nets Problems of Interest Overview Time-Arc Petri Nets with Invariants Uneciability Results Conjectures Summary Time Computation Tree Logic 25 6 TCTL-Preserving Framework Stable Proposition One-By-Many Corresponence Main Theorem Overall Methoology Applications Networks of Time Automata with Integer Variables Clocks Integer Variables Time Automata with Integer Variables Complexity an Computability

6 8 Broacast Translation Example Translation Algorithm Correctness Degree 2 Broacast Translation Example Translation Algorithm Correctness Time-Arc Petri Nets with Integers Example Semantics Translation an Correctness Deciability TAPAAL Overview Implementation Translations TAPN with Integers Experiments TAPN Alternating Bit Protocol Soccer Fiel Grass Cutting TAPN with Integers Conclusion Future Work Bibliography 105 A Vikings Case Stuy Moels 109 A.1 UPPAAL Moel A.2 TAPN Moel A.3 TAPN with Integers Moel B Soccer Fiel Grass Cutting Case Stuy 117 C Summary 119

7 Chapter 1 Introuction Increasing emans on the reliability an safety of embee software systems have fuele the nee for extensive research into formal moeling an verification. Often, these embee systems rely on timing-constraints (e.g. ealines). To this en, iscrete moels have been extene to time-epenent moels such as Networks of Time Automata (NTA) [5, 6], Time Petri Nets (TPN) [33, 34] an Time-Arc Petri Nets (TAPN) [13, 24]. These moels are among the most stuie time-epenent moels. For a comparative overview of these moels the reaer is referre to [40]. Time automata (TA) were introuce by Alur an Dill [5, 6]. A TA is a timeextension of a finite automaton where continuous an synchronous clocks can be use to moel time constraints. An NTA is then a parallel composition of TA where ifferent automata are allowe to communicate over channels. In 1962, Carl Aam Petri introuce the Petri net moel in his issertation [37]. Since then, Petri nets has become a well-establishe an popular moel of istribute systems, in part thanks to their intuitive graphical representation. TPN is a wellknown time extension of Petri nets which was introuce by Merlin an Farber [33, 34]. In this moel, time intervals are assigne to transitions which enote its earliest an latest firing time. This can be intuitively explaine as each transition having its own clock which is ticking once the transition becomes enable. A transition must fire before its latest firing time. However, it is possible that an enable transition becomes isable before it is fire (e.g. by firing another transition). Another well-known time-extension of Petri nets is TAPN, introuce by Bolognesi et al. [13] an Hanisch [24]. In TAPN each token is assigne a real number inicating its age. Time intervals on arcs from places to transitions restrict which tokens can be use to fire transitions. Note that both iscrete an continuous time versions of the time-arc Petri net moel have been introuce. In this report, we will focus on the continuous time version of the moel. Recent work on the verification tool TAPAAL [1] by Byg et al. [17] extene the time-arc Petri net moel with invariants on places which gives an upper boun on the age of tokens in a place an so-calle transport arcs which allow for transporting tokens between places while preserving their ages. Recently, a substantial amount of research has focuse on the corresponence be- 1

8 Chapter 1 Introuction tween time-epenent formalisms. This has le researchers to evelop several translations between these formalisms (see e.g. [12, 13, 15, 17, 18, 39]) in orer to establish a corresponence between them up to some notion of equivalence (e.g. bisimulation [15, 18]). However, each translation requires a istinct proof of correctness, even though the translations often use the same ieas, e.g. simulating a single step in one moel by a number of steps in another moel. For a more complete overview of these translations the reaer is referre to [36, 40]. In this thesis, we stuy TAPN extene with invariants, transport arcs an inhibitor arcs. We prove that invariants alone is enough to make bouneness an coverability uneciable, which was publishe in a recent paper [28] (the results of this paper are inclue in Section 4.3). In respect to formal verification of time-epenent moels we present Time Computation Tree Logic (TCTL) in its full generality, unlike much work on TCTL where maximal runs are not hanle in full etail (see e.g. [18, 36]). Further, we ientify a class of translations that preserve TCTL (or a specific subset of TCTL) by eveloping a general framework (motivate by [18]), which works at the level of time transition systems, making it inepenent of the moeling formalism. We then evelop two novel translations from TAPN to NTA an apply the framework to these in orer to prove that they both preserve the full TCTL. Following this, we further exten the TAPN moel such that each token carries both its age an an integer value an sketch how to exten the translations. Finally, we compare the performance of our translations to previous translations from TAPN to NTA. 1.1 Introuctory Example We shall now informally introuce the moel we use in this report, calle time-arc Petri net with inhibitor arcs, transport arcs an invariants. To o so we shall use a moel of a rollercoaster which is illustrate in Figure 1.1. The moel of the rollercoaster contains a number of places (rawn as circles), transitions (rawn as black squares) an arcs from places to transitions or transitions to places. Time intervals are associate with arcs from places to transitions. Further, the places in the moel may contain tokens, each of which is associate with a real number signifying the age of the token. In the example, there are two tokens in the place calle station, both with age 0.0. Invariants may be assigne to places which restrict the ages of the tokens in that place. In our example, the place first half has an associate invariant of [0, 4] (written inv: 4). There are ifferent types of arcs: normal arcs (normal arrow tip), transport arcs (iamon arrow tip) an inhibitor arcs (circle arrow tip). The precise semantics of the moel will be mae clear later in this report. Intuitively, the normal arcs from places to transitions will consume tokens of appropriate ages an normal arcs from transitions to places will prouce tokens of age zero. A transport arc works in a similar fashion except that any token prouce will have the same age as the one consume. Inhibitor arcs are use to test for the absence of tokens of certain ages in places. The iea of the moel is that we have two trains for the rollercoaster. The roller- 2

9 Section 1.1 Introuctory Example emergency [5, ) repair [0, ) fail 1 fail 2 {0.0, 0.0} [0, ) [0, ) [0, ) station #2 epart [0, ) [0, ) first half inv: 4 [4, 4]:1 [0, ) halfway 1 secon half inv: 7 return [7, 7] Figure 1.1: A rollercoaster moele as a time-arc Petri net with inhibitor arcs, transport arcs an invariants. coaster must ensure the safety of the passengers which means that the two trains cannot be in the same part of the track at once. Further, since a train may experience some sort of failure at any given time uring its trip aroun the rollercoaster, the system must ensure that the other train is stoppe when there is an emergency. Thus, a train can only leave the station an enter the first half of the track if there is no emergency an no other train in the first half of the track (inhibitor arcs are use to check for the absence of tokens in these places) an similarly for entering the secon half of the track. As a concrete example, say the first train fails in the secon half of the track while the secon train is on the first half. In this case, the secon train will be stoppe before it enters the secon half of the track so there can be no crash between the two. It takes 4 time units for a train to run through the first half of the track an 3 time units to run through the secon part. Thus, a full trip aroun the track takes 7 time units. Once the first train enters the secon half of the track, the other train may leave the station. In the event that a train fails, it takes at least 5 time units to repair it an return it to the station. Once we have a moel of a system, we want to verify if certain properties are satisfie. For instance, we might want to verify if it is possible for the two trains to be in the same part of the track of the rollercoaster at once (except for the station). This property is a safety property because the proof of the property is a finite sequence of steps escribing how to reach the situation where both trains are in the same part of the track. Naturally, if we can fin such a sequence, we can conclue that there is an 3

10 Chapter 1 Introuction error in the moe,l as it shoul not be possible for the two trains to be in the same part of the track at once. As another example of a property consier one that checks if it is possible for the two trains to run forever without any emergency. This is a liveness property because the proof is an infinite sequence of steps escribing how the trains can run forever without an emergency. 4

11 Chapter 2 Preliminaries In this chapter, we shall introuce some basic concepts an notation which we will use through this report. We let N = {1, 2, 3,...} enote the set of natural numbers an we let N 0 = {0} N. In a similar way, we let R enote the set of real numbers an R 0 enote the set of non-negative real numbers (incluing 0). We shall use the notation 2 S, for some set S, to enote the power set of S, that is, the set of all subsets of S. A multiset is a pair S = (D, f) where D is a set an f : D N 0 is a multiplicity function that for a given element D returns the number of occurrences of in the multiset. We will now efine some of the stanar operators on multisets. Let S 1 = (D, f 1 ) an S 2 = (D, f 2 ) be multisets over the same set D. Then count, union, subtraction, inclusion, size an membership are efine as S 1 () = f 1 () for all D, (S 1 S 2 )() = f 1 () + f 2 () for all D, (S 1 \ S 2 )() = max(0, f 1 () f 2 ()) for all D, S 1 S 2 if D. f 1 () f 2 (), S 1 = D f 1 (), an S 1 if f 1 () > 0. For notational convenience, we will use multisets as orinary sets with the efine operations implicitly interprete over multisets. An example of the union operator is {2, 2, 4.5} {2, 3.1} = {2, 2, 2, 3.1, 4.5}. A multiset S is finite if S <. We let the set of all finite multisets over a set S be enote by B(S). For a binary relation R on some set X, the reflexive closure of R is a binary relation R such that, R is reflexive, i.e. x R x for all x X, 5

12 Chapter 2 Preliminaries R R, an for any relation R, if R R an R is reflexive, then R R, that is, R is the smallest reflexive relation containing R. Similarly, the transitive closure of R is a binary relation R such that, R is transitive, i.e. if x R y an y R z then x R z for all x, y, z X, R R, an for any relation R, if R R an R is transitive, then R R, that is, R is the smallest transitive relation containing R. For a binary relation over some set X, we shall use the notation to mean the reflexive an transitive closure of. We shall now efine the notion of a time transition system. Definition 1 (Time Transition System) A time transition system (TTS) is a tuple T = (S,, AP, µ) where S is a set of states (or processes), (S S) (S R 0 S) is a relation on states calle the transition relation consisting of iscrete actions an time elays, AP is a set of atomic propositions, an µ : S 2 AP is a function assigning sets of true atomic propositions to states. We write s s (resp. s s for some R 0 ) instea of (s, s ) (resp. (s,, s ) for some R 0 ) for some s, s S. As evient by the efinition, there are two types of transitions in a TTS. Transitions of the type s s are orinary transitions that result from performing actions. Transitions of the type s s for some R 0, are elay (or time-elapsing) transitions. For s s we shall sometimes refer to s as s[]. We write s (resp. s for some R 0 ) whenever s s (resp. s s for some R 0 ) for some s S. Similarly, we write s (resp. s for some R 0 ) whenever there is no state s such that s s (resp. s s for some R 0 ). We require that the TTS satisfy the following stanar conitions for elay transitions (see e.g. [12]). For all, R 0 an s, s, s S we have: 1. Aitivity: if s s an s s then s + s, 2. Continuity: if s + s then s s s for some s, 3. Zero elay: s 0 s for each state s, an 6

13 4. Determinism: if s s an s s then s = s. The first requirement states that if we can elay for time units an thereby reach a state s, an subsequently elay to reach a state s then we can also elay + time units from s an reach s. The secon requirement states the inverse of the first, that is if we can elay for + time units in s to reach s, then we can also o two subsequent elays of an an reach the same state (through the intermeiate state s ). The thir requirement states that the only state we can reach from a state s by elaying 0 time units is s itself. Finally, the fourth requirement states that elay transitions are eterministic, i.e. we will always reach the same state from a state s when we elay time units. 7

14

15 Chapter 3 Extene Time-Arc Petri Nets In this chapter, we shall explore our extension of the time-arc Petri net moel. Specifically, our moel is an extension of the work by Byg et al. [17]. We exten their moel with inhibitor arcs. 3.1 Basic Definitions We shall now efine our extene time-arc Petri net moel. We will first efine the set of well-forme time intervals as the subset of time intervals satisfying the following abstract syntax where a N 0, b N an a < b: I ::= [a, a] [a, b] [a, b) (a, b] (a, b) [a, ) (a, ). We enote the set of all well-forme time intervals by I. Further, the set of all wellforme time intervals for invariants is enote I Inv an is efine accoring to the following abstract syntax: I Inv ::= [0, 0] [0, b] [0, b) [0, ). The preicate r I is efine for r R 0 in the expecte way. Definition 2 (TAPN) A Time-Arc Petri Net with invariants, inhibitor arcs an transport arcs, abbreviate TAPN, is a tuple N = (P, T, F, c, F tarc, c tarc, F inhib, c inhib, ι) where P is a finite set of places, T is a finite set of transitions such that P T =, F (P T ) (T P ) is a set of normal arcs calle the flow relation, c : F P T I is a function assigning time intervals to arcs from places to transitions, 9

16 Chapter 3 Extene Time-Arc Petri Nets F tarc (P T P ) is the set of transport arcs that satisfy for all (p, t, p ) F tarc an all r P : ( (p, t, r) Ftarc p = r ) ( (r, t, p ) F tarc p = r ) (p, t) / F (t, p ) / F, c tarc : F tarc I is a function assigning time intervals to transport arcs, F inhib P T is the set of inhibitor arcs satisfying for all (p, t) F inhib an all p P (p, t) / F (p, t, p ) / F tarc, c inhib : F inhib I is a function assigning time intervals to inhibitor arcs, an ι : P I inv is a function assigning invariants to places. Note that we shall sometimes refer to less general moels than the one above. For this we will use a special abbreviation: TAPN(inv) refers to a time-arc Petri net moel extene with invariants, TAPN(tarc) refers to one extene with transport arcs an TAPN(inhib) refers to one extene with inhibitor arcs. For a given transition t T we will efine the preset of t as the set of all input places an the postset as the set of all output places. Formally, the preset is efine as t = {p P (p, t) F p P. (p, t, p ) F tarc }. Note that the places from which there are inhibitor arcs to the transition t are not inclue in the preset. For our purposes we will only nee the preset to refer to all places from which tokens will be consume when firing t, hence the exclusion. Similarly, the postset is efine as t = {p P (t, p) F p P. (p, t, p) F tarc }. We say that a transition t is of egree 2 if t = t = 2. We say that a TAPN N is of egree 2 if all transitions in the net are of egree Example In orer to provie some intuition for the TAPN moel before introucing the formal semantics, we will now give an example which introuces the various features of the moel in a step-by-step manner. We will start with a basic time-arc Petri net an then graually ecorate that example with transport arcs, invariants an finally inhibitor arcs while explaining the intuition behin the change in behaviour of the net, inuce by these aitions. The basic time-arc Petri net is presente in Figure 3.1. It inclues two transitions t 0 an t 1 an 5 places p i, 0 i 4. There are tokens of age 0.0 in the places p 0, p 1 an p 2. Initially, only t 0 is enable because its input place p 0 contains a token of an age which satisfies the constraint on the arc from p 0 to t 0. Transition t 1 requires a token of any age in p 1 but also a token of an age in the interval [4, 5] in p 2 which is 10

17 Section 3.2 Example p [0, ) t 0 p 3 p [0, ) t 1 p 4 p 2 [4, 5] 0.0 Figure 3.1: A basic time-arc Petri net. why t 1 is not enable initially. Since t 0 is enable, we can fire it whereby we woul remove a token of an appropriate age from p 0 an prouce a token of age 0.0 in each of the places p 3 an p 4. However, we coul also choose to o a time elay of, say, 4.5 time units, whereby all tokens in the net woul grow 4.5 time units oler. Since all tokens are now of age 4.5 both t 0 an t 1 are enable since both woul have tokens of appropriate ages in all their input places. Let us now introuce transport arcs into our example net. Specifically, we will replace the normal arcs from p 0 to t 0 an from t 0 to p 4 with a transport arc from p 0 through t 0 to p 4 as illustrate in Figure 3.2. Note that the : 1 on the transport arc is there to help istinguish where each token goes in case we have more than one transport arc through the transition. p [0, ):1 t 0 p 3 p 1 : [0, ) t 1 p 4 p 2 [4, 5] 2.5 Figure 3.2: A time-arc Petri net with transport arcs. For the sake of illustration, assume that we have initially mae a time elay of 2.5 time units such that all tokens are now of age 2.5. Transition t 0 is still the only enable transition in net at this point, however there is a ifference when we choose to fire t 0. By firing t 0 we will still remove a token of appropriate age from p 0 an prouce a token of age 0.0 in the place p 3 as before. However, ue to the transport arc we will prouce a token at p 4 of the same age as the token we remove from p 0, 11

18 Chapter 3 Extene Time-Arc Petri Nets i.e. of age 2.5 in this case. In this way, the transport arcs allow us to preserve the age of tokens as we transport them aroun the net. Let us now a invariants to our example net. Specifically, we will a invariants to the places p 2 an p 4 that isallow tokens oler than 5, as illustrate in Figure 3.3. p [0, ):1 t 0 p 3 p 1 : [0, ) t 1 p 4 p 2 [4, 5] inv: inv: 5 Figure 3.3: A time-arc Petri net with transport arcs an invariants. Note that by convention, if no invariant is given for a place then this implicitly means that the invariant for this place is [0, ). Assume that we have one a time elay such that all tokens are of age 5.0. At this point we cannot o any further time elays because that woul violate the invariant at p 2. We are force to fire either t 0 or t 1, both of which are enable. Thus, invariants facilitate urgency in the moel. One of the particularities of the use of invariants an transport arcs is emonstrate by the invariant of the place p 4, which has implications for the transition t 0 because of the transport arc from p 0 through t 0 to p 4. Since transport arcs preserve the ages of tokens we can only fire t 0 when there is a token of age smaller than or equal to 5 in p 0, otherwise the token prouce at p 4 woul violate the invariant on that place. Finally, let us introuce inhibitor arcs into our example. Specifically, we will replace the arc from p 2 to t 1 with an inhibitor arc as illustrate in Figure 3.4. Intuitively, p [0, ):1 t 0 p 3 p 1 : [0, ) t 1 p 4 p 2 [4, 5] inv: inv: 5 Figure 3.4: A time-arc Petri net with transport arcs, invariants an inhibitor arcs. 12

19 Section 3.3 Semantics an inhibitor arc is the opposite of a normal arc. For instance, t 1 will now be enable whenever there is a token of any age in p 1 an no token with an age which belongs to the interval [4, 5] in p 2. Thus, initially both t 0 an t 1 are enable since there are tokens in p 0 an p 1 with appropriate ages, an there is no token with an age between 4 an 5 in p 2. In this way, inhibitor arcs allow us to test for the absence of tokens of a certain age in an input place. This conclues our introuctory example to the various features of the TAPN moel. 3.3 Semantics We will now efine the semantics of the TAPN moel. To o so, we shall first efine the concept of a marking on a TAPN. Definition 3 (Marking) Let N = (P, T, F, c, F tarc, c tarc, F inhib, c inhib, ι) be a TAPN. A marking M on N is a function M : P B(R 0 ), such that for every place p P an every token x M(p) it hols that x ι(p). The set of all markings over N is enote M(N). A marke TAPN is efine as a pair (N, M 0 ) where N is a TAPN an M 0 is the initial marking on N. Note that we only allow initial markings where all tokens have age 0. Definition 4 (Enableness) Let N = (P, T, F, c, F tarc, c tarc, F inhib, c inhib, ι) be a TAPN. We say that a transition t T is enable in a marking M if in all places p t where (p, t) F there is a token x with an age belonging to the time interval on the arc from p to t, i.e. p t s.t. (p, t) F. x M(p). x c(p, t), in all places p t where (p, t, p ) F tarc for some p P then moreover the age of the token x in p must satisfy the invariant at p, i.e. p t s.t. (p, t, p ) F tarc. x M(p). x c tarc (p, t, p ) x ι(p ), in all places p P where (p, t) F inhib there is no token with an age belonging to the time interval on the inhibitor arc from p to t, i.e. p P s.t. (p, t) F inhib. x M(p). x c inhib (p, t). Definition 5 (Firing Rule) Let N = (P, T, F, c, F tarc, c tarc, F inhib, c inhib, ι) be a TAPN, M some marking on N an t T some transition of N. If t is enable in the marking M, it can be fire, whereby we reach a marking M efine as where p P. M (p) = ( M(p) \ C t (p)) C + t (p) 13

