COMPLEXITY ANALYSIS OF THE PRESBURGER REACHABILITY PROBLEM FOR DISCRETE TIMED AUTOMATA CHENG LI

COMPLEXITY ANALYSIS OF THE PRESBURGER REACHABILITY PROBLEM FOR DISCRETE TIMED AUTOMATA By CHENG LI A thesis submitted in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE IN ELECTRICAL ENGINEERING WASHINGTON STATE UNIVERSITY School of Electrical Engineering and Computer Science DECEMBER 2002

To the Faculty of Washington State University: The members of the Committee appointed to examine the thesis of CHENG LI find it satisfactory and recommend that it be accepted. Chair ii

Acknowledgment First of all, I would like to thank my advisor Dr. Zhe Dang; this thesis would not have been possible without his continuous support. His invaluable advice, support and encouragement have made my work accomplished. I would also like to thank Dr. Dave Bakken and Dr. Curtis Dyreson for agreeing to be on my committee. Their comments, involvement and support have been extremely helpful and encouraging. I want to thank my parents, not only for raising me in the first place, but also for unconditional support and encouragement to pursue my interests. Their blessings have been a source of strength to me. I dedicate this work to them. Finally, I would like to express my sincere appreciation for my wife, Tengshun Peng. I cannot imagine that I could have completed this work without her love. iii

COMPLEXITY ANALYSIS OF THE PRESBURGER REACHABILITY PROBLEM FOR DISCRETE TIMED AUTOMATA Abstract by Cheng Li, M.S. Washington State University December 2002 Chair: Zhe Dang The Presburger reachability for discrete timed automata is to decide whether some clock values in a Presburger clock constraint are reachable in a discrete timed automaton. We present a procedure to solve this problem. The procedure constructs a finite state machine from an instance of the problem. The construction involves calculations of the minimal solutions to some linear Diophantine equations. An upper bound for the time complexity of the procedure is obtained in the thesis. This result helps to build an automatic verification tool for real-time systems in the future. However, from some preliminary experiments, we conclude that some optimization techniques shall be further developed in order for the procedure to be working on a large instance. iv

Contents Acknowledgment............................ iii Abstract................................. List of Figures.............................. iv vii 1 Introduction 1 2 Presburger Formulas and Minimal Solution 12 3 Tuple Machines 17 4 Discrete