20 Chapter 3 Extene Time-Arc Petri Nets for every p P such that (p, t) F Ct (p) = {x} where x M(p) an x c(p, t), for every p P such that (t, p) F C t + (p) = {0}, for every p, p P such that (p, t, p ) F tarc C t (p) = {x} = C+ t (p ) where x M(p), x c tarc (p, t, p ) an x ι(p ), an in all other cases we set the above sets to. Note that there may be multiple choices for the sets Ct (p) an C+ t simply fix these sets before firing t. (p) for each p. We Let us now efine the notion of a time elay in our moel. To o so, we shall introuce an aition operator on multisets. For a multiset B = (R 0, f) an a non-negative real R 0, we efine the aition operator in the following manner, { f(x ) if x 0 (B + )(x) = 0 otherwise where x ranges over the elements of R 0. Definition 6 (Time Delay) Let N = (P, T, F, c, F tarc, c tarc, F inhib, c inhib, ι) be a TAPN an M some marking on N. A time elay R 0 is allowe if (x + ) ι(p) for all p P an all x M(p), i.e. by elaying time units no token violates the invariants. By elaying time units we reach a marking M efine as M (p) = M(p) + for all p P. The semantics of a TAPN is given by a time transition system. Specifically, a TAPN N = (P, T, F, c, F tarc, c tarc, F inhib, c inhib, ι) efines a TTS T (N) = (M(N),, AP, µ) where the set of states are the markings on N an the transition relation is efine such that M M if by firing transition some transition t in marking M we get to marking M an M M if by elaying time units in marking M we get to marking M. The set of atomic propositions AP an the labeling function µ are aopte from Byg et al. [17] an are efine as AP ef = {(p n) p P, n N 0 an {<,, =,, >}} an µ(m) ef = {(p n) M(p) n an {<,, =,, >}}. The intuition is that a proposition (p n) is true in a marking M if the number of tokens in the place p satisfies the proposition with respect to n. 14

21 Chapter 4 Uneciability Results for Time-Arc Petri Nets In this chapter, we will present an overview of uneciability results for various extensions of the stanar TAPN moel. We shall focus on three problems, namely reachability, coverability an bouneness. 4.1 Problems of Interest Let us efine the three problems for TAPN, starting with reachability. Reachability simply asks whether a given marking is reachable from the initial marking in some TAPN N. Definition 7 (Reachability) Given a marke TAPN (N, M 0 ) an a marking M M(N). M is sai to be reachable if M 0 M. For some M M(N) we let M(N, M ) enote the set of reachable markings in N from the marking M. The coverability problem is efine as follows. Definition 8 (Coverability) Let (N, M 0 ) be a marke TAPN an let M M(N) be a marking. M is sai to be coverable if there exists a reachable marking M M(N, M 0 ), such that M(p) M (p) for all places p P. Usually, coverability is use to prove safety properties. This is one by specifying a marking that characterizes ba behaviour an asking whether it is possible to cover that marking. For example, if we moel some form of mutual exclusion protocol, we can ask whether we can cover a marking where there is more than one process in the critical section. If we can, the protocol is not correct. For bouneness, we generally consier two variants, which are inter-relate. The first is k-bouneness. Definition 9 (k-bouneness) A marke TAPN (N, M 0 ) is sai to be k-boune if there exists a k N such that the total number of tokens in the net oes not excee k for any marking reachable from M 0. 15

22 Chapter 4 Uneciability Results for Time-Arc Petri Nets We efine bouneness in terms of k-bouneness. Definition 10 (Bouneness) A marke TAPN (N, M 0 ) is sai to be boune if it is k-boune for some k N. Note that if a net is not k-boune for some given k N, then we cannot conclue that it is unboune. It may be k -boune for some k > k. If a net is unboune however, then we may conclue that it is not k-boune for any k N. The reason for this istinction, is that while bouneness is uneciable [28], k-bouneness is eciable. Bouneness is useful because reachability an coverability are eciable for boune nets. This follows from the fact that there are only finitely many reachable markings in a boune net since techniques such as regions [5, 6] or zones [9] can be use to represent continuous time in a finite way. We shall later use a slightly ifferent efinition of bouneness, which we call place-bouneness to istinguish the two. Definition 11 (Place-bouneness) A marke TAPN (N, M 0 ) is place-boune if there exists some k N such that the total number of tokens in any place oes not excee k for any marking reachable from M 0. It is clear that bouneness an place-bouneness are relate. If a marke TAPN is place-boune for some k, then we know that it is k -boune where k = P k. Similarly, if it is k-boune then we know that it is place-boune for k also. 4.2 Overview We shall now give an overview of the known uneciability results for various extensions of TAPN. However, we will first briefly introuce the notion of a two-counter Minsky machine (2-CM). Definition 12 A Two-Counter Minsky Machine (2-CM) with two non-negative registers r 1 an r 2 is a sequence of instructions (I 1 : Ins 1 ; I 2 : Ins 2 ;... I e 1 : Ins e 1 ; I e : HALT ) where for every j, 1 j < e, Ins j is one of the two types: r i := r i + 1; goto I k ; where i {1, 2} an k {1, 2,..., e} (Increment). if r i > 0 then r i := r i 1; goto I k ; else goto I l ; where i {1, 2} an k, l {1, 2,..., e} (Test an ecrement). The last instruction is always the HALT instruction. A configuration of a 2-CM is a triple (j, v 1, v 2 ) where j {1, 2,..., e} is the inex of instruction I j to be execute an v 1 an v 2 are the values of the registers r 1 an r 2, respectively. The computational step relation of a 2-CM is efine as expecte an we use the notation (j, v 1, v 2 ) (j, v 1, v 2 ) to enote that we perform the current instruction I j with values v 1 an v 2 in the registers, resulting in the configuration (j, v 1, v 2 ). 16

23 Section 4.2 Overview Definition 13 (The Halting Problem for 2-CM) Given a 2-CM, is it possible to reach the halt instruction from the initial configuration (1, 0, 0), i.e. (1, 0, 0) (e, v 1, v 2 ) for some v 1, v 2 N 0? Theorem 14 (Minsky [35]) The halting problem for 2-CM is uneciable. Ruiz et al. [38] showe that for a slighty more general TAPN moel (they allow real numbers in intervals on input arcs), the reachability problem is uneciable by reuction from the halting problem for 2-CM 1. They essentially create a weak simulation of a 2-CM, in the sense that the behaviour of the 2-CM can be simulate in the net, though aitional behaviour is possible. However, clever exploitation of time elays ensures that both registers can only be emptie completely if a faithful simulation of the 2-CM is performe in the net, thereby ensuring that a specific marking is reachable iff the 2-CM halts. Abulla an Nylén [3] showe that for Time Petri Nets (TPN) (essentially a TAPN where intervals are also present on output arcs, an the age of a prouce token is non-eterministically chosen to be in this interval) the coverability problem is eciable. Specifically, they introuce the notion of existential zones, which represent (possibly infinite) upwar-close sets of markings (a set S is upwar-close if for all markings M, M it hols that if M S an M M then M S). The algorithm works by backwar analysis. Specifically, they perform a fixpoint iteration, generating larger an larger upwar-close sets of markings, such that at iteration i, all markings from which it is possible to cover the target marking in i or fewer steps, are foun. Termination of the algorithm is ensure by a well-quasi orering among the existential zones. A reflexive an transitive binary relation (a quasi orering) on a set A is a well-quasi orering if for all infinite sequences a 0, a 1, a 2,... A there exists i, j N 0 such that i < j an a i a j. This orering ensures that the iteration will eventually reach a fixpoint an it allows them to represent the upwars-close sets of markings in a finite way. Coverability from the initial marking then amounts to checking whether the initial marking is inclue in the fixpoint. Abulla et al. [4] prove that bouneness is eciable for TPN. They use the notion of regions for TPN. The notion of regions for TPN is similar to the notion of regions for TA (see [5, 6]). They provie an algorithm similar to the coverability tree algorithm by Karp an Miller [32], where each noe in the coverability tree is labelle by a region instea of a marking. Starting from the root noe (labelle with a region satisfie by the intial marking) they successively buil the tree by aing chil noes for each possible successor region. The algorithm by Karp an Miller [32] coul also be use to ecie bouneness by checking whenever we reach a new marking M if there exists a marking M on the path from the root to M such that M (p) M(p) for each place p (in this case the net is unboune). The regions are use in a similar way to etermine when the net is unboune, i.e. whenever we reach a new region R we check if there exists another region R on the path from the root to R such that 1 Technically, they work with an extene two-counter machine that empties both registers before performing the halt instruction. 17

24 Chapter 4 Uneciability Results for Time-Arc Petri Nets R is smaller than R. The algorithm is guarantee to terminate ue to a well-quasi orering among the regions. Hack [23] showe that the bouneness problem for untime Petri nets with inhibitor arcs an untime Petri nets with priorities on transitions is uneciable. They introuce the notion of a counter automaton which is essentially a generalize version of a two-counter machine that contains a finite set of counters an some aitional instructions. They show that aing inhibitor arcs to an untime Petri net allows them to simulate the counter automaton in the Petri net correctly, since an inhibitor arc allows them to test for zero (which is not possible in TAPN). Since a counter automaton is basically a generalization of a two-counter Minsky machine, it follows that the halting problem for counter automata is uneciable, which in turn implies uneciability of bouneness. They require only a small moification to obtain the same result using priorities (this is not surprising, given that the author also shows how to encoe inhibitor arcs using priorities an vice versa). Though not explicitly mentione by the author, this also implies the uneciability of coverability, because the simulation can easily be use to show that a marking is coverable iff the automaton halts. Dufour et al. [21] prove that bouneness is uneciable for untime Petri nets with reset arcs. A reset arc is an arc from a place to a transition which upon firing the transition will remove all tokens in the place. Reset arcs o not influence the enableness of transitions but only have an effect when firing transitions. They provie a reuction from Hilbert s Tenth Problem to bouneness for Petri nets with reset arcs. 4.3 Time-Arc Petri Nets with Invariants In this section we will prove the uneciability of place-bouneness an coverability for the TAPN(inv) moel by reuction from the halting problem for 2-CM. The contents of this section appeare in the paper [28]. We will now escribe the reuction from 2-CM to TAPN(inv). Given a 2-CM (I 1 : Ins 1 ; I 2 : Ins 2 ;... I e 1 : Ins e 1 ; I e : HALT ) we construct a TAPN(inv) (P, T, F, c, ι) where P = {p j, q j 1 j < e} { p r1, p reset r 1, p r2, p reset } r 2 {pcount } {p e, p halt } T = { t reset, t reset } { } r 2 t j, t goto Ins j is of type increment r 1 { t else 1 j, t else 2 j, t then j j } Ins j is of type test an ecrement {t e } The number of tokens in p r1 an p r2 correspon to the values of r 1 an r 2, the number of tokens in p count remembers the number of computation steps which have been simulate in the net an p 1,..., p e correspons to the instructions Ins 1,..., Ins e such that the place p j contains one token if an only if the current instruction is Ins j. For the flow relation we will split it into 4 parts. 18

25 Section 4.3 Time-Arc Petri Nets with Invariants p ri t reset r i p reset r i p e t e p count 1 [1, 1] [0, 0] [1, 1] p halt (a) Simulation of a register. (b) Simulation of Halt instruction. p j [1, 1] t j p reset r 2 q j [0, 0] [0, 0] t goto j p count p k p reset r 1 [0, 0] 1 p ri (c) Simulation of I j : r i := r i + 1; goto I k. p j p ri [1, 1] [0, 0] t else 1 j p reset r 3 i q j [0, 0] [0, 0] t else 2 j p l p count 1 [0, 0] t then j p k () Simulation of I j : if r i > 0 then r i := r i 1; goto I k ; else goto I l. Figure 4.1: TAPN(inv) moels for 2-CM simulation. F 1 contains the arcs for the registers. For each register r i, i {1, 2}, we a the following arcs to F 1 (p ri, t reset r i ), (t reset r i, p ri ), (p reset r i, t reset r i ), (t reset r i, p reset r i ) where c((p ri, t reset r i )) = [1, 1], c((p reset r i, t reset r i )) = [0, 0] an ι(p ri ) = [0, 1]. This is illustrate in Figure 4.1a. The number of tokens on p ri inicates the value of the register. Notice the invariant on the register which isallows tokens with an age greater than 1. Placing a token on p reset r i allows us to reset the age of all tokens of age 1 in the register. F 2 contains the arcs for the increment instructions. For each increment instruction I j : r i := r i + 1; goto I k ;, we a the following arcs to F 2 (p j, t j ), (t j, p reset r 2 ), (t j, q j ), (t j, p reset r 1 ), (p reset r 2, t goto j ), (q j, t goto j ), (p reset r 1, t goto j ), (t goto j, p count ), (t goto j, p k ), (t goto j, p ri ) where c((p j, t j )) = [1, 1], c((p reset r 2, t goto j )) = [0, 0], c((q j, t goto j )) = [0, 0] an c((p reset r 1, t goto j )) = [0, 0]. 19

26 Chapter 4 Uneciability Results for Time-Arc Petri Nets This is illustrate in Figure 4.1c. Notice that we require a elay of one time unit before firing t j. Because of this, we allow tokens in each register to be reset (by placing tokens on p reset r 1 an p reset r 2 ). Following this, by firing t goto j a token is ae to p count, register r i is incremente by aing a token to p ri an control is given to the next instruction I k by placing a token on p k. F 3 contains the arcs for the test an ecrement instructions. For each test an ecrement instruction I j : if r i > 0 then r i := r i 1; goto I k ; else goto I l ;, we a the following arcs to F 3 (p j, t else 1 j ), (p j, t then j ), (p ri, t then j ), (t else 1 (p reset r 3 i, t else 2 j ), (t else 2 c((p j, t else 1 j j, p l ), (t else 2 j j, q j ), (t else 1 j, p count ), (t then j, p reset r 3 i ), (q j, t else 2 j ),, p count ), (t then, p k ) where )) = [1, 1], c((p j, t then j )) = [0, 0], c((p ri, t then j )) = [0, 0], c((p reset r 3 i, t else 2 j )) = [0, 0] an c((q j, t else 2 j )) = [0, 0]. This is illustrate in Figure 4.1. Notice that when we follow the else branch (firing transition t else 1 j ), we can only reset the ages of tokens in the register on which we are not testing for emptiness. F 4 contains the arcs for the HALT instruction. Formally it is efine as F 4 = {(p e, t e ), (t e, p count ), (t e, p halt )} where c((p e, t e )) = [1, 1]. This is illustrate in Figure 4.1b. Again we require a time elay of one time unit before t e can be fire an a token place at p halt. The flow relation F can then be efine as the union of the four parts, i.e. F = F 1 F 2 F 3 F 4 an we let ι(p) = [0, ) for all p P \ {p r1, p r2 }. We efine the initial marking M 0 such that M 0 (p 1 ) = {0} an M 0 (p) = for all p P \ {p 1 }. Let (N, M 0 ) be the marke TAPN(inv) simulating a given 2-CM. Notice that every place in the net except for p r1, p r2, p count is 1-safe (i.e. contains at most one token). In a correct simulation of the 2-CM by our net, a configuration (j, v 1, v 2 ) of the 2-CM correspons to any marking M where M(p j ) = {0}, M(p ri ) = {0, 0,..., 0} }{{} v i times for i {1, 2}, (4.1) M(p count ) = n where n N 0 an M(p) = for all p P \ {p j, p r1, p r2, p count }. We will now escribe how to simulate the three types of instructions of a 2-CM in a correct way. Assume there is a token of age 0 in p j. If I j is an increment instruction, we nee to elay for one time unit in orer to enable t j (see Figure 4.1c). Because we elaye one time unit, all tokens in the registers j 20

27 Section 4.3 Time-Arc Petri Nets with Invariants are now of age 1. In a correct simulation, we fire repeately transitions t reset r 1 an t reset r 2 until all tokens in p r1 an p r2 are of age 0. Note that it is possible to cheat in the simulation, as it is possible to leave some tokens of age 1 in p r1 or p r2 when firing t goto j. If I j is a test an ecrement instruction there are two possibilities (see Figure 4.1). If there is a token of age 0 at p ri, we fire t then j in orer to ecrement the number of tokens in register r i, an han over the control to I k by placing a token on p k. Otherwise, in the correct simulation we elay one time unit before firing t else 1 j. Then we reset the age of all the tokens in the other register, p r3 i to 0. We then procee by firing t else 2 j. This will han over control to instruction I l by placing a token on p l. Again note that it is possible to cheat in the simulation, either by leaving tokens of age 1 at p r3 i when proceeing to the next instruction or by taking the else-branch even though there is a token at p ri (because the net oes not force us to fire transition t then j when it is enable). If I j is the halt instruction, we elay one time unit before we fire the last transition t e an a a token to p halt. After every instruction one token is ae to p count. We will now prove a lemma etailing what happens if we cheat. Lemma 15 Let (j, v 1, v 2 ) be the current configuration of a 2-CM CM, (N, M 0 ) the associate TAPN(inv) an M a marking corresponing to (j, v 1, v 2 ) (see Equation 4.1). If the net cheats then uring the simulation of CM in the next computation step it is not possible to simulate an increment instruction, go to the halt state, nor to take the else-branch of a test an ecrement instruction. Further, the net can o at most v 1 + v 2 ecrements before getting stuck. Proof We can perform an incorrect simulation in two ways: If all tokens in p r1 an p r2 are not reset to age 0 in an increment or test an ecrement instruction before going to the next instruction. In a test an ecrement instruction, the net can fire the transition t else 1 j even if there is a token of age 0 in p ri. This is possible by elaying 1 time unit to enable the transition. However, this will result in the tokens in p ri having age 1 an these can not be reset before going to the next instruction. In both cases we en up in a marking M where there is at least one token of non-zero age in either p r1 or p r2. Observe that the simulation of increment, halt an the elsebranch of a test an ecrement instruction all require a elay of 1 time unit (see Figure 4.1) which woul violate the invariants ι(p r1 ) or ι(p r2 ). Thus, the only possibility is to take the then-branch of a test an ecrement instruction. However, this is only possible as long as there are tokens of age 0 in p r1 or p r2. There are v 1 an v 2 tokens in p r1 an p r2, repectively. Thus, the net can o at most v 1 + v 2 ecrements before getting stuck. 21

28 Chapter 4 Uneciability Results for Time-Arc Petri Nets Uneciability Results First we prove the uneciability of the place-bouneness problem. Lemma 16 Given a 2-CM CM an the associate TAPN(inv) (N, M 0 ), CM halts if an only if N is place-boune. Proof We start by proving that if N is place-boune then CM halts. Assume that N is place-boune for some k. Further, assume by contraiction that CM oes not halt. After simulating k + 1 computational steps of CM correctly, the net will be in a marking M where M(p count ) = k + 1. This is a contraiction to the assumption that N is place-boune for k. Now we prove the implication in the other irection. Assume that CM halts in n steps. We will show that N is place-boune for 2n. If we simulate CM correctly, there will be at most n tokens at the registers, an exactly n tokens at p count. Hence, the net must cheat in orer to become unboune. In the worst case, it cheats at the last step, when there are at most n 1 tokens in the registers an n 1 tokens at p count. Then we have that the net is place-boune for 2n since there will be at most 2(n 1) tokens at p count by Lemma 15. From Lemma 16 we conclue the following theorem. Theorem 17 The place-bouneness problem is uneciable for TAPN(inv). We now prove the uneciability of the coverability problem. Lemma 18 Let M be a marking such that M(p halt ) = {0} an M(p) = for all p P \ {p halt }. Given a 2-CM CM an the associate marke TAPN(inv) (N, M 0 ), as efine above, CM halts if an only if M is coverable from M 0. Proof First we prove that if CM halts then M is coverable from M 0. Assume that the CM halts. By simulating CM correctly in N, we can easily see that we reach a marking M, with a token in p halt, hence M (p) M(p) for all p P. Now we prove that if M is coverable from M 0 then CM halts. Assume that M is coverable from M 0. By assumption there exists a reachable marking M such that M (p) M(p) for all p P. By efinition of coverability, it hols that 0 M (p halt ) an by Lemma 15 this is only possible if we simulate CM correctly in the net, hence CM halts. From Lemma 18 we conclue the following theorem. Theorem 19 The coverability problem is uneciable for TAPN(inv). 22

29 Section 4.4 Conjectures 4.4 Conjectures There are still open problems for some TAPN extensions an in this section we will present conjectures for these problems. Let us start by consiering coverability for TAPN(reset) (TAPN extene with reset arcs). Dufour et al. [21] showe that coverability is eciable for so-calle Reset Post G-nets, which are basically untime Petri nets with reset arcs an the ability to have polynomials as weights on output arcs. Thus, untime Petri nets with reset arcs are a subclass of Reset Post G-nets where all output arcs have weight 1. The aition of reset arcs oes not break the monotonicity property of TAPN, i.e. for two markings M an M where M M, if M t for some transition t then M t. In other wors, it is not possible to isable transitions by aing aitional tokens to a marking. This is easy to see since reset arcs oes not influence the enableness of transitions but only have an effect when firing a transition. This means that it shoul be possible to use the concept of existential zones to escribe upwar-close sets of markings. Thus, it shoul be possible to prove the eciability of coverability for TAPN(reset) by extening the concepts an proofs in [3] to support reset arcs. Conjecture 20 The coverability problem is eciable for TAPN(reset). Bouyer et al. [15] prove that coverability is eciable for TAPN extene with socalle rea arcs which allow for testing for the presence of tokens without consuming any tokens when a transition is fire. The proof is an extension of the proof by Abulla an Nylén [3]. Transport arcs are a generalization of rea arcs an as for reset arcs they o not break the monotonicity property of TAPN. Thus, it shoul be possible to extene the proof in [3] to support transport arcs. Conjecture 21 The coverability problem is eciable for TAPN(tarc). It shoul be possible to use the algorithm by Abulla et al. [4] (which is an extension of the coverability tree algorithm by Karp an Miller [32]) to ecie bouneness for TAPN(tarc). Conjecture 22 The bouneness problem is eciable for TAPN(tarc). 4.5 Summary Table 4.1 shows a summary of the uneciability results mentione in this chapter. Deciable problems are inicate by an uneciable problems are inicate by. Further, our results are marke with an conjectures are marke with?. 23

30 Chapter 4 Uneciability Results for Time-Arc Petri Nets Reachability Coverability Bouneness TAPN [38] [3] [4] TAPN(inv) [38] TAPN(tarc) [38]?? TAPN(inhib) [38] [23] [23] TAPN(prio) [38] [23] [23] TAPN(reset) [38]? [21] Table 4.1: Deciability Results 24

31 Chapter 5 Time Computation Tree Logic In this chapter, we shall explain the syntax an semantics of Time Computation Tree Logic (TCTL) inspire by Penczek an Pólrola [36]. However, unlike [36] which only consier infinite maximal runs, we treat TCTL in its full generality, incluing finite maximal runs in which the computation gets stuck. We shall focus on TCTL formulae interprete over continous time moels. We assume a set AP of atomic propositions. A TCTL formula is given by the abstract syntax: ϕ ::= ϕ ϕ 1 ϕ 2 ϕ 1 ϕ 2 A(ϕ 1 U I ϕ 2 ) E(ϕ 1 U I ϕ 2 ) A(ϕ 1 R I ϕ 2 ) E(ϕ 1 R I ϕ 2 ), where AP is an atomic proposition an I I is a time interval as efine on page 9. We enote the set of all TCTL formulae over the set of atomic propositions AP as Φ(AP). Note that if we remove the operators E(ϕ 1 R I ϕ 2 ) an A(ϕ 1 U I ϕ 2 ) from the above syntax we get the so-calle safety fragment of TCTL. A run in a TTS (S,, AP, µ) is a (finite or infinite) alternating sequence of time elays an iscrete transitions of the form ρ = s 0 0 s 0 s 1 1 s 1 s such that s i, s i S for all i 0. For completeness, let us state the intuition behin the operators. The U stans for Until an the R stans for Release. A(ϕ 1 U I ϕ 2 ): On all runs ϕ 2 must eventually hol within the interval I, an until it oes, ϕ 1 must hol continuously. E(ϕ 1 U I ϕ 2 ): There exists a run such that ϕ 2 eventually hols within the interval I, an until it oes, ϕ 1 hols continuously. A(ϕ 1 R I ϕ 2 ): On all runs either ϕ 2 always hols within the interval I or ϕ 1 occurre previously. E(ϕ 1 R I ϕ 2 ): There exists a run such that either ϕ 2 always hols within the interval I or ϕ 1 occurre previously. 25

32 Chapter 5 Time Computation Tree Logic We shall now efine the semantics of TCTL formulae. Let T = (S,, AP, µ) be a TTS. A run ρ is sai to be a maximal run if it cannot be extene any further by time elays or iscrete transitions. Formally, there are three ways a run ρ can be maximal: (i) ρ is an infinite alternating sequence of the form ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s 2 2 s2 [ 2 ] s (ii) ρ is a finite alternating sequence of the form where ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ]... s n means that s n s n [] for all R 0, or (iii) ρ is a finite alternating sequence of the form: ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ]... s n n Alternatively the run can be of the form ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ]... s < n n such that for any R 0 where > n (resp. n for the alternate form), we have that s n an for any R 0 where n (resp. < n ), whenever s n s n [ ] then s n [ ]. Intuitively, the three conitions above escribe the possible ways in which a run can be maximal. The first case is an infinite alternating sequence of time elays an iscrete transitions. In the secon case the run ens in a state where time can iverge, that is a state where any time elay is possible. Finally, the thir case escribes a run which en in a state from which it is not possible to o a iscrete transition after any time elay. Note that there are two ifferent forms for such a run: the final time elay n can either be inclue or not ( n an < n respectively). This case iffers from the secon case in that time cannot iverge for these runs (any time elay greater than n is not possible), however, whenever a time elay is possible we are certain that no iscrete transition is possible afterwars. Let the set of all maximal runs ρ in T starting from s be enote by Runs(T, s) Figure 5.1 illustrates part of the maximal run ρ = s 0 s 0 [1] s s 1 [2.5] s 2 s 2 [2] s 3 s 3 [1.3] s The x-axis inicates elapse time. Note that iscrete transitions take zero time units (which is why iscrete transitions are rawn as vertical lines) an that, although not shown in this 26

33 s 1 s 1 [2.5] s 3 s 3 [1.3] s 0 s0 [1] s 2 s2 [2] s Figure 5.1: An illustration of the concrete run ρ = s 0 s 0 [1] s 1 s 1 [2.5] s 2 s 2 [2] s 3 s 3 [1.3] s time example, time elays can be zero. Hence, it is possible to o multiple iscrete transitions in succession without any time progression in between. Further, there is no special meaning as to whether the arrow for a iscrete transition goes up or own, this is simply to keep the figure small. For a maximal run ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s , an inex i N an a non-negative real R 0 we let i 1 r(i, ) = j=0 j +. Intuitively, r(i, ) enotes the total time elapse from the beginning of the run up to some elay after the i-th iscrete transition. Definition 23 For each maximal run ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s , we efine a preicate vali ρ : N R 0 I {true, false} as follows: i r(i, ) I if i R 0 r(i, ) I if i = vali ρ (i,, I) = < n r(i, ) I if i = < n n r(i, ) I if i = n Intuitively, the arguments, i, together escribe a possible state s i [] in the run ρ an this state lies within the interval I. Figure 5.2 illustrates a run ρ = s 0 0 s 0 [ 0 ] s 1 1 s1 [ 1 ] s 2 2 s2 [ 2 ]... an three points (marke with ). Note that although time elays appear ientical in the figure they can be of ifferent length (even zero). We see in Figure 5.2 that vali ρ (1,, I) is false because s 1 [] lies outsie the interval I. Similarly, vali ρ (2,, I) is false because s 2 [ ] is not a part of the run (since > 2 ). Finally, vali ρ (2,, I) is true because s 2 [ ] is a part of the run an within I. Finally, we efine a function enoting the history of a run at some specifie point. 27

34 Chapter 5 Time Computation Tree Logic s 1 1 s 1 [ 1 ] s 1 [] s 3 3 s 3 [ 3 ] 0 s 0 s0 [ 0 ] 2 s 2 [ ] s 2 s 2 [ ] s2 [ 2 ] 4... s 4 I time Figure 5.2: An illustration of a run ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s 2 2 s 2 [ 2 ] s 3 3 s3 [ 3 ] s Definition 24 For a run ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s , we let history ρ : N R 0 N R 0 be a function which given an inex i an a elay, returns the pairs (j, ) that constitute all previous states s j [ ] in the run: history ρ (i, ) = {(j, ) j < i j } {(i, ) < } The satisfaction relation s = ϕ is efine inuctively for a state s S in a TTS T an a formula ϕ as follows: s = s = ϕ iff µ(s) iff s = ϕ s = ϕ 1 ϕ 2 iff s = ϕ 1 an s = ϕ 2 s = ϕ 1 ϕ 2 iff s = ϕ 1 or s = ϕ 2 s = A(ϕ 1 U I ϕ 2 ) iff ρ Runs(T, s). s = E(ϕ 1 U I ϕ 2 ) iff ρ Runs(T, s). s = A(ϕ 1 R I ϕ 2 ) iff ρ Runs(T, s). s = E(ϕ 1 R I ϕ 2 ) iff ρ Runs(T, s). i 0. R 0. [vali ρ (i,, I) s i [] = ϕ 2 (j, ) history ρ (i, ). s j [ ] = ϕ 1 ] i 0. R 0. [vali ρ (i,, I) s i [] = ϕ 2 (j, ) history ρ (i, ). s j [ ] = ϕ 1 ] i 0. R 0. vali ρ (i,, I) [ si [] = ϕ 2 (j, ) history ρ (i, ). s j [ ] = ϕ 1 ] i 0. R 0. vali ρ (i,, I) [ si [] = ϕ 2 (j, ) history ρ (i, ). s j [ ] = ϕ 1 ] 28

35 s 0 = E(ϕ 1 U I ϕ 2 ) s 0 s 0 ϕ 1 s 1 s 1 s 2 s 2 ϕ 2 s 3 s 3 s 4... Figure 5.3: Illustration of a run satisfying an until formula. I time s 0 = E(ϕ 1 R I ϕ 2 ) s 0 s 0 s 1 s 1 ϕ 1 s 2 s 2 s 3 s 3 s 4... s 0 = E(ϕ 1 R I ϕ 2 ) s 0 s 0 s 1 s 1 s 2 s 2 ϕ 2 s 3 s 3 s 4... s 0 = E(ϕ 1 R I ϕ 2 ) s 0 s 0 s 1 s 1 s 2 s 2 ϕ 2 ϕ 1 ϕ 2 s 3 s 3 s 4... s 0 = E(ϕ 1 R I ϕ 2 ) s 1 s 1 s 2 s 0 s 0 ϕ 2 s 2 time Figure 5.4: Illustration of runs satisfying an release formula. Notice that there are four ways a release formula can be satisfie. I 29

36 Chapter 5 Time Computation Tree Logic A: s 2 {p} 2.1 s 3 {p} s 4 {q} 1.2 s 1 s 0 {p, q} {p, q} s 5 s s 7 s 8 {p} {p} {p, q} B: t 0 {q} 1.5 t 1 {q} t 2 {p} 1 t 3 {p} t 4 2 t 5 {q} t 6 {q} 0.5 t 7 {q} 1.2 t 8 {q} Figure 5.5: Two example TTSs. Figure 5.3 illustrates the satisfaction of an until formula an Figure 5.4 illustrates the satisfaction of a release formula. The figure illustrates where the two subformulae ϕ 1 an ϕ 2 must hol. In particular, notice that there are four possible ways for a release formula to be satisfie. First, ϕ 1 may have occurre in the past (outsie the interval), which releases ϕ 2, effectively ensuring that ϕ 2 nee not hol in the interval I at all. Seconly, ϕ 2 may not be release, which means that it must hol continuously within the entire interval I. Thirly, ϕ 2 can hol continuously in the interval I, until some point in the interval where ϕ 1 ϕ 2 hols, thereby releasing ϕ 2. Finally, ϕ 2 can hol continuously in the interval I until the run ealocks. As a concrete example consier the two TTSs in Figure 5.5. For both TTSs we 1.2 have a set of atomic propositions AP = {p, q}. Consier the maximal run ρ = s s 1 s 2 s 3 s 4 in A. This run witnesses the property E(p U [2,4] q) an thus we have that s 0 = E(p U [2,4] q). For B, the two maximal runs ρ = t 0 t 1 t 2 t 3 t 4 ρ = t 0 2 t 4 t t 6 t t 8 t means we have that t 0 = A(p R [2,3] q). Penczek an Pólrola [36] mention that for CTL the operators R an U are ual. However, they o not say if this is the case for TCTL. Thus, we will now show that they are infact still ual for TCTL. Lemma 25 Let T = (S,, AP, µ) be a TTS an let s S. Then s = A(ϕ 1 R I ϕ 2 ) if an only if s = E( ϕ 1 U I ϕ 2 ) 30

37 Proof ( ): Assume s = A(ϕ 1 R I ϕ 2 ). We will show that s = E( ϕ 1 U I ϕ 2 ). Assume by contraiction that s = E( ϕ 1 U I ϕ 2 ). This means that there exists a maximal run ρ starting from s such that there exists an i 0 an a R 0 such that vali ρ (i,, I) is true, s i [] = ϕ 2 an for all (j, ) history ρ (i, ) it hols that s j [ ] = ϕ 1. This is a contraiction to the assumption that s = A(ϕ 1 R I ϕ 2 ) which by efinition means that for all maximal runs ρ starting from s, all i 0 an all R 0 it hols that vali ρ (i,, I) implies that either s i [] = ϕ 2 or there exists a (j, ) history ρ (i, ) such that s j [ ] = ϕ 1. Thus, it follows that s = A(ϕ 1 R I ϕ 2 ) implies s = E( ϕ 1 U I ϕ 2 ). ( ): Assume that s = E( ϕ 1 U I ϕ 2 ). This means that for all maximal runs ρ starting from s, all i 0 an all R 0 it hols that either vali ρ (i,, I) is not true or s i [] = ϕ 2 or there exist a (j, ) history ρ (i, ) such that s j [ ] = ϕ 1. By removing the ouble negations we see that this matches exactly the efinition of s = A(ϕ 1 R I ϕ 2 ) which says that for all maximal runs ρ starting from s, all i 0 an all R 0 it hols that if vali ρ (i,, I) is true, then either s i [] = ϕ 2 or there exists a (j, ) history ρ (i, ) such that s j [ ] = ϕ 1. Thus, we have E( ϕ 1 U I ϕ 2 ) implies s = A(ϕ 1 R I ϕ 2 ). Lemma 26 Let T = (S,, AP, µ) be a TTS an let s S. Then s = A(ϕ 1 U I ϕ 2 ) if an only if s = E( ϕ 1 R I ϕ 2 ) Proof ( ): Assume s = A(ϕ 1 U I ϕ 2 ). We will show that s = E( ϕ 1 R I ϕ 2 ). Assume by contraiction that s = E( ϕ 1 R I ϕ 2 ), this means that there exists a maximal run ρ starting from s s.t. for all i 0 an for all R 0 if vali ρ (i,, I) is true, then it hols that s i [] = ϕ 2 or there exist a (j, ) history ρ (i, ) s.t. s j [ ] = ϕ 1. This is a contraiction to the assumption that s = A(ϕ 1 U I ϕ 2 ), which by efinition means that for every maximal run ρ starting from s there exists an i 0 an a R 0 such that vali ρ (i,, I) is true, s i [] = ϕ 2 an for all (j, ) history ρ (i, ) it hols that s j [ ] = ϕ 1. Then it follows that s = E( ϕ 1 R I ϕ 2 ) an thus s = A(ϕ 1 U I ϕ 2 ) implies s = E( ϕ 1 R I ϕ 2 ) ( ): Assume by contraposition that s = A(ϕ 1 U I ϕ 2 ). By efinition this means that there exists a maximal run ρ starting from s s.t. for all i 0 an all R 0 either vali ρ (i,, I) is not true or s i [] = ϕ 2 or there exist a (j, ) history ρ (i, ) s.t. s j [ ] = ϕ 1. This matches exactly the efinition of s = E( ϕ 1 R I ϕ 2 ) which says that there exists a maximal run ρ starting from s s.t. for all i 0 an all R 0 if vali ρ (i,, I) is true then either s i [] = ϕ 2 or there exists (j, ) history ρ (i, ) s.t. s j [ ] = ϕ 1. Thus we have that s = E( ϕ 1 R I ϕ 2 ) implies s = A(ϕ 1 U I ϕ 2 ). 31

38

39 Chapter 6 TCTL-Preserving Framework There are several examples in the literature of translations from one time-epenent framework to another, see e.g. [15, 17, 18, 20, 29]. Usually, a time-epenent system A (e.g. a TAPN) an a formula ϕ are translate into another time-epenent system B (e.g. an NTA) an a translate formula ϕ such that A = ϕ iff B = ϕ or the two systems are shown equivalent up to some equivalence relation (e.g. bisimulation). However, the correctness of each of these translations requires a istinct proof. Our goal is to generalize this by introucing a framework, in the form of a oneby-many corresponence, which is a relation between the states of TTSs A an B. Intuitively, when the states of A an B are relate by a one-by-many corresponence we can simulate one step in A by a number of steps in B. If we can establish such a relation between states of A an B, then that will allow us to conclue that the translation from A to B preserves the full TCTL (or only the safety fragment epening on the requirements fulfille by the relation). Our framework can be seen as a generalization of the ieas by Cassez an Roux [18]. While their iea solely concerns a translation from time Petri nets to networks of time automata, our framework works at the level of time transition systems, making it inepenent of the moeling formalisms use. Moreover, the etails of TCTL an runs are incomplete in [18]. Our framework hanles TCTL in its full generality, as use in state-of-the-art verification tools like UPPAAL [2], making it irectly applicable to tool evelopers. In the rest of this chapter, we shall use A an B to refer to the original an translate system, respectively. 6.1 Stable Proposition As mentione, B is simulating a single step of A by a sequence of steps. Therefore, A an B are only comparable in the states before an after this sequence has been performe. We say that B is stable in these states. Formally, we introuce an atomic proposition stable in the system B as a istinguishe atomic proposition. We will refer to states in B which satisfy the proposition 33

40 Chapter 6 TCTL-Preserving Framework stable as stable states an the other states as intermeiate states. We will now efine three properties that B shoul possess in orer to fit into our framework. Definition 27 (TTS Properties) A TTS (S,, AP, µ) where stable AP is sai to be a no-elay-in-intermeiate-state TTS if s for some > 0 implies s = stable for all s S, a elay-preserves-stable TTS if for any state s S such that s = stable, if s s[] then s[] = stable for all R 0, an an eventually-stable TTS if for any infinite sequence of iscrete transitions of length at least one ρ = s 0 s 1 s 2 s 3 s 4... where s 0 = stable, there exists an i 1 such that s i = stable, an for any finite sequence ρ = s 0 s 1 s n where s 0 = stable, there exists an i n such that s i = stable. We refer to such sequences as maximal iscrete sequences. Observe that in a no-elay-in-intermeiate-state TTS, it is only possible to o time elays of 0 in any intermeiate state. Further, notice that in an eventually-stable TTS, whenever an intermeiate state is reache from a stable state, we will eventually return to a stable state. We will now efine a shorthan for the notion of a sequence of intermeiate states between two stable states. Definition 28 Let (S,, AP, µ) be a TTS such that stable AP. For states s, s S we write s s if s = stable an s = stable, an s = s 0 s 1 s 1 s 2 s n 1 s n = s such that s j = stable for 1 j n 1. We have inclue zero elays in the efinition of in orer to preserve the alternating nature of the sequence. This allows us to construct alternating runs using which is neee when ealing with maximal runs. 34

41 Section 6.2 One-By-Many Corresponence 6.2 One-By-Many Corresponence We will now efine the notion of one-by-many corresponence, which is a relation between states in two TTSs. Definition 29 Let A = (S, A, AP A, µ A ) an B = (T, B, AP B, µ B ) be two TTSs, where stable AP B. We say that a relation R S T is a one-by-many corresponence if B is a no-elay-in-intermeiate-state an elay-preserves-stable TTS an there exists a function tr p : AP A AP B such that whenever s R t then 1. t = stable, 2. s = iff t = tr p ( ) for all AP A, 3. if s s then t t an s R t, 4. if s s[] then t t[] an s[] R t[] for all R 0, 5. if t t then s s an s R t, an 6. if t t[] then s s[] an s[] R t[] for all R 0. If B is moreover an eventually-stable TTS, then we say that R is a complete oneby-many corresponence. We write s = t (resp. s =c t) if there exists a relation R such that s R t an R is a one-by-many corresponence (resp. complete one-by-many corresponence). Remark 30 Notice that if all states in B are stable, Definition 29 efines a strong time bisimulation between states in A an B, since all transitions are of length one. Consier Figure 6.1. The set of propositions for the TTS A is AP A = {p, q} an the sets of propositions for the TTSs B an C are AP B = AP C = {p, q, stable}. We assume that consecutive iscrete actions are separate by a 0 time elay. Then {(s 0, t 0 ), (s 1, t 1 ), (s 2, t 4 ), (s 3, t 6 ), (s 2, t 7 )} is a complete one-by-many corresponence relating the states of A an B. The relation {(s 0, u 0 ), (s 1, u 1 ), (s 2, u 4 ), (s 3, u 7 )} is a one-by-many corresponence for the systems A an C. Notice that system C is not an eventually-stable TTS since both of the maximal sequences ρ = u 1 u 2 u 3 ρ = u 1 u 5 u 6 u 6 u 6 break this property. Let us now introuce some notation for relating runs in the two systems. 35

42 Chapter 6 TCTL-Preserving Framework {stable, q} A: 4.4 s 1 s 0 {p, q} {p, q} s 2 {q} {p, q} s 3 B: {stable, p, q} t t 7 t 1 {stable, p, q} t 2 {q} t 5 t 3 t 4 {p, q} {stable, q} {stable, p, q} t 6 C: {stable, p, q} u 0 {stable, q} 4.4 u 1 u 4 u 2 u 3 {stable, p, q} {stable, p, q} u 5 u 6 u 7 Figure 6.1: Three example TTSs. Definition 31 Let A = (S, A, AP A, µ A ) an B = (T, B, AP B, µ B ) be two TTSs, where stable AP B. For two finite alternating runs ρ in A an ρ in B of the form ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s n n sn [ n ] ρ = t 0 0 t0 [ 0 ] t 1 1 t1 [ 1 ] t n n tn [ n ] we write ρ = ρ if s i [] = ti [] for all i n an all i. We can generalize this notion of relate runs to maximal runs. Definition 32 Let A = (S, A, AP A, µ A ) an B = (T, B, AP B, µ B ) be two TTSs, where stable AP B. For two maximal runs ρ in A an ρ in B we write ρ = ρ if ρ is an infinite maximal run ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s 2 2 s2 [ 2 ]..., ρ is an infinite maximal run ρ = t 0 0 t0 [ 0 ] t 1 1 t1 [ 1 ] t 2 2 t2 [ 2 ]..., an s i [] = ti [] for all i 0 an all i, or ρ is a finite maximal run of the form ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s 2 δ 2 s2 [ 2 ]... s n, 36

43 Section 6.2 One-By-Many Corresponence ρ is a finite maximal run of the form ρ = t 0 0 t0 [ 0 ] t 1 1 t1 [ 1 ] t 2 δ 2 t2 [ 2 ]... t n, for some δ {, n, < n } such that, s i [] = ti [] for all i < n an all i, s n [] = tn [] for all R 0 if δ =, s n [] = tn [] for all n if δ = n an s n [] = tn [] for all < n if δ = < n. Let us now establish a relationship between finite non-maximal runs in systems A an B. Lemma 33 Let A = (S, A, AP A, µ A ) an B = (T, B, AP B, µ B ) be two TTSs, where stable AP B. Further let s 0 S an t 0 T be such that s 0 = t0. Then there exists a finite run ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s n n sn [ n ] in A if an only if there exists a finite run ρ = t 0 0 t0 [ 0 ] t 1 1 t1 [ 1 ] t n n tn [ n ] in B such that ρ = ρ. Proof ( ): Assume that there exists a run ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s n n sn [ n ] in A. By inuction on i an using conition 3 an 4 of Definition 29 we can construct a run ρ = t 0 0 t0 [ 0 ] t 1 1 t1 [ 1 ] t n n tn [ n ] in B. ( ): Assume that there exists a run ρ = t 0 0 t0 [ 0 ] t 1 1 t1 [ 1 ] t n n tn [ n ] in B. By inuction on i an using conition 5 an 6 of Definition 29 we can construct a run ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s n n sn [ n ] in A. Notice that Lemma 33 requires the run in B to have a specific form. Thus, there may exist runs in B for which no relate run in A exists. Let us now introuce a lemma that is a irect consequence of the efinition of a complete one-by-many corresponence. Lemma 34 Let A = (S, A, AP A, µ A ) an B = (T, B, AP B, µ B ) be two TTSs, where stable AP B. Further let s 0 S an t 0 T be such that s 0 =c t 0. Then there exists a maximal run ρ Runs(A, s 0 ) if an only if there exists a maximal run ρ Runs(B, t 0 ) such that ρ =c ρ. 37

44 Chapter 6 TCTL-Preserving Framework Proof ( ): We shall prove this lemma in two steps, first for infinite maximal runs an then for finite maximal runs. Let ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s 2 2 s2 [ 2 ]..., be any infinite maximal run in A. Since s 0 =c t 0, we have by inuction on the inex i of states an using conition 3 an 4 of Definition 29 that there exists an infinite maximal run ρ in B of the form ρ = t 0 0 t0 [ 0 ] t 1 1 t1 [ 1 ] t 2 2 t2 [ 2 ]..., where s i [] =c t i [] for all i 0 an all i. Thus, ρ =c ρ. Now let ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s 2 δ 2 s2 [ 2 ]... s n, be any finite maximal run in A where δ {, n, < n }. Since s 0 =c t 0, we shall construct a finite maximal run in B of the form ρ = t 0 0 t0 [ 0 ] t 1 1 t1 [ 1 ] t 2 δ 2 t2 [ 2 ]... t n. Using Lemma 33 an noticing that the lemma also works with runs ening with a iscrete action, it follows that from the prefix of ρ up to an incluing s n (referre to as ρ prefix ), we can construct the prefix of ρ up to an incluing t n (referre to as ρ prefix ) such that ρ prefix =c ρ prefix. We shall now hanle the final part of ρ accoring to the value of δ in ρ. δ = In this case, s n s n [] for all R 0. It follows from conition 4 of Definition 29 that t n t n [] such that s n [] =c t n [] for all R 0. Hence ρ =c ρ. δ = n In this case, s n s n [] an s n [] for all n. It follows from conition 4 of Definition 29 that t n t n [] such that s n [] =c t n [] an from conition 5 of Definition 29 that t n [] for all n. Moreover, by the no-elay-inintermeiate-state an eventually-stable properties of B, it follows that t n [] iff t n [], hence t n [] for all n. Finally, since s n for > n, it follows from conition 6 of Definition 29 that t n for > n. Hence ρ =c ρ. δ = < n In this case, s n s n [] an s n [] for all < n. It follows from conition 4 of Definition 29 that t n t n [] such that s n [] =c t n [] an from conition 5 of Definition 29 that t n [] for all < n. Moreover, by the no-elay-inintermeiate-state an eventually-stable properties of B, it follows that t n [] iff t n [], hence t n [] for all < n. Finally, since s n for n, it follows from conition 6 of Definition 29 that t n for n. Hence ρ =c ρ. 38

45 Section 6.3 Main Theorem ( ): Assume that there exists a (finite or infinite) maximal run in B of the form ρ = t 0 0 t0 [ 0 ] t 1 1 t1 [ 1 ] t 2 2 t2 [ 2 ] where intermeiate states are also inexe. Let j 1 < j 2 < j 3 <... be all the inices such that t ji = stable for all i > 0 (follows from the eventually-stable property of B). Moreover, since B is a no-elay-inintermeiate-state TTS, it follows that if t i = stable then i = 0 for all i > 0. Finally, because B is also a elay-preserves-stable TTS, it follows that whenever t i = stable then t i [ i ] = stable for all i 0. These properties in turn imply that we can write ρ in the form ρ = t 0 0 t0 [ 0 ] t j1 j1 tj1 [ j1 ] t j2 j2 tj2 [ j2 ] Now, following the same strategy as ( ) case, we can conclue that for any ρ, there exist a maximal run ρ Runs(A, s 0 ) such that ρ =c ρ. 6.3 Main Theorem We will now escribe how to translate TCTL formulae for A to formulae for B. Definition 35 Let AP A an AP B be sets of atomic propositions with stable AP B an let tr p : AP A AP B be a function translating atomic propositions in AP A to atomic propositions in AP B. We efine a TCTL translation function tr : Φ(AP A ) Φ(AP B ) in the following manner: tr( ) = tr p ( ) tr( ϕ 1 ) = tr(ϕ 1 ) tr(ϕ 1 ϕ 2 ) = tr(ϕ 1 ) tr(ϕ 2 ) tr(ϕ 1 ϕ 2 ) = tr(ϕ 1 ) tr(ϕ 2 ) tr(e(ϕ 1 U I ϕ 2 )) = E((tr(ϕ 1 ) stable)u I (tr(ϕ 2 ) stable)) tr(a(ϕ 1 U I ϕ 2 )) = A((tr(ϕ 1 ) stable)u I (tr(ϕ 2 ) stable)) tr(e(ϕ 1 R I ϕ 2 )) = E((tr(ϕ 1 ) stable)r I (tr(ϕ 2 ) stable)) tr(a(ϕ 1 R I ϕ 2 )) = A((tr(ϕ 1 ) stable)r I (tr(ϕ 2 ) stable)) As an example consier Figure 6.1. The maximal run ρ = s 0 s 1 s 2 in system A witnesses the property E(pU [3,5] q). Similarly, one possible witness in system B for the formula E((p stable)u [3,5] (q stable)) is ρ = t 0 t 1 t 4. We are now reay to prove the main theorem of this chapter. Theorem 36 Let A = (S, A, AP A, µ A ) an B = (T, B, AP B, µ B ) be two TTSs such that stable AP B. Further, let s 0 S an t 0 T be such that s 0 =c t 0. Then for any TCTL formula ϕ, s 0 = ϕ if an only if t 0 = tr(ϕ). 39

46 Chapter 6 TCTL-Preserving Framework Proof We shall prove this theorem by structural inuction on ϕ. By Lemma 25 an Lemma 26 it is sufficient to hanle the operators, ϕ, ϕ 1 ϕ 2, ϕ 1 ϕ 2, E(ϕ 1 U I ϕ 2 ) an E(ϕ 1 R I ϕ 2 ). ϕ =, ϕ = ϕ 1, ϕ = ϕ 1 ϕ 2 an ϕ = ϕ 1 ϕ 2 : Follows trivially from the inuction hypothesis an the efinition of =c. ϕ = E(ϕ 1 U I ϕ 2 ): ( ) : Assume that s 0 = A E(ϕ 1 U I ϕ 2 ). Thus, there exists a maximal run ρ Runs(A, s 0 ) that witnesses ϕ. This implies that there exists a prefix of ρ of the form ρ prefix = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s n 1 n 1 s n 1 [ n 1 ] s n s n [], where vali ρ (n,, I), s n [] = A ϕ 2 an s k [ ] = A ϕ 1 for all (k, ) history ρ (n, ). By Lemma 33 there exists a run ρ prefix in B of the form such that ρ prefix =c ρ prefix. ρ prefix = t 0 0 t 0 [ 0 ] t 1 1 t1 [ 1 ] t n 1 n 1 t n 1 [ n 1 ] t n t n [], We want to show that t 0 = B E((tr(ϕ 1 ) stable)u I (tr(ϕ 2 ) stable)). Because s n [] =c t n [] an s n [] = A ϕ 2, we have by the inuction hypothesis that t n [] = B tr(ϕ 2 ) an from conition 1 of Definition 29 we have that t n [] = B stable. Let j be the inex corresponing to the occurrence of t n in the alternating sequence which unfols the steps. Because time elays are equivalent in the two runs, it follows that vali ρ (j,, I) an moreover, for any pair (k, ) history ρ (j, ) either, t k [ ] is an intermeiate state an thus t k [ ] = B stable, or t k [ ] is a stable state. From the construction of ρ prefix it follows that there exists a pair (k, ) history ρ (n, ) such that s k [ ] =c t k [ ]. By the inuction hypothesis an the fact that s k [ ] = A ϕ 1, it follows that t k [ ] = B tr(ϕ 1 ). This means that t k [ ] = B tr(ϕ 1 ) stable. Thus, any maximal run ρ Runs(B, t 0 ) that extens ρ prefix meaning t 0 = B E((tr(ϕ 1 ) stable)u I (tr(ϕ 2 ) stable)). witnesses tr(ϕ), ( ) : Assume t 0 = B E((tr(ϕ 1 ) stable)u I (tr(ϕ 2 ) stable)). Thus, there exists a maximal run ρ in B that witnesses tr(ϕ). By the fact that B is a no-elayin-intermeiate-state an elay-preserves-stable TTS there exists a prefix of ρ 40

47 Section 6.3 Main Theorem of the form ρ prefix = t 0 0 t 0 [ 0 ] t 1 1 t1 [ 1 ] t n 1 n 1 t n 1 [ n 1 ] t n t n [], such that vali ρ (j,, I), t n [] = B tr(ϕ 2 ) stable an t k [ ] = B tr(ϕ 1 ) stable for all (k, ) history ρ (j, ) where j is the inex corresponing to the occurrence of t n in the alternating sequence which unfols the steps as before. By Lemma 33 there exists a run ρ prefix in A of the form ρ prefix = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s n 1 such that ρ prefix =c ρ prefix. n 1 s n 1 [ n 1 ] s n s n [], We want to show that s 0 = A E(ϕ 1 U I ϕ 2 ). Because s n [] =c t n [] an t n [] = B tr(ϕ 2 ) stable, we have by the inuction hypothesis that s n [] = A ϕ 2. Since time elays are equivalent in the two runs, it follows that vali ρ (n,, I). Further, for any pair (k, ) history ρ (n, ), it follows that there exists a (k, ) history ρ (j, ) such that s k [ ] =c t k [ ]. By the inuction hypothesis, it follows that s k [ ] = A ϕ 1 because t k [ ] = B tr(ϕ 1 ) an t k [ ] = B stable. It then follows that any maximal run ρ Runs(A, s 0 ) starting with ρ prefix witnesses ϕ, thus s 0 = A E(ϕ 1 U I ϕ 2 ). ϕ = E(ϕ 1 R I ϕ 2 ): ( ) : Assume that s 0 = A E(ϕ 1 R I ϕ 2 ). By assumption, there exists a maximal run (infinite or finite) ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s 2 2 s2 [ 2 ] in A that witnesses ϕ. This means that for all i 0 an all R 0 if vali ρ (i,, I) is true then either s i [] = A ϕ 2 or there exist a (k, ) history ρ (i, ) s.t. s k [ ] = A ϕ 1. By Lemma 34 it follows that there exists a maximal run ρ = t 0 0 t0 [ 0 ] t 1 1 t1 [ 1 ] t 2 2 t2 [ 2 ] (6.1) in B such that ρ =c ρ (see Definition 32). We want to show that t 0 = B E((tr(ϕ 1 ) stable)r I (tr(ϕ 2 ) stable)). For all k 0 an all R 0, if vali ρ (k,, I) is true then either t k [] is an intermeiate state an then t k [] = B stable, or 41

48 Chapter 6 TCTL-Preserving Framework t k [] is a stable state. This means that t k [] has a istinguishe inex in Equation (6.1). Let h be the inex of t k [] in Equation (6.1). It follows from the construction of the ρ that s h [] =c t h []. There are two cases to consier. Either s h [] = A ϕ 2 an then by the inuction hypothesis it follows that t h [] = B tr(ϕ 2 ), or there exists (l, ) history ρ (h, ) such that s l [ ] = A ϕ 1. From the construction of ρ it follows that there exists a (l, ) history ρ (k, ) such that s l [ ] =c t l [ ]. By the inuction hypothesis, it follows that t l [ ] = B tr(ϕ 1 ) stable. This in turn means that t 0 = B E((tr(ϕ 1 ) stable)r I (tr(ϕ 2 ) stable)). ( ) : Assume that t 0 = B E((tr(ϕ 1 ) stable)r I (tr(ϕ 2 ) stable)). Since B is a no-elay-in-intermeiate-state, elay-preserves-stable an eventually-stable TTS, there exists a maximal run (infinite or finite) ρ = t 0 0 t0 [ 0 ] t 1 1 t1 [ 1 ] t 2 2 t2 [ 2 ] in B that witnesses tr(ϕ). This means that for all i 0 an all R 0 if vali ρ (i,, I) is true then either t i [] = B tr(ϕ 2 ) stable or there exists a (k, ) history ρ (i, ) s.t. t k [ ] = B tr(ϕ 1 ) stable. By Lemma 34 it follows that there exists a maximal run ρ = s 0 0 s0 [ 0 ] s 1 1 s1 [ 1 ] s 2 2 s2 [ 2 ] in A such that ρ =c ρ. We want to show that s 0 = A E(ϕ 1 R I ϕ 2 ). For all k 0 an all R 0, we have that s k [] =c t k [] an whenever vali ρ (k,, I) is true then Either t k [] = B tr(ϕ 2 ) an then by the inuction hypothesis we have that s k [] = A ϕ 2, or there exists some (l, ) history ρ (j, ) where j is the inex corresponing to the occurrence of t k in the alternating sequence which unfols the steps, such that t l [ ] = B tr(ϕ 1 ) stable. From the construction of ρ, it follows that there exists a pair (l, ) history ρ (k, ) such that s l [ ] =c t l [ ]. By the inuction hypothesis, it follows that s l [ ] = A ϕ 1. This in turn means that s 0 = A E(ϕ 1 R I ϕ 2 ). Observe in the proof above that for the case of E(ϕ 1 U I ϕ 2 ) (ually for the case A(ϕ 1 R I ϕ 2 )), we only use Lemma 33 which requires only a one-by-many corresponence. On the other han, to prove the case of E(ϕ 1 R I ϕ 2 ) (ually, A(ϕ 1 U I ϕ 2 )) we use the eventually-stable property an Lemma 34, which requires a complete one-bymany corresponence. Hence, we may conclue the following corollary. 42

49 Section 6.4 Overall Methoology Corollary 37 Let A = (S, A, AP A, µ A ) an B = (T, B, AP B, µ B ) be two TTSs such that stable AP B. Further, let s 0 S an t 0 T be such that s 0 = t0. Then for any formula ϕ from the safety fragment of TCTL s 0 = A ϕ if an only if t 0 = B tr(ϕ) The reason we nee a complete one-by-many corresponence to preserve the full TCTL can be illustrate by consiering systems A an C in Figure 6.1 where {(s 0, u 0 ), (s 1, u 1 ), (s 2, u 4 ), (s 3, u 7 )} is a one-by-many corresponence between states in A an C. In this particular example, s 0 = A A(pU [3,5] q) but u 0 = B tr(a(pu [3,5] q)) = A((p stable)u [3,5] (q stable)). Both of the following maximal runs ρ = u 0 u 1 u 2 u 2 u 3 ρ = u u 1 u 5 0 u 5 u 6 0 u 6 u 6 0 u 6 u 6 0 in C are counter examples to tr(a(pu [3,5] q)). Moreover, there exists no run ρ in A such that ρ = ρ or ρ = ρ. 6.4 Overall Methoology This section will escribe what is neee to apply our framework to actual translations. The following list outlines the steps neee. 1. Give an algorithm that for a given system A constructs a system B with the notion of stable states in B. (a) Show that B is a no-elay-in-intermeiate-state an elay-preserves-stable TTS (an optionally an eventually-stable TTS). 2. Define the proposition translation function tr p : AP A AP B. 3. Define the relation R an show that it fulfills conition 1-6 of Definition Conclue that the translation preserves TCTL (or only the safety fragment if R is only a one-by-many corresponence). 6.5 Applications In Chapter 8 an Chapter 9, we shall present two novel translations from arbitrary boune TAPN to NTA an apply our framework to show that they preserve the full TCTL. To show the applicability of our framework, we shall apply our methoology to translations from the literature. Cassez an Roux [18] give a translation from Time Petri Nets (TPN) to networks of time automata with integer variables which preserves TCTL. They create a time 43

50 Chapter 6 TCTL-Preserving Framework automaton for every transition, as well as a supervisor automaton. A transition automaton can be in one of three states: enable, isable or firing. A global integer array represents the current marking: the integer at inex i gives the number of tokens in place p i. We shall refer to this array as the marking array. Let us briefly escribe how the constructe NTA works. Assume that we want to simulate the firing of transition t i an it is enable. First the supervisor synchronizes with transition automaton A i on the channel pre (naturally, the interval associate with the transition is checke here). This removes any consume tokens from the marking array. Next, the supervisor broacasts on the channel upate. By construction, all automata will participate in this synchronization. This changes the current location of all transition automata to match the enableness/isableness in the TPN (remember the transition automata has a location representing enable an one representing isable). Next, automaton A i can synchronize with the supervisor automaton on the channel post. This as prouce tokens to the marking array. Again, the supervisor broacasts on the upate channel. As before, this involves all automata an the locations of all transition automata are upate to reflect the enableness/isableness of the corresponing transition. Moreover, ue to the use of committe locations, no time can elapse uring this sequence. Our framework can be applie to this translation as follows. First, a state is stable whenever the supervisor can synchronize on a pre channel. Further, the noelay-in-intermeiate-state property is satisfie, since time elays (except 0) are not possible in intermeiate locations. Time elays o not change the current location, hence the elay-preserves-stable property is satisfie. The authors show that any finite run ens in a stable state. This generalizes to maximal runs (for infinite maximal runs, a stable state appears infinitely often) which means that the eventually-stable property is satisfie. Finally, they present a theorem that shows conition 3 6 of our efinition, thus it follows that our framework can be applie to show that their translation preserves the full TCTL. Byg et al. [17] efines a translation from k-boune TAPN to NTA that preserves the safety fragment of a subset of Computation Tree Logic (CTL). First they translate the k-boune TAPN to a TAPN of egree 2 (a net where all transitions have two incoming an two outgoing arcs). The iea is that a transition in the original net is simulate by a number of egree 2 transitions in the egree 2 net, such that input tokens are first remove one-by-one after which the tokens are put into the respective output places one-by-one. During the simulation of a transition, elays cannot occur ue to the use of invariants. A special place calle p lock acts as a mutex, ensuring that the simulations of two transitions cannot interleave. However, extra ealocks are introuce because it is possible to start the simulation of a transition an get stuck miways (e.g. if a token of an appropriate age is not present in one of the input places). Thus, this translation preserves only safety. A TAPN of egree 2 is simulate in an NTA via hanshake synchronizations between two automata (each representing a token). The TAPN of egree 2 is shown strongly time bisimilar to the NTA. Our framework also applies to these translations. First, a marking in the e- 44

51 Section 6.5 Applications gree 2 net is stable whenever a token is in p lock. Because time cannot elapse uring the simulation of a transition, it follows that the unerlying TTS is no-elayin-intermeiate-state. Similarly, the elay-preserves-stable property is fulfille since elays o not change the placement of tokens. We cannot show that the translate system is eventually-stable, since extra ealocks are introuce. The authors prove conition 3-6 of Definition 29 in the paper. Finally. since atomic propositions follow the same style as ours, it follows that our framework can be applie to show that the safety fragment of TCTL is preserve, improving on the result of the paper. Since their secon translation preserves strong time bisimulation, all states are stable an hence, as note in Remark 30, it follows that we can apply our framework to show that it preserves the full TCTL. In Chapter 9 we exten the translation from k-boune TAPN to NTA such that it preserves the full TCTL. In theory, our framework shoul apply to any translation that has been shown to preserve strong time bisimulation, as note in Remark 30 (see e.g. [15, 20, 29] for examples of strong bismulation preserving translations where our framework applies). However, some papers (e.g. [22]) use a non-stanar efinition of strong time bisimulation, which means our framework may not apply to their translations. Cortés et al. [19] presents a translation from 1-safe PRES+ moels (essentially, a generalization of time Petri nets) to time automata. While they o not show any relationship between the two moels (though they implicitly claim that formal TCTL moel checking is possible on 1-safe PRES+ moels using the translation), their translation actually preserves strong time bisimulation, an hence our framework coul be applie to prove the correctness of the translation. 45

52

53 Chapter 7 Networks of Time Automata with Integer Variables Time automata were first introuce by Alur an Dill [5, 6] an have become one of the most well-stuie formalisms for the moeling an verification of real-time systems. While there exists a number of tools for real-time moel checking an verification of time automata, this report will focus on the tool UPPAAL [2], as the UPPAAL is a state-of-the-art verification tool an it is use behin-the-scenes in the verification tool TAPAAL [1]. 7.1 Clocks Before we can introuce the syntax an semantics of a time automaton, we nee to efine some of the main concepts in the formalism. Because time automata, as the name implies, allow for moelling of timing constraints, we nee a way to moel time. This is one via a finite set of real-value clocks C = {c 1, c 2,...} whose elements represent names of clocks. A clock constraint (or guar) is a boolean expression efine by the abstract syntax: g 1, g 2 ::= true c 1 n c 1 c 2 n g 1 g 2 where c 1, c 2 C, n N 0 an {<,, =,, >}. The set of all clock guars over the set of clocks C is enote CG(C). For our purposes, invariants follow the same syntax as guars with the one exception that {, <}. We enote the set of all clock invariants over a set of clocks C as CI (C). A (clock) valuation of C is a function v : C R 0, which for every clock c C returns the value of c. In orer to allow time to pass, we efine a elay operation as follows. Let v be a valuation an a non-negative real. We let v + be the valuation such that (v + )(c) = v(c) + for every c C. Similarly, we nee to be able to reset 47

54 Chapter 7 Networks of Time Automata with Integer Variables clocks. For a subset of clocks r C, we let v[r] be the valuation such that { 0 if c r v[r](c) = v(c) otherwise. A clock valuation v over C satisfies a clock guar g CG(C) or a clock invariant g CI inv (C) (written v = g) if the clock constraint evaluates to true uner the clock assignments of v. Formally, v = g is efine inuctively on the structure of g as follows. v = true v = c 1 n iff v(c 1 ) n v = c 1 c 2 n iff v(c 1 ) v(c 2 ) n v = g 1 g 2 iff v = g 1 an v = g 2 where c 1, c 2 C, n N 0 an {<,, =,, >}. If v oes not satisfy g we write v = g as expecte. 7.2 Integer Variables We will now efine the concept of integer variables in time automata. Let X be a finite set of integer variables. The set of arithmetic variable expressions over X (enote VE(X)) is efine accoring to the following abstract syntax expr 1, expr 2 ::= m x expr 1 expr 2 where m Z, x X an {+, }. efine by the following abstract syntax A variable guar is a boolean expression ϕ 1, ϕ 2 ::= true expr 1 expr 2 ϕ 1 ϕ 2 ϕ 1 ϕ 2 where expr 1, expr 2 VE(X) an {<,, =,, >}. We enote the set of all variable guars over the set of variables X by VG(X). Variable assignments are efine accoring to the following syntax x := expr where x X an expr VE(X). We enote the set of all variables assignments over X by VA(X). A set of non-conflicting variable assignments A is a finite subset of VA(X), where for every x X whenever (x := expr 1 ) A an (x := expr 2 ) A then expr 1 = expr 2. Finally, we will efine a variable valuation as a total mapping z : X Z which given some variable x X returns the current value of x. We will exten this mapping to support expressions in VE(X) as follows z(m) = m if m Z z(e 1 e 2 ) = z(e 1 ) z(e 2 ) if e 1, e 2 VE(X) 48

55 Section 7.3 Time Automata with Integer Variables where {+, }. A variable valuation z satisfies a variable guar ϕ VG(X) (written z = ϕ) if the variable guar evaluates to true uner the valuation z. Formally, z = ϕ is efine inuctively on the structure of ϕ as follows z = true z = e 1 e 2 iff z(e 1 ) z(e 2 ) z = ϕ 1 ϕ 2 iff z = ϕ 1 an z = ϕ 2 z = ϕ 1 ϕ 2 iff z = ϕ 1 or z = ϕ 2 where e 1, e 2 VE(X) an {<,, =,, >}. Given a set of non-conflicting variable assignments A we let z[a] enote a variable valuation such that { z(expr) if (x := expr) A z[a](x) = z(x) otherwise. 7.3 Time Automata with Integer Variables We can now efine the notion of a time automaton. Definition 38 (Time Automaton) A Time Automaton (TA) is a tuple (L, Act, C, X,, I C, I X, l 0 ), where L is a finite set of locations, Act is a finite set of actions, C is a finite set of clocks, X is a finite set of integer variables, L CG(C) VG(X) Act 2 C 2 VA(X) L is a finite set of eges such that whenever (l, g, ϕ, a, r, A, l ) then A is a finite non-conflicting set, I C : L CI (C) is a function assigning clock invariants to locations, I X : L VG(X) is a function assigning variable invariants to locations, an l 0 is the initial location. We write l g,ϕ,a,r,a l instea of (l, g, ϕ, a, r, A, l ), where l is the source location, g is the clock guar, ϕ is the variable guar, a is the action, r is the set of clocks to be reset, A is the set of non-conflicting variable assignments an l is the target location. 49

56 Chapter 7 Networks of Time Automata with Integer Variables Note for notational convenience, we shall sometimes conjunct the clock invariant an the variable invariant when rawing TA. Let us now turn our attention to networks of time automata. A network of time automata is basically a parallel composition of time automata. Besies hanshake synchronization, UPPAAL also supports broacast channels. Thus, our network of time automata will support both hanshake synchronization in which two time automata can synchronize, as well as a notion of broacast synchronization which allows for more than two time automata to participate in a synchronization. In orer to hanle synchronizations, we assume the existence of a finite set of channel names Chan (for hanshake synchronizations), a finite set of channel names Broa (for broacast synchronizations) an a finite set of orinary actions, enote by N, which inclues the internal action τ, such that Chan Broa N =. We then efine Act = {c!, c? c Chan} {a!, a? a Broa} N. The intuition is that c! inicates output, i.e. that an automation sens a hanshake synchronization request on the channel c, an c? is use for input, i.e. that an automaton is prepare to receive a hanshake synchronization request on the channel c. Further, a inicates broacasting on channel a an a inicates that an automaton is prepare to receive a broacast synchronization request on channel a.? We can now efine a network of time automata.! Definition 39 (Network of Time Automata) Let n N an let A i = (L i, Act, C, X, i, IC i, Ii X, li 0 ) be time automata for all 1 i n, over a fixe set of actions Act, clocks C an integer variables X. A Network of Time Automata (NTA) is a parallel composition of A 1, A 2,..., A n enote by A = A 1 A 2... A n. The semantics of a network of time automata is given in terms of a TTS. A configuration of an NTA is a tuple (l 1, l 2,..., l n, z, v) where l i L i for all 1 i n, z is a variable valuation over X an v is a clock valuation over C such that for every 1 i n it hols that z = I i X (l i) an v = I i C (l i). In other wors, the configuration specifies which location each automaton in the network is in, an the value of every variable an clock in the network (with the requirement, that the invariants of all locations are satisfie by the variable an clock valuations). We will enote the set of all configurations of a given NTA A by Conf (A). We can now efine the precise semantics of networks of time automata. Definition 40 Let A = A 1 A 2... A n where A i = (L i, Act, C, X, i, I i C, Ii X, li 0 ) for all 1 i n, be an NTA over a fixe set of actions Act, clocks C an integer variables X. The TTS generate by A, is efine as T (A) = (S,, AP, µ), where S = Conf (A), the transition relation consists of 50

57 Section 7.3 Time Automata with Integer Variables Orinary transitions: (l 1,..., l i,..., l n, z, v) (l 1,..., l i,..., l n, z, v ) if there exists an a N g,ϕ,a,r,a such that there is an ege l i i l i in the i th automaton such that v = g, z = ϕ, v = v[r], z = z[a], v = IC i (l i ) j i Ij C (l j) an z = I i X (l i ) j i Ij X (l j), Hanshake synchronization transitions: (l 1,..., l i,..., l j,..., l n, z, v) (l 1,..., l i,..., l j,..., l n, z, v ) if g i,ϕ i,a!,r i,a i i l i an l j g j,ϕ j,a?,r j,a j j l j such i j an there are eges l i that a Chan, v = g i g j, z = ϕ i ϕ j, v = v[r i r j ], z = (z[a i ])[A j ], v = IC i (l i ) Ij C (l j ) k i,j Ik C (l k) an z = IX i (l i ) Ij X (l j ) k i,j Ik X (l k), Broacast synchronization transitions: (l 1,..., l n, z, v) (l 1,..., l n, z, v ) if there exists an a Broa such that there exists an i, 1 i n such that there is an ege g i,ϕ i,a,r i,a i l i! i l i in the i th automaton where v = g i an z = ϕ i, let J be the set of all j, 1 j i n where there is an ege g j,ϕ j,a,r j,a j l j? j l j in the j th automaton such that v = g j an z = ϕ j, for all j J we set l j, A j an r j accoring to the ege g j,ϕ j,a?,r j,a j l j j l j (note that there may be multiple eges to choose from), for all j J, 1 j i n we let l j = l j, A j = an r j =, z = (... ((... (s[a i ])[A 1 ])[A 2 ])... [A i 1 ])[A i+1 ])... [A n ] an z = n k=1 Ik X (l k ), an v = v[r] where R = n k=1 r k an v = n k=1 Ik C (l k ), Delay transitions: (l 1,..., l n, z, v) (l 1,..., l n, z, v + ) for all R 0 such that v + = n i=1 I i(l i ), AP ef = {(#l m) l n i=1 L i, m N an {<,, =,, >}}, an µ : S 2 AP is a function assigning sets of true atomic propositions to states. A proposition (#l m) is true in configuration s if an only if the number of parallel components that are currently in the location l satisfies the proposition with respect to m. The initial state is (l 1 0, l2 0,..., ln 0, z 0, v 0 ) where z 0 (x) = 0 for all x X an v 0 (c) = 0 for all c C. We assume z 0 an v 0 always satisfy the invariants of l i 0 for all 1 i n, i.e. z 0 = n i=1 Ii X (li 0 ) an v 0 = n i=1 Ii C (li 0 ). Remark 41 Note that for hanshake an broacast synchronizations, variable assignments are always evaluate in a specific orer. First any assignments on the ege 51

58 Chapter 7 Networks of Time Automata with Integer Variables of the sener are evaluate an following this the assignments of any receivers are evaluate in the orer from A 1 to A n. 7.4 Complexity an Computability In the following, we will briefly iscuss the eciability an complexity of reachability an TCTL moel checking of time automata an time automata with integer variables. We shall focus on the problems for TA, as an NTA can be viewe as a single prouct automaton. Even though the state space is infinite, the reachability problem for a TA was shown eciable an PSPACE-complete in [5, 6]. The basic iea is to construct a region graph, which represents the behaviour of a TA in a finite way. Intuitively, a region is a collection of states with the same behaviour. From this abstraction the reachability problem is reuce to checking reachability in a finite graph. The construction of the finite region graph also has other applications. In [7], this construction is use to prove the eciability of TCTL moel checking for TA. The authors also prove that this problem is PSPACE-complete. In Definition 38, the TA is extene with integers variables. If we restrict TA to use only boune integer variables, then it is still possible to construct a finite region graph. This is because the boune range of integer variables only result in finitely many extra states. However, if use unboune integers, the region abstraction is no longer capable of representing the state space in a finite way. Thus, both reachability an TCTL moel checking become uneciable in this case. 52

59 Chapter 8 Broacast Translation In this section, we will present a translation from k-boune TAPN to NTA. The basic iea in the translation is to create a TA for each token in the TAPN. Since we cannot ynamically instantiate new TA uring the verification process, we nee to have a constant number of tokens in the net at all times. Since the translation works for boune TAPN, we can assume that we know the boun of the TAPN. Thus, if we know the TAPN is k-boune we construct k TA to simulate the tokens. In each of these TA there is a location for each place in the TAPN. A TA in one of these locations simulates a token in the corresponing place in the TAPN. We refer to these TA as token automata. Further, each TA has a clock which simulates the age of the token. All the token automata have the exact same structure, the only ifference being their initial location, which correspons to the initial marking of the TAPN, an the name of their clock. As there may not be k tokens in the initial marking, an aitional place l capacity is introuce where automata representing currently unuse tokens are waiting. Initially, there are k M 0 token automata in l capacity. When simulating a transition t where t > t, we can move t t token automata to l capacity. Similarly, when simulating a transition t where t < t, we can move t t token automata out of l capacity. Note that there is only one l capacity location in each automaton. In aition to these token automata, we create a single control automaton. The purpose of this TA is to simulate the firing of transitions an move tokens aroun by synchronizing with some of the token automata. This TA has a location l stable which acts as a mutex, in the sense that the control automaton moves out of this location once the simulation of a transition begins an only returns once the simulation of the transition ens. Further, each time the control automaton is in this location, the locations an the clock values of the token automata correspon to a marking in the TAPN. We will begin by emonstrating the translation on an example. 53

60 Chapter 8 Broacast Translation {1.2, 2.5, 3.3, 5.5} #4 [0, 4] t p 0 (a) A simple TAPN moel. p 1 Control: l stable count 1 := 0 t test! t fire! c := 0 l(t) count 1 == 1 inv: c == 0 count 1 1 c = 0.0 c 1 = 1.2 c 2 = 2.5 c 3 = 3.3 c 4 = c 1 4 count 1++ Token 1: t test? τ p 0 l(t p 0 count 1 count 1 > 1 p 1 ) t fire? c 1 := 0 p 1 0 c 2 4 count 1++ Token 2: t test? τ p 0 l(t p 0 count 1 count 1 > 1 p 1 ) t fire? c 2 := 0 p 1 0 c 3 4 count 1++ Token 3: t test? τ p 0 l(t p 0 count 1 count 1 > 1 p 1 ) t fire? c 3 := 0 p 1 0 c 4 4 count 1++ Token 4: t test? τ p 0 l(t p 0 count 1 count 1 > 1 p 1 ) t fire? c 4 := 0 (b) The NTA resulting from translation of the TAPN in Figure 8.1a. The box in the rightmost sie of the picture shows the clock valuation of the NTA. Notice that the values of c i, 0 i 4, correspon exactly to the ages of the tokens in p 0. Figure 8.1: Broacast translation example. p 1 54

61 Section 8.1 Example 8.1 Example Figure 8.1a shows a very simple TAPN with a single transition an four tokens, an the translate NTA is shown in Figure 8.1b. The NTA consists of five automata: one control automaton with a istinguishe clock c an four token automata, one for each token in the TAPN. Intuitively, the value of c can be unerstoo as the time that has elapse since the last transition was execute. Notice that for the sake of this example we have refraine from aing the l capacity location because it is not neee. We shall now explain how the translate NTA works. When we want to simulate the firing of a transition t in the NTA, the control automaton will broacast on the t test channel. Any token automaton whose clock has a value within the interval [0, 4] will be force to participate in the broacast. In our case, this means that token automata 1-3 will participate in the broacast synchronization. Token automaton 4 will not participate since its clock has the value 5.5 an hence the guar prohibits it from participating. We will use integer variables to count the number of token automata which participate in the transition when broacasting on the t test channel. Because the preset an postset of t has size 1, we only nee one counter variable. Thus, when these automata participate in the synchronization, they will move to the intermeiate l(t p 0 p 1 ) location thereby incrementing the counter variable count 1, resulting in the value 3. This means that the invariant on l(t) is satisfie in the control automaton. In other wors, we know that there are enough tokens with appropriate ages in the input places of t to fire it (in this case there are more than neee). Notice that if there were not enough tokens in some of the input places, then the invariant on l(t) woul not be satisfie when broacasting on the t test channel an thus this broacast woul not be possible. This is one of the crucial aspects to realize in orer to see why this translation preserves liveness properties, as we will show later. However, because the value of count 1 is 3, the control automaton cannot broacast on the t fire channel, since the guar ensures that this is only possible when exactly one token automaton remains in its intermeiate location for each input place. Therefore, we are force to move two of the token automata back to p 0 via the τ-transitions. Notice that this is only possible as long as count 1 > 1, which means one token automaton has to remain in its intermeiate location. When all the extra token automata have been move back to the original location, the control automaton can broacast on the t fire channel. The token automata remaining in the intermeiate locations (in our case, a single automaton) must participate in this synchronization (because they have no guars), an thus the token automata move to the output places, which ens the simulation of firing transition t. We shall now show how the translation works on a slightly more elaborate example using all of the features of the TAPN moel. Figure 8.2a shows a TAPN moel that uses transport arcs, invariants an inhibitor arcs. The translate NTA create by our algorithm is shown in Figure 8.2b. Note that Figure 8.2b only shows a template for one token automaton. This template is repeate three times, once for each token. The only ifference between the templates is the initial location (p 1, p 2 an p 3 respectively) 55

62 Chapter 8 Broacast Translation p 1 p p [1, 5] t [0, 4] [0, 2] [0, ) t inv: 3 p 4 (a) A TAPN moel. inv: c == 0 count 1 1 l(t ) c := 0 t test count 1 == 1 t fire count 1 := 0!! l stable t test count 1 := 0, count 2 := 0, count 3 := 0! t fire c := 0 l(t) count 1 == 1 count 2 == 1 count 3 == 0! inv: c == 0 count 1 1 count 2 1 count 3 == 0 p 1 count 1 τ count 1 > 1 l(t p 1 p 4 ) Template repeate three times: 1 c i 3 t test? count 1 ++ p 2 count 2 τ count 2 > 1 l(t p 2 l capacity ) 0 c i 4 t test? count 2 ++ count 1 τ count 1 > 1 l(t p 3 p 4 ) p 3 0 c i 2 t test? t? test count 1 ++ count 3 ++ p 4 t fire? l capacity t fire? c i := 0 t? fire c i := 0 inv: c i 3 (b) The NTA resulting from translation of the TAPN in Figure 8.2a. c is a istinguishe clock for the control automaton. Note that the lower TA is a template which is repeate three times with ifferent initial locations (p 1, p 2 an p 3 resp.) an with ifferent clock names (c 1, c 2 an c 3 resp.) Figure 8.2: A more elaborate broacast translation example. 56

63 Section 8.2 Translation Algorithm an the name of the clock (c 1, c 2 an c 3 respectively). We see that the control automaton has a test-fire loop for every transition in the TAPN moel, in this case there are two of them. There are some special cases that are worth mentioning in NTA. First of all, consier the inhibitor arc from p 3 to t. We see that this arc is encoe using a self-loop participating in the t test broacast synchronization. Again, we use a counter variable to count the number of automata that take this transition. We simply encoe the requirement of the inhibitor arc (that is, that no token satisfies the interval) in the invariant of l(t), namely that count 3 == 0. In other wors, the control automaton can only broacast on the t test channel if there are no token automata in the location p 3 that can synchronize on the t test channel, since this is the only way for count 3 to maintain the value 0. A secon observation is the guar on the transition from p 1 to l(t p 1 p 4 ). Specifically, it is evient that this oes not match the interval [1, 5] locate on the arc from p 1 to t in the TAPN moel. This guar has been change accoring to the invariant on p 4 to avoi ealocks. Since the arc from p 1 to p 4 is a transport arc, we nee to test the invariant of the target location when we fire t test also to avoi ealocks. Thus, we make an intersection of the guar on the transport arc an the invariant on the target place which is then use as the guar on the t test ege. Remark 42 One woul think that it was enough to simply a the invariant from p 4 to the intermeiate location l(t p 1 p 4 ), however, this will result in incorrect behavior, in the sense that it will block t test if e.g. there are two tokens in p 1 with ages 4 an 2, because invariants block the entire broacast transition if a single automaton with a satisfie guar cannot participate ue to its target location invariant. For this specific example, we nee at least one token of age [1, 3] in p 1, at least one token of age [0, 4] in p 2 an zero tokens of age [0, 2] in p 3 in orer for t to be enable which is precisely the invariant on l(t). Notice that simulating transition t will move the token automaton in p 2 to l capacity, since t > t. We also see that transitions share counter variables. The variable count 1 is use in the simulation of both transitions. This is perfectly acceptable, because it is use in a non-conflicting way, in the sense that we are never simulating t an t at the same time. Finally, it is clear that simulating transition t will move a token automaton from p 3 to p 4. Notice that in this case, there is no guar on the t test transition in the token automata, because the interval oes not restrict the ages in the TAPN moel. Further, we o not take the invariant of the target location into account since the arc t to p 4 is a normal arc an prouces a token of age zero which always satisfies any invariant. This conclues our introuction to the translation. 8.2 Translation Algorithm We will now escribe the translation formally. We will aopt the set Pairing(t), introuce by Byg et al. [17], which for a given transition t pairs input an output 57

64 Chapter 8 Broacast Translation places, P airing(t) = {(p, I, p, tarc) (p, t, p ) F tarc I = c tarc (p, t, p )} {(p 1, I 1, p 1, normal),..., (p m, I m, p m, normal) {p 1,..., p l } = {p (p, t) F }, {p 1,..., p l } = {p (t, p) F }, m = max(l, l ), I i = c(p i, t) if 1 i l, I i = [0, ) if l < i m, p i = l capacity if l < i m, p i = l capacity if l < i m} The intuition behin Pairing(t) is that it pairs input an output places in orer to fix the paths on which tokens will travel when firing t as well as remember the time interval on the input arc an the type of the arc (normal for normal arcs an tarc for transport arcs). Note that Pairing(t) is chosen a priory (there may be multiple choices for how to pair input an output places of a transition) an pairing a transition is always possible. Because inhibitor arcs o not consume tokens when firing a transition, they are not inclue in Pairing(t). As a concrete example of this set consier the TAPN in Figure 8.2b. The pairing use in this example for transition t is Pairing(t) = {(p 1, [1, 5], p 4, tarc), (p2, [0, 4], l capacity, normal)}. Note that this is the only possible pairing for this transition. Let us efine the number integer variables neee by the translation for a given TAPN. Definition 43 Given a TAPN N = (P, T, F, c, F tarc, c tarc, F inhib, c inhib, ι), the number of integer variables neee by the translation is NumVars(N) ef = max({ Pairing(t) + {(p, t) (p, t) F inhib } t T }) To present the algorithm, we shall first introuce some notation. Given an interval I an a clock c, we let c I enote a guar that is satisfie if the value of c belongs to the interval I. For example, if I = [3, 5) then c I woul correspon to the guar c 3 c < 5. We let c enote the guar false, i.e. a guar that is never satisfie. Algorithm 1 shows how to convert intervals to guars. As mentione previously, we nee to make sure the guar also encoes the invariant of the target location in case the arc is a transport arc to avoi ealocks. Thus, if the arc in question is a transport arc, the clock value must lie in the intersection of the arc interval an the invariant interval. Otherwise, it must simply satisfy the arc interval. Notice that it is incorrect to create the guar c I ι(p ) in the case where type inicates a normal arc, since ages of tokens are reset when firing the transition. Restricting the interval to inclue the invariant in this case coul isallow certain tokens to be use to fire the transition in the NTA even though they can be use in the TAPN moel. Algorithm 2 shows how to convert invariants for TAPN to invariants for NTA. Algorithm 3 gives the translation. Note that for a k-boune TAPN we will prouce an NTA consisting of k + 1 components in parallel (one automaton for each of the k tokens an a control automaton). Further, we will assume that the control automaton is always the first automaton in the network. 58

65 Section 8.3 Correctness Algorithm 1: Translation of intervals to guars. Name: CreateGuar(c, I, p, type) Input: A clock c, an arc interval I, a target location p an an arc type type. Output: A guar g for a time automaton. begin if type tarc then g := c I en else g := c I ι(p ) Algorithm 2: Translation of invariants for TAPN to invariants for NTA. Name: CreateInvariant(c, I) Input: A clock c an an interval I of the form I = [0, a] or I = [0, b) for a N 0, b N { }. Output: A invariant inv for a time automaton. begin if I = [0, a] then inv := c a en else inv := c < b Observe that because at most k token automata can participate in a broacast synchronization, we have that the value of any counter variable will be less than or equal to k. 8.3 Correctness t For notational convenience, we will in this section sometimes write for a iscrete transition t. To prove the correctness of this translation, we will follow the methoology escribe in Section 6.4. We let (N, M 0 ) be a marke k-boune TAPN an let P TA be the NTA constructe by Algorithm 3 with initial configuration s 0. We efine the stable proposition as (#l stable = 1). Recall that (#l stable = 1) is true whenever there is one TA in the l stable location. Thus (l, l 1, l 2,..., l k, z, v) = (#l stable = 1) if an only if l = l stable. We will first show that P TA possesses the three properties require by a complete one-by-many corresponence. Recall that T (P TA ) is the TTS generate by P TA. Lemma 44 Let P TA be an NTA constructe by Algorithm 3. no-elay-in-intermeiate-state TTS. Then T (P TA ) is a Proof Since all locations in the control automaton except l stable have the invariant c 0, it follows that only 0 elays are possible in intermeiate states. 59

66 Chapter 8 Broacast Translation Algorithm 3: Translation from k-boune TAPN to NTA. Input: A k-boune TAPN N = (P, T, F, c, F tarc, c tarc, F inhib, c inhib, ι) with initial marking M 0. Output: An NTA P TA = A A 1 A 2... A k where A = (L, Act, C, X,, I C, I X, l 0) an A i = (L i, Act, C, X, i, IC, i IX, i l i 0). begin for i := 1 to k o L i := P {l capacity} L := {l stable }?? Act := {t test, t test, tfire, t fire t T } {τ} C := {c, c 1, c 2,..., c k } X := {count i 1 i NumVars(N)} forall t T o j := 0 varinv t := true; varguar t := true while Pairing(t) > 0 o j := j + 1 Remove some (p, I, p, type) from Pairing(t) for i := 1 to k o L i := L i {l(t p p )} g := CreateGuar(c i, I, p, type)!! A p g,true, t? test,, count j ++ i l(t p p ) A l(t p p ) true, true,? t fire, R, i p s.t. R = {c i} if type = normal else R = A l(t p p ) true, count j >1, τ,, count j i p varinv t := varinv t count j 1 varguar t := varguar t count j == 1 forall p P where (p, t) F inhib o j := j + 1 for? i := 1 to k o A p c i c inhib (p,t), true, t test,, count j ++ i p varinv t := varinv t count j == 0 varguar t := varguar t count j == 0 L := L {l(t)} A l stable true, true, t test, {c},! l(t) an l(t) true, varguar t, t fire l stable for i := 1 to k { o IC(p) i CreateInvariant(c i, ι(p)) if p P := true if p L i \ P IX(p) i := true for p L i { true if p = l stable I C(p) := c 0 if p L \ {l stable } { varinv t if p = l(t) for t T I X(p) := true if L \ {l(t) t T } i := 0; forall p P o forall Token M 0(p) o l i 0 := p; i := i + 1 for i := M to k o l i 0 := l capacity l 0 := l stable en!,, {count i :=0 1 i j} 60

67 Section 8.3 Correctness Lemma 45 Let P TA be an NTA constructe by Algorithm 3. elay-preserves-stable TTS. Then T (P TA ) is a Proof Since time elays o not change the current location of any automaton, it follows that any time elay from a stable configuration will result in another stable configuration. Thus, T (P TA ) is a elay-preserves-stable TTS. Lemma 46 Let P TA be an NTA constructe by Algorithm 3. Then T (P TA ) is an eventually-stable TTS. Proof We must show that for any (finite or infinite) maximal iscrete sequence of length at least 1 ρ = s 0 s 1 s 2 s 3 where s 0 = (#l stable = 1), there exists an i 1 such that s i = (#l stable = 1). Because s 0 is stable, it follows that the control automaton is in location l stable in s 0. We will show that by construction any maximal iscrete sequence starting in s 0 contains a prefix of the form s 0 t test t fire s1 s 2 s n 1 s n such that n k + 1 an s n = (#l stable = 1). If any iscrete transition is enable in s 0 then by construction, it is a broacast t transition on some channel t test. Assume that s test 0 s1. In s 1 there are only two possibilities for iscrete transitions, which are mutually exclusive an by construction one of them is always possible (ue to the use of integer guars an invariants). Either there is an τ-transition enable in some token automaton in case there are more than one token automata currently in the same intermeiate location l(t p p ) or a broacast on the t fire channel is enable when there is exactly one token automaton in each of the require l(t p p ) locations. In the first case, the only possibility is to keep taking τ-transitions, which move the extra token automata back to their original locations. This must continue until some configuration s n 1 is reache where there are no more τ-transitions enable. By construction, this will always happen. It follows by construction that t fire will be the only enable iscrete transition in s n 1. In the worst case, all k TA participate in the t test broacast synchronization an only a single TA is require to synchronize on the t fire broacast channel. Thus, we must move k 1 TA back to their original location. In the secon case, only the t fire broacast synchronization is enable an we have by construction of P TA that the invariants on the target location of all t fire broacast receivers will be satisfie. Since synchronizing on the t fire channel brings the control automaton back to l stable, it follows that s n = (#l stable = 1). Hence, T (P TA ) is an eventually-stable TTS. Remark 47 By Lemma 44 an Lemma 46 we also have that for any stable configuration s with an enable iscrete transition, it hols that s s for some configuration s. 61

68 Chapter 8 Broacast Translation We now efine the proposition translation function tr p. An atomic proposition for the TAPN always have the form (p n) where p is a place, n N an {<,, =,, >}. Such a proposition is translate into (#p n). Let us now efine a corresponence relation R between markings an configurations. The goal is to show that this relation is a complete one-by-many corresponence. Let M = {(p 1, r 1 ), (p 2, r 2 ),..., (p n, r n )} be a marking of N where n k an (p i, r i ) is a token locate in the place p i with age r i R 0. Further, let s = (l, l 1, l 2,..., l k, z, v) be a configuration of P TA, where v is a clock valuation over the clocks {c, c 1, c 2,..., c k } an z is a variable valuation over the variables {count i 1 i NumVars(N)}. We write M R s if there exists an injection h : {1, 2,..., n} {1, 2,..., k} such that l = l stable, l h(i) = p i an v(c h(i) ) = r i for 1 i n, an l j = l capacity for all j {1, 2,..., k} \ range(h). Intuitively, whenever M R s, it means that for every token in M, there is a istinct TA location an clock valuation in the configuration s matches exactly that token an the remaining k n token automata are in the l capacity location. We shall now prove that R is a complete one-by-many corresponence. Theorem 48 R is a complete one-by-many corresponence. Proof Let (N, M 0 ) be a marke k-boune TAPN an P TA be the NTA generate by Algorithm 3. We will show that R satisfies all requirements of Definition 29 an thus is a complete one-by-many corresponence. From Lemma 44, Lemma 45 an Lemma 46 it follows that T (P TA ) is a no-elay-in-intermeiate-state, elay-preserves-stable an eventually-stable TTS. Let M be a marking an let s be a configuration, such that M R s. We shall now prove that R satisfies conitions 1-6 of Definition 29 on page s = (#l stable = 1) follows from the efinition of R. 2. From the efinition of R it follows that M = iff s = tr p ( ). 3. Assume M M. This means that there exists a transition t such that M t M. We must show that s s such that M R s. We will start by showing that t test is enable in s. Since t test is a broacast channel, the first requirement is that the t test sener has to be enable. There are no guars on the sener transition, so only the invariant on l(t) may block the t test sener. The secon requirement is that every possible receiver (i.e. any receiver whose guar is satisfie) must participate in the broacast synchronization. Due to the construction of P TA, there are no invariants on the intermeiate locations l(t p p ). Thus, any receiver with a satisfie guar can participate in the broacast synchronization. By the fact that M R s, it follows that enough TA will participate in the broacast synchronization to satisfy the invariant on l(t). Thus, s. ttest Since s = (#l stable = 1) an s ttest we have by Lemma 46 that s ttest s 1 s 2 s n = s 62

69 Section 8.3 Correctness such that s i = (#l stable = 1) for 1 i < n an s n = (#l stable = 1). By construction, this sequence has the form s ttest t fire s 1 s 2 s n 1 s n where n k + 1. Thus, since M t M we can use the sequence above an Lemma 44 to get the sequence s s. Observe that if t > t then t t token automata will have move to l capacity after simulating t from s an if t < t then t t token automata will have move out of l capacity after simulating t from s. Since M R s, we get M R s by matching the changes in M when firing t to the changes in s when executing the sequence above. 4.,6. Time elays can only be restricte by invariants. By Lemma 44 an the fact that the invariant on place p in N is carrie over to location p in P TA, we have that it is always possible to o the same time elays in M an s. By Lemma 45, it follows clearly that if M versa. 5. Assume s s. This implies that M then s s such that M R s an vice s s 1 0 s 1 s 2 0 s 2 s n 1 0 s n 1 s n = s such that s i = (#l stable = 1) for 1 i < n an s n = (#l stable = 1). By construction of P TA, we have that n k an that this sequence must be of the form (leaving out 0 elays) s ttest t fire s 1 s 2 s n 1 s n. Since s ttest s 1 we know that the invariant on l(t) is satisfiable. By the construction of P TA, this in turn means that there are enough token automata that can synchronize on t test in such a way that for each input place p t there is at least one automaton whose current location is p an the clocks of these automata satisfy the guars on the t test transitions. Further, for each place p such that there is an inhibitor arc from p to t, there is no automaton in location p with a clock satisfying the guar on t test. This is exactly what is neee to fire t from M, an because M R s, then M t M. If any token automaton moves out of l capacity when s s then aitional tokens will be prouce when firing transition t from M an if any token automaton moves into l capacity when s s then t will consume more tokens than it prouces when fire from M. Since M R s, we clearly get M R s by matching the changes in s when simulating t to the changes in M when firing t. Since R is a complete one-by-many corresponence, Theorem 36 allows us to conclue the following corollary. 63

70 Chapter 8 Broacast Translation Corollary 49 Let (N, M 0 ) be a k-boune TAPN an let P TA be the NTA constructe by Algorithm 3. For any TCTL formula ϕ we have that N = ϕ if an only if P TA = tr(ϕ) As an example of this corollary, consier the TAPN N an translate NTA P TA in Figure 8.2b on page 56. The TAPN moel satisfies the query ϕ = E((p 4 = 0) U [0, ) (p 4 = 1)) which asks whether it is possible to put a token in p 4. Let M = {(p 1, 2.8), (p 2, 1.4), (p 3, 3.0)} enote the marking illustrate in the figure. The maximal run ρ = M 0.5 M 1 t 1 t M 2 M 3 M 4 2 in T (N) witnesses the property ϕ. Thus, we have M = E((p 4 = 0) U [0, ) (p 4 = 1)). In P TA, we can construct a witness for the translate query tr(ϕ) = E(((#p 4 = 0) (#l stable = 1))U [0, ) ((#p 4 = 1) (#l stable = 1))). Let s be a configuration such that M R s. The maximal run ρ = s 0.5 t s test 0 t fire 1 t 1 s2 s 3 s 4 s test 0 t fire 2 5 s 6 s 7 s 8 in T (P TA ) witnesses tr(ϕ). Thus, we have s = E(((#p 4 = 0) (#l stable = 1))U [0, ) ((#p 4 = 1) (#l stable = 1))). 64

71 Chapter 9 Degree 2 Broacast Translation We will now present an alternative translation using broacasts. Byg et al. [17] presente a translation from TAPN with invariants an transport arcs to NTA. However, their translation preserves only the safety fragment of CTL. We incorporate the iea of using broacast synchronizations into their algorithm to achieve a translation that preserves the full TCTL an also hanles inhibitor arcs. It turns out that on some moels, this translation is more efficient than the translation in the previous section, as will be emonstrate in Chapter 12. We will again have a time automaton for each token in the TAPN an one control automaton. Thus, a k-boune TAPN will be translate to an NTA with k +1 parallel components. Token placement an age will be simulate in the same manner as in the translation in Chapter 8 an since the TAPN may not always contain k tokens in its current marking, we will again use the location l capacity where automata representing currently unuse tokens are waiting. The basic iea is still to test if a transition t is enable by broacasting on the channel t test, in orer to ensure that we cannot get stuck uring the simulation of t. However, this time the token automata will stay in the same location instea of moving to intermeiate locations. Because of this, we o not nee to move any extra tokens back via τ-transitions after executing t test. Thus, we only use t test as a mechanism to count the number of tokens (using integer variables, as before) of appropriate age from each input place of the transition. To simulate the prouction of tokens at the output places, we replace the t fire broacast with a sequence of hanshake synchronizations. We still use the intermeiate locations while executing the hanshake synchronizations, however, the intermeiate locations will now function more as temporary holing locations while tokens are move out of the input places. Because we remove input tokens one-by-one in a sequence, these holing locations are neee to ensure that a prouce token is not consume by the next step in the sequence.! 65

72 Chapter 9 Degree 2 Broacast Translation 9.1 Example Let us illustrate the translation on an example. We will emonstrate how the translation works on the TAPN from the secon example of Chapter 8. The TAPN is reprouce in Figure 9.1a an the NTA resulting from the translation is presente in Figure 9.1b. Note that the token automata are presente as a template which shoul be repeate three times with ifferent initial locations (p 1, p 2 an p 3, respectively) an ifferent clock names (c 1, c 2 an c 3, respectively). We will now explain how the NTA simulates the TAPN. Consier the transition t which has an inhibitor arc, a transport arc an a normal arc as input. We start simulating t when the control automaton broacasts on the t test channel. As in the previous translation, this is only possible when there are tokens of appropriate ages in all input places ue to the invariant of l(t) (i.e. zero tokens of appropriate age in any input place with an inhibitor arc to t an at least one token of appropriate age otherwise). However, as mentione above, we o not move the token automata to intermeiate locations when executing the t test broacast synchronization. Instea, we use self-loops that increment a counter as illustrate in Figure 9.1b. As before, we intersect the guar an the target location invariant for transport arcs to avoi aitional ealocks. To complete the simulation of t we nee to move one token of appropriate age from each input place in t to an output place. In this case, t consumes two tokens an prouces one so we will move the token automaton in p 2 to l capacity. Moving tokens to output places is one by executing a sequence of hanshake synchronizations on the channels t 1 in, t2, t 1 out. We start by moving a token from p 1 to the intermeiate location l(t p 1 p 3 ) by synchronizing on the t 1 in channel. Following this we will move a token from p 2 irectly to the output location l capacity (because this is the last input token to be move) by synchronizing on t 2 an finally we move the token in the intermeiate location l(t p 1 p 3 ) to the output place p 3 by synchronizing on t 1 out, whereby the control automaton also returns to l stable.! 9.2 Translation Algorithm We will now escribe the translation formally. Recall the efinition of the set Pairing(t) from Section 8.2 which we will use in the algorithm here as well. P airing(t) = {(p, I, p, tarc) (p, t, p ) F tarc I = c tarc (p, t, p )} {(p 1, I 1, p 1, normal),..., (p m, I m, p m, normal) {p 1,..., p l } = {p (p, t) F }, {p 1,..., p l } = {p (t, p) F } m = max(l, l ), I i = c(p i, t) if 1 i l else I i = [0, ), p i = l capacity if l < i m, p i = l capacity if l < i m} Further, we will also use the CreateGuar(c i, I, p, type) function from Algorithm 1 an the CreateInvariant(c i, ι(p)) function from Algorithm 2. We shall also reuse 66

73 Section 9.2 Translation Algorithm p 1 p p [1, 5] [0, 4] [0, ) t [0, 2] t inv: 3 p 4 (a) A simple TAPN moel. inv: c == 0 count 1 1 l(t ) t 1! count 1 := 0, c := 0 c := 0 t test! c := 0 t 1 out! l stable l(t) inv: c == 0 t test c := 0 count 1 1 count 2 1 count 3 == 0! t 1 in! count 1 := 0, count 2 := 0, count 3 := 0, c := 0 inv: c 0 l(t 1 out ) c := 0 t 2! l(t 1 in ) inv: c 0 1 c i 3 t test? count 1 ++ Template repeate three times: p 1 p 2 p 3 1 c i 3 t 1 in? 0 c i 4 t test? count c i 4 0 c i 2 t test? count 3 ++ t? test count 1 ++ l(t p 1 p 3 ) t 2? t 1? c i := 0 t 1 out? c i := 0 inv: c i 3 p 4 l capacity (b) The NTA resulting from translation of the TAPN in Figure 9.1a. Note that the token automata are illustrate by a template which is repeate three times with ifferent initial locations (p 1, p 2 an p 3 resp.) an ifferent clock names (c 1, c 2 an c 3 resp.). Figure 9.1: Degree 2 broacast translation example. 67

74 Chapter 9 Degree 2 Broacast Translation NumVars(N) from Definition 43 of the previous chapter. Finally, for a transition t, we efine max(t) = max( t, t ). This will allow us to calculate how many t i in (resp. t i out) channels we nee. The egree 2 translation is given formally in Algorithm Correctness We shall now prove the correctness of the translation. For notational convenience, t we will sometimes write for a iscrete transition t as before. We will also follow the methoology outline in Section 6.4. Again, we efine the stable proposition as (#l stable = 1). Recall that (#l stable = 1) is true whenever there is one TA in the l stable location. We will first show that P TA possesses the three properties require by a complete one-by-many corresponence. Lemma 50 Let P TA be an NTA constructe by Algorithm 4. no-elay-in-intermeiate-state TTS. Proof Similar to the proof for Lemma 44. Lemma 51 Let P TA be an NTA constructe by Algorithm 4. elay-preserves-stable TTS. Proof Similar to the proof for Lemma 45. Then T (P TA ) is a Then T (P TA ) is a Lemma 52 Let P TA be an NTA constructe by Algorithm 4. Then T (P TA ) is an eventually-stable TTS. Proof We must show that for any (finite or infinite) maximal iscrete sequence of length at least one ρ = s 0 s 1 s 2 s 3 where s 0 = (#l stable = 1), there exists an i 1 such that s i = (#l stable = 1). Because s 0 is stable, it follows that the control automaton is in location l stable in s 0. We will show that by construction any maximal iscrete sequence starting in s 0 contains a prefix of the form (we omit naming the intermeiate states) s 0 t test t 1 in t2 in tmax(t) 1 in tmax(t) tmax(t) 1 out tmax(t) 2 out t1 out s such that s = (#l stable = 1). If any iscrete transition is enable in s 0 then by construction, it is a broacast t transition on some channel t test. Assume that s test 0. This implies that the invariant in location l(t) is satisfie. This invariant uses the counter variables to encoe exactly 68

75 Section 9.3 Correctness Algorithm 4: Translation from k-boune TAPN to NTA. Input: A k-boune TAPN N = (P, T, F, c, F tarc, c tarc, F inhib, c inhib, ι) with initial marking M 0. Output: An NTA P TA = A A 1 A 2... A k where A = (L, Act, C, X,, I C, I X, l 0) an A i = (L i, Act, C, X, i, IC, i IX, i l i 0). begin for i := 1 to k o L i := P {l capacity} L := {l stable } {l(t) t T } {l(t i in), l(t i out) t T, 1 i < max(t)}? Act := {t test, t test, t max(t) t T } {t i in, t i out t T, 1 i < max(t)} {τ} C := {c, c 1, c 2,..., c k }; X := {count i 1 i NumVars(N)} forall t T o j := 0; m := 0; varinv t := true while Pairing(t) > 1 o j := j + 1; m := m + 1; varinv t := varinv t count j 1 Remove some (p, I, p, type) from Pairing(t) for i := 1 to k o L i := L i {l(t p p )}; g := CreateGuar(c i, I, p, type)! A p g,true, t? test,, count j ++ i p?, R, A p g,true, tm in i l(t p p ) s.t. R = if type = tarc else R = {c i} A l(t p p ) true,true, tm out?, R, i p s.t. R = if type = tarc else R = {c i} j := j + 1; varinv t := varinv t count j 1 Let {(p, I, p, type)} := Pairing(t); g := CreateGuar(c i, I, p, type) for i := 1 to k o A p g, true, t? test,, count j ++ i p A p g, true, tmax(t), R, i p s.t. R = if type = tarc else R = {c i} forall p P where (p, t) F inhib o j := j + 1; varinv t := varinv t count j == 0 for? i := 1 to k o A p c i c inhib (p,t), true, t test,, count j ++ i p true, true, t test, {c}, A l stable l(t) if max(t) = 1 then else! A l(t) true, true, t1!, {c}, A l stable s.t. A = {count i := 0 1 i j} A l(t) true, true, t1 in!, {c}, A l(t 1 in) s.t. A = {count i := 0 1 i j} A l(t i 1 in A l(t max(t) 1 in i 1 true, true, t in!, {c}, ) l(t i in) for all 2 i < max(t) ) true, true, tmax(t)!, {c}, l(t max(t) 1!, {c}, out ) A l(t i out) true, true, ti out l(t i 1 out ) for all 2 i < max(t) A l(t 1 out) true, true, t1 out!, {c}, l stable for i := 1 to k { o IC(p) i := i, ι(p)) CreateInvariant(c true if p P if p L i \ P ; Ii X(p) := true for p L i { { I C(p) := if p = l(t) for t T ; IX(p) := c 0 if p L \ {l stable } true if p L \ {l(t) t T } true if p = l stable varinv t i := 0; forall p P o forall Token M 0(p) o l i 0 := p; i := i + 1 l 0 := l stable ; for i := M to k o l i 0 := l capacity en 69

76 Chapter 9 Degree 2 Broacast Translation the requirements neee for the control automaton to return to l stable. In other wors, the invariant being satisfie implies that for every channel t 1 in, t 2 in,..., t max(t) 1 in, t max(t) there exists at least one istinct TA that can synchronize on the channel with the control automaton. Moreover, if t test is enable then we cannot reach a ealock by firing this sequence of transitions. In fact, if a ealock coul be reache uring this sequence, then t test woul not have been enable (ue to the invariant). By construction, it follows that if we can synchronize on the channels t 1 in, t2 in,..., t max(t) 1 in, t max(t), then it is possible to synchronize on the channels t max(t) 1 out, t max(t) 2 out,..., t 1 out, an no ealock can be reache uring this sequence. This follows from the fact that the automaton synchronizing on channel t i in will also be the one to synchronize on channel t i out for all 1 i max(t) 1. In turn, this means that any maximal iscrete sequence starting in s 0 contains a prefix of the form (again, omitting the intermeiate states) s 0 t test t 1 in t2 in tmax(t) 1 in tmax(t) tmax(t) 1 out tmax(t) 2 out t1 out s. It follows from the construction that synchronizing on the t 1 out channel brings the control automaton back to l stable which implies that s = (#l stable = 1). Thus, we will always return to a stable state an hence T (P TA ) is an eventuallystable TTS. Remark 53 By Lemma 52 we get that for any stable configuration s with an enable iscrete transition, it hols that s s for some configuration s. As for the previous translation, the proposition translation function tr p translates propositions of the form (p n) to propositions of the form (#p n) for some {<,, =,, >}. We efine the corresponence relation R as before. That is, let M = {(p 1, r 1 ), (p 2, r 2 ),... (p n, r n )} be a marking of a k-boune TAPN N where n k such that (p i, r i ) enotes a token locate in the place p i with age r i R 0. Further, let s = (l, l 1, l 2,..., l k, z, v) be a configuration of the NTA resulting from translating N by Algorithm 4, where z is a variable valuation over the set of variables {count i 1 i NumVars(N)} an v is a clock valuation over the set of clocks {c, c 1, c 2,..., c k }. We write M R s, if there exists an injection h : {1, 2,..., n} {1, 2,..., k} such that l = l stable, l h(i) = p i an v(c h(i) ) = r i for all i where 1 i n, an l j = l capacity for all j {1, 2,..., k} \ range(h). We shall now prove that conitions 1-6 of Definition 29 are satisfie by R. Theorem 54 The relation R is a complete one-by-many corresponence. 70

77 Section 9.3 Correctness Proof Let (N, M 0 ) be a marke k-boune TAPN an P TA be the NTA generate by Algorithm 4. We will show that R satisfies all requirements of Definition 29 an thus is a complete one-by-many corresponence. From Lemma 50, Lemma 51 an Lemma 52 it follows that T (P TA ) is a no-elay-in-intermeiate-state, elay-preserves-stable an eventually-stable TTS. Let M be a marking an let s be a configuration, such that M R s. We shall now prove that R satisfies conitions 1-6 of Definition 29 on page s = (#l stable = 1) follows from the efinition of R. 2. From the efinition of R it follows that M = iff s = tr p ( ). 3. Assume that M M. This means that there exists a transition t such that M t M. We must show that s s such that M R s. We will start by showing that the t test broacast synchronization is enable in s. Since t test is a broacast channel, the first requirement is that the t test sener has to be enable. There are no guars on the sener transition, thus only the invariant on l(t) may block the t test sener. The secon requirement is that every possible receiver (i.e. any receiver whose guar is satisfie) must participate in the broacast synchronization. Since a self-loop is use for all receivers (with counter upates only), the target invariants will be satisfie for all of them. Thus, any receiver with a satisfie guar can participate in the broacast synchronization. Further by the fact that M R s, it follows that enough TA will participate in the broacast synchronization to satisfy the invariant on l(t). Thus, s. ttest By Lemma 52 an the fact that s, ttest we can conclue that s ttest s 1 s 2 s n 1 s n = s such that s n = (#l stable = 1) an s i = (#l stable = 1) for 1 i < n. By construction, this sequence of transitions must be of the form t test, t 1 in, t 2 in,..., t max(t) 1 in, t max(t), t max(t) 1, t max(t) 2,..., t 1 out as this is the only sequence available in the control automaton involving t test. This implies that n = 2 max(t). Hence, since M t M, we can use the sequence above an Lemma 50 to get the sequence s s. Observe that by construction of P TA, we know that if t > t then t t token automata will be move to l capacity when simulating the firing of transition t an if t < t then t t token automata will be move out of l capacity when simulating the firing of transition t. By matching the changes in M when firing t to the changes in s when executing the sequence above, we get that M R s. 4., 6. Time elays can only be restricte by invariants. By Lemma 50 an the fact that the invariant on place p in N is carrie over to location p in P TA, we have that it is always possible to o the same time elays in M an s. By Lemma 51, out out 71

78 Chapter 9 Degree 2 Broacast Translation it follows clearly that if M versa. 5. Assume s s. This implies M then s s such that M R s an vice s s 1 0 s 1 s 2 0 s 2 s n 1 0 s n 1 s n = s such that s = (#l stable = 1) an s i = (#l stable = 1) for all 1 i < n. By construction of P TA, we have that this run must be of the form (leaving out 0 elays) s ttest s 1 t 1 in tmax(t) 1 in s max(t) t max(t) t max(t) 1 s out max(t)+1 t1 out s n = s which is a simulation of some transition t an thus n = 2 max(t). Since s ttest s 1 we know that the invariant on l(t) is satisfiable. By the construction of P TA, this in turn means that there are enough automata that can synchronize on the t test channel in such a way that for each input place p t, there is at least one automaton whose current location is p an the clocks of all these automata satisfy the guars on the t test transitions. Further, for each place p where there is an inhibitor arc from p to t, there is no automaton in location p with a clock satisfying the guar on the t test transition. This is exactly what is neee to fire t, an because M R s, then M t M. If any token automaton moves out of l capacity when s s then aitional tokens will be prouce when firing transition t from M an if any token automaton moves into l capacity when s s then t will consume more tokens than it prouces when fire from M. Since M R s, we clearly get M R s by matching the changes in s when simulating t via the sequence above to the changes in M when firing t. Since R is a complete one-by-many corresponence, Theorem 36 allows us to conclue the following corollary. Corollary 55 Let (N, M 0 ) be a k-boune TAPN an let P TA be the NTA constructe by Algorithm 4. For any TCTL formula ϕ we have that N = ϕ if an only if P TA = tr(ϕ) As a concrete example, consier the TAPN N an translate NTA P TA in Figure 9.1on page 67. Let M = {(p 1, 2.8), (p 2, 1.4), (p 3, 3.0)} be the marking illustrate in the figure. The maximal run ρ = M 0.5 M 1 t 1 t M 2 M 3 M 4 2 in T (N) witnesses the property ϕ = E((p 4 = 0) U [0, ) (p 4 = 1)). Thus, we have M = E((p 4 = 0) U [0, ) (p 4 = 1)). In P TA we can construct a witness for the translate 72

79 Section 9.3 Correctness query tr(ϕ) = E(((#p 4 = 0) (#l stable = 1))U [0, ) ((#p 4 = 1) (#l stable = 1))). Let s be a configuration such that M R s. The maximal run ρ = s 0.5 t s test 0 t 1 s2 s 1 in 0 t 3 s 4 s 2 0 t 5 s 6 s 1 out 7 s 8 1 t s test 0 t 9 s 10 s s 12 in T (P TA ) witnesses tr(ϕ). Thus, we have that s = E(((#p 4 = 0) (#l stable = 1))U [0, ) ((#p 4 = 1) (#l stable = 1))). 73

80

81 Chapter 10 Time-Arc Petri Nets with Integers In this section, we will exten TAPN moel by letting tokens carry integer values besies their age. This feature is often referre to as a color. Our approach is rather simple compare to other notions of colors in Petri Nets [30, 31, 41], however our approach preserves eciability of reachability for boune moels. Before we formally efine this moel, we nee to introuce some notation. We efine arbitrary intervals in the form [(a, b)] where [( { [, ( }, )] { ], ) } an a, b Z. We let the set of all arbitrary intervals be enote by I all. Note that some intervals are not well-forme, e.g. [2, 2) or [3, 1]. Such intervals are interprete as the empty interval. The preicate r I is efine for I I all an r R 0 in the expecte way. In the TAPN with integers moel, we can use the value of a token as a parameter to the time interval on input arcs. Therefore we introuce age guars as extene time intervals with linear functions as bouns, which are efine accoring to the abstract syntax I ext ::= [(a val b, c val )], where [( { [, ( }, )] { ], ) }, {+, }, a, b, c, N 0 an val is the special keywor referring to the value of the token use. We enote the set of all age guars by I ext. Further, we let Iext inv I ext be the set of all intervals of the form [0, c val )]. We will write expressions of the form 0 val + b simply as b. We efine a function eval : I ext N 0 I all that evaluates extene intervals accoring to a specific value. For example, eval([1 val 4, 3 val + 5), 3) evaluates to the interval [ 1, 14). We let VG = { I 1, I 2,..., I n n N an I i I for 1 i n} be the set of all finite sets of value guars. For some I 1, I 2,..., I n VG an some v N 0 we write v I 1, I 2,..., I n if v I i for some 1 i n. Note that even though elements of VG are finite, they can represent infinite sets of values, e.g. [1, 4], [7, 7], [10, ) VG represents the infinite set {1, 2, 3, 4} {7} {v v 10}. We further efine the following sets: 75

82 Chapter 10 Time-Arc Petri Nets with Integers AU = {0, preserve} is the set of possible age upates on output arcs, an V U = {N 0 } {preserve} is the set of possible value upates on output arcs. Output arcs will always upate the age of a token to 0, except in the case of transport arcs which may preserve the age. Further, output arcs can set the value of the newly prouce token. If an output arc is part of a transport arc it may preserve the value or the age of the consume token. This is the reason for the inclusion of the keywor preserve in the age an value upate sets. This further means that we have four slightly ifferent types of transport arcs: they can preserve either nothing, the age, the value or both. From this notation we can now formally efine TAPN with integers. Definition 56 A TAPN with integers is a 7-tuple (P, T, IA, OA, Transport, Inhib, ι), where P is a finite set of places, T is a finite set of transitions s.t. P T =, IA P I ext VG T is a finite set of input arcs s.t. ((p, I, vg, t) IA (p, I, vg, t) IA) (I = I vg = vg ), OA T AU V U P is a finite set of output arcs s.t. ((t, au, vu, p) OA (t, au, vu, p) OA) (au = au vu = vu ), Transport : IA OA {true, false} is a function efining transport arcs s.t.for all (p, I, vg, t) IA an (t, au, vu, p ) OA if Transport((p, I, vg, t),(t, au, vu, p )) then t = t an for all α IA an all β OA (Transport(α, (t, au, vu, p )) α = (p, I, vg, t)) (Transport((p, I, vg, t), β) β = (t, au, vu, p )), Inhib : IA {true, false} is a function efining inhibitor arcs, s.t. if Inhib(α) for some α IA then for all β OA we have Transport(α, β), ι : P I inv ext VG is a function assigning age invariants an value invariants to places, an for all α IA an all β OA if Transport(α, β) then β = (t, 0, vu, p) for some t T, vu N 0 an p P. The preset of a transition t T is efine as t = {p P (p, I, vg, t) IA}. Similarly, the postset of t is efine as t = {p P (t, au, vu, p) OA}. Like the TAPN efine in Chapter 3, we o not allow multiple input arcs (resp. output arcs) between the same place an transition (resp. transition an place). 76

83 Section 10.1 Example {(3.4, 1)} {(3.4, 1)} {(3.4, 1)} {(3.4, 1)} #1 p 0 #1 p 2 #1 p 4 #1 p 6 age [2 val + 1, 7] val [1, 1], [5, 9] age [2 val + 1, 7] val [1, 1], [5, 9] age [2 val + 1, 7] val [1, 1], [5, 9] age [2 val + 1, 7] val [1, 1], [5, 9] t 1 t 2 t 3 t 4 age := preserve age := 0 age := preserve val := preserve val := preserve val := 5 age := 0 val := 5 p 1 p 3 p 5 p 7 inv: val [5, 5] Figure 10.1: Four small TAPN with integers emonstrating the semantics of integers Example Figure 10.1 shows four small TAPN with integers, each with a single transition. As evient, tokens are now pairs (x, v) where x R 0 inicates the age of the token an v N 0 inicates the value of the token. In all four moels, the age of the token must lie between 2 val + 1 (in this case 3 since the value of all tokens is 1) an 7 an moreover the value of the token must belong to the set [1, 1], [5, 9]. For transport arcs, the information on the output arc inicates which part of the tokens ata is preserve. Thus, the leftmost TAPN has a transport arc that preserves both the age an value of a token, whereas the secon an thir TAPN from the left preserves only the value an the age of the token, respectively. Notice that when only the age of the token is preserve (the thir TAPN from the left), we assign a specific value to the output token, in this case 5. The invariant on p 5 ensures that tokens may only have the value 5 in this place. The fourth TAPN emonstrates the semantics of normal arcs. Like a TAPN without integers, the age of the token is reset by the normal arcs. However, we must assign a value to the output token, as emonstrate on the output arc (in this case, the value 5). Figure 10.2 shows the same four TAPN after firing transition t 1, t 2, t 3 an t 4. Finally, let us emonstrate the integer version of inhibitor arcs. Figure 10.3 shows two simple TAPN. In the left most TAPN, both the age an value of the token in p 0 satisfy their respective guars on the inhibitor arc. Thus, transition t 1 is blocke. Looking at the rightmost TAPN, we see that the age of the token in p 3 satisfies the age guar on the inhibitor arc whereas the value oes not satisfy the value guar. Thus, transition t 2 is not blocke by the inhibitor arc because not all guars are satisfie. Similarly, if the value guar was satisfie but the age guar was not, then t 2 woul not be blocke. This conclues our introuctory example to the various features of TAPN with integers. 77

84 Chapter 10 Time-Arc Petri Nets with Integers p 0 p 2 p 4 p 6 age [2 val + 1, 7] val [1, 1], [5, 9] age [2 val + 1, 7] val [1, 1], [5, 9] age [2 val + 1, 7] val [1, 1], [5, 9] age [2 val + 1, 7] val [1, 1], [5, 9] t 1 t 2 t 3 t 4 age := preserve age := 0 age := preserve val := preserve val := preserve val := 5 age := 0 val := 5 #1 p 1 p 3 #1 {(3.4, 5)} #1 p 5 #1 p 7 inv: val [5, 5] {(3.4, 1)} {(0, 1)} {(0, 5)} Figure 10.2: The moels from Figure 10.1 after firing transitions t 1, t 2, t 3 an t Semantics We will now efine the semantics of the TAPN with integers moel. reefining the concepts from Section 3.3 with support for integers. This entails Definition 57 (Marking) Let N = (P, T, IA, OA, Transport, Inhib, ι) be a TAPN with integers. A marking M on N is a function M : P B(R 0 N 0 ), such that for every place p P, every token (x, v) M(p) an the invariant ι(p) = (I inv, vi) it hols that x eval(i inv, v) an v vi. The set of all markings over N is enote M(N). Note that we shall also sometimes use the convention (p, x, v) to refer to a token in the place p with age x R 0 an value v N 0. Likewise, we shall sometimes write M = {(p 1, x 1, v 1 ), (p 2, x 2, v 2 ),..., (p n, x n, v n )} for a marking M with n tokens locate in places p i an with age x i an value v i for 1 i n. Further, we shall sometimes inex tokens by a place, such as (p i, x pi, v pi ). We shall use this notation only when there is a unique token in the set from any particular place. A marke TAPN with integers is efine as a pair (N, M 0 ) where N is a TAPN with integers an M 0 is the initial marking on N. Note that we only allow initial markings where all tokens have age 0. There are no restrictions on the values of tokens in the initial marking. Definition 58 (Enableness) Let N = (P, T, IA, OA, Transport, Inhib, ι) be a TAPN with integers. We say that a transition t T is enable in a marking M by tokens In = {(p, x p, v p ) p t} an Out = {(p, x p, v p ) p t } if for all input arcs except inhibitor arcs, there is a token in the input place with an age an a value satisfying the age guar an value guar on the arc respectively, i.e. (p, I, vg, t) IA. Inhib((p, I, vg, t)) (x p eval(i, v p ) v p vg), 78

85 Section 10.2 Semantics {(2.4, 6)} {(1, 7)} {(2.1, 3)} {(1, 7)} #1 p 0 #1 p 1 #1 p 3 #1 p 4 age [2, 3] age [1, 3] age [2, 3] age [1, 3] val [5, 9] val [0, ) val [5, 9] val [0, ) t 1 t 2 age := 0 val := 3 age := 0 val := 3 p 2 p 5 Figure 10.3: Two small TAPN emonstrating the semantics of integers an inhibitor arcs. for all inhibitor arcs, there is no token in the input place of the arc with an age an a value satisfying the age guar an value guar on the arc respectively, i.e. (p, I, vg, t) IA. Inhib((p, I, vg, t)) ( (x, v) M(p). x eval(i, v) v vg), for all input arcs an output arcs which constitute a transport arc, if the arc is age-preserving, then the age of the output token must match that of the input token an likewise for the value if the arc is value-preserving, i.e. (p, I, vg, t) IA. (t, au, vu, p ) OA. Transport((p, I, vg, t), (t, au, vu, p )) ( au = preserve xp = x p ) (vu = preserve v p = v p ) ) for all output arcs, the age an the value must satisfy the invariants of the output locations, i.e. (t, au, vu, p ) OA. (au preserve x p = 0) (vu preserve v p = vu) x p eval(i inv, v p ) v p vi where ι(p ) = (I inv, vi). Definition 59 (Firing Rule) Let N = (P, T, IA, OA, Transport, Inhib, ι) be a TAPN with integers, M some marking on N an t T some transition of N. If 79

86 Chapter 10 Time-Arc Petri Nets with Integers t is enable in the marking M by tokens In = {(p, x p, v p ) p t} an Out = {(p, x p, v p ) p t } then it can be fire, whereby we reach a marking M efine as M = (M \ In) Out where \ an are operations on multisets. Let us now efine the notion of a time elay in our moel. To o so, we shall introuce an aition operator on multisets. For a multiset B = (R 0 N 0, f) an a non-negative real R 0, we efine the aition operator in the following manner, { f(x, v) if x 0 (B + )(x, v) = 0 otherwise where x R 0 an v N 0. Definition 60 (Time Delay) Let N = (P, T, IA, OA, Transport, Inhib, ι) be a TAPN with integers an M some marking on N. A time elay R 0 is allowe if (x + ) eval(i inv, v) where ι(p) = (I inv, vi) for all p P an all (x, v) M(p), i.e. by elaying time units no token violates the invariants. By elaying time units we reach a marking M efine as M (p) = M(p) + for all p P. The semantics of a TAPN with integers is given by a time transition system. Specifically, a TAPN with integers N = (P, T, IA, OA, Transport, Inhib, ι) generates a TTS T (N) = (M(N),, AP, µ) where the set of states are the markings on N, an the transition relation is efine such that M M if by firing some transition t in marking M we get to marking M an M M if by elaying time units in marking M we get to marking M. The set of atomic propositions AP is the same as for TAPN without integers. Thus, AP ef = {(p n) p P, n N 0 an {<,, =,, >}} an the labeling function is efine as µ(m) ef = {(p n) M(p) n, {<,, =,, >}} Translation an Correctness We will now exten the translations from Chapter 8 an Chapter 9 to support TAPN with integers. However, as the extension is not substantial, we will only argue informally that the aition of the integers is a straightforwar extension of the translations. We will o this in terms of the Broacast translation in Chapter 8. The extension lies solely in changing the guars, upates an invariants of the constructe NTA. Recall that our notion of an NTA alreay supports integer variables as these are use as counters in the two translations. Further, since the translation as a TA for each token in the net, we can simply a an integer variable for each token automaton which will serve as the token s value. Note that in the syntax an semantics we have use unboune integers, which will obviously not work for verification purposes. However, since we can only upate the value of tokens by constants on output arcs (e.g. val := 5), we are using integers in a boune way. 80

87 Section 10.3 Translation an Correctness Value guars Value guars are represente as a set of integer intervals. This can easily be translate into a isjunction of the elements. For instance, the value guar [1, 5], [7, 7], [10, ) is translate to 1 x 5 x = 7 x 10 where x is the integer variable representing the value of the token. This is ae to the guar of the corresponing t test ege in the NTA. Value upates Value upates are also straightforwar to translate. For example, a value upate of 4 on some output arc will be translate to the variable upate x := 4 on the? corresponing t fire ege in the NTA where x is the integer variable representing the value of the token. If the value upate is preserve, then no value upate is ae to the corresponing ege in the NTA. Invariants For every output arc which has an upate of the form val := n for some n N 0, we must check whether n belongs to the value invariant of the target place. If this is not the case, the transition can never fire in the TAPN moel, an we must ensure that the simulation of the transition is always isable in the NTA. We achieve this by setting the invariant on the l(t) location to x < 1 x > 1, which is always false. Intersection of guars an invariants In orer to avoi ealocks, we must intersect the guars an the target invariants? when creating the guar for the t test ege, whenever the paire input an output places are connecte by a transport arc. However, since we now have four ifferent types of transport arcs, we must be careful to hanle them correctly. Let us first escribe how to intersect the guars an invariants an then explain how to hanle the ifferent types. When intersecting value guars an value invariants, we must intersect the iniviual intervals. For example, given the value guar [1, 1], [5, 7], [10, ) an the value invariant [1, 3], [6, 20] we get the intersecte guar {[1, 1], [6, 7], [10, 20]} containing precisely the elements that appear in both sets. Age guars are more tricky since bouns are given as linear functions, which may have ifferent slopes. Because of this, we cannot intersect them in the same way as in Chapter 8 (because it is not well-efine which is larger, since it epens on the value of the token). Instea, we make a conjunction of the functions. For instance, assume that an arc contains an age guar of the form [1 val + 1, 3 val + 3) an the target place contains an age invariant of the form [0, 2 val + 2]. The guar we create in the NTA will look like the following (assuming c 1 is the name of the clock): c 1 1 val + 1 && c 1 < 3 val + 3 && c 1 2 val + 2. Now, let us hanle the four types of transport arcs. 81

88 Chapter 10 Time-Arc Petri Nets with Integers Preserve nothing: equivalent to normal arcs. Preserve age: intersect the age guar an the age invariant of the target place only. Check the value upate an the value invariant of the target place, as escribe above. Preserve value: intersect only the value guar an the value invariant of the target place. Preserve age an value: intersect age guar an the age invariant of the target place, as well as the value guar an the value invariant of the target place. Summary Thus, the small aition of integers to TAPN only requires a straightforwar extension of the translation in Chapter 8. Further, the efinition of the complete one-by-many corresponence for these translations coul be extene such that it also requires that the value of tokens in a marking matches the values of the corresponing variables in a configuration of the NTA. As there is nothing in the aition of the integers which woul break the properties of a complete one-by-many corresponence, it woul still preserve the full TCTL. Note the Degree 2 Broacast translation from Chapter 9 can be extene in a similar fashion to support integers Deciability In this section we will look into the eciability of reachability for boune TAPN with integers. We have alreay sketche a translation to time automata in Section The use of integers shoul not cause problems as we are using the integers in a boune way, since we only allow value upates using constant values. Note that the expressions use in age guars may become negative as they are of the form age [(a val b, c val )], where [( { [, ( }, )] { ], ) }, {+, } an a, b, c, N 0. However, tokens can only carry non-negative integers an thus some age guars may not be satisfiable. For instance, we coul have an arc with a guar age [ 6, 2] which can never be satisfie by any token. However, this shoul not be a problem as it just prevents certain transitions from firing. Thus, we get the following theorem. Theorem 61 Reachability is eciable for boune TAPN with integers. Let us now consier a variant of the TAPN with integers moel in which we allow value upates to be of the form val := a val b where = {+, }. Let us enote this moel by TAPN(±upates). By allowing these types of value upates we can simulate of a 2-CM. Although the TAPN moel is boune in terms of the number of tokens, there is no boun on the values of tokens. Thus, we can use a single token to simulate 82

89 Section 10.4 Deciability a single register, where the value of the token represents the value of the register. This is possible because we can use value upates to both increase an ecrease the values of tokens. Further, it is possible to test for zero on the value guars by using the value guar [0, 0]. Thus, with two tokens we are able to simulate the two registers of a 2-CM an we get the following theorem. Theorem 62 Reachability is uneciable for boune TAPN(±upates). 83

90

91 Chapter 11 TAPAAL In this chapter, we will present an overview of the verification tool TAPAAL [1], which can be use to perform moeling, simulation an verification of TAPN moels. As alreay mentione, TAPAAL translates TAPN moels into networks of time automata, thereby leveraging the UPPAAL verification engine for the actual verification. Note that this section iscusses a prototype of TAPAAL (not publicly available) which inclue aitional features not foun in the current version 1.3 release Overview We will now give a short overview of the features of the tool. Main Winow Figure 11.1 shows a screenshot of the application. In TAPAAL, it is possible to raw TAPN moels using tools foun in the toolbar. Each tab contains a rawing surface on which TAPN moels can be rawn, hence each tab contains a moel. Moels in ifferent tabs cannot communicate in any way. For each moel, TAPAAL maintains a list of queries specifie by the user an a list of integer constants in the left-han pane. It is possible to save any number of queries for each moel. Verification of a query is possible via the Verify button. It is possible to efine integer constants which can be use in invariants an guars in the moel. This is useful if we nee to use the same integer in multiple places. For example, we might specify a elay constant which nee to be inclue in multiple guars. Without integer constants, it woul be necessary to change the value of the constant in multiple places if we were to, say, change the elay from 5 to 3. With an integer constant, we can simply change the value of the constant, an it is automatically upate in every place where the constant is use. TAPAAL also allows for simulation of TAPN moels. Clicking the flag in the toolbar, puts TAPAAL into simulation moe, in which changes to the moel cannot be mae. In this moe, it is possible to simulate the net by performing time elays an transition firings. This is useful for ebugging moels uring the moeling process. 85

92 Chapter 11 TAPAAL Figure 11.1: The moeling, simulation an verification tool TAPAAL. 86

93 Section 11.1 Overview Figure 11.2: The query ialog from TAPAAL. Query Dialog Figure 11.2 shows the query ialog which is use when creating or eiting queries. In this ialog it is, among other things, possible to check whether the net is k-boune. One can specify the extra number of tokens to use (besies the tokens alreay in the moel), an then check, whether the net is boune for this number of tokens. If the net is boune for the specifie number of extra tokens, it is possible to ask TAPAAL to optimize the number of extra tokens neee. TAPAAL will then use UPPAAL to fin the supremum (least upper boun) on the number of extra tokens neee for a faithful verification. Not all reuction options in TAPAAL can verify liveness properties (EG an AF). Specifically, the translation by Byg et al. [17] introuces aitional ealocks into the 87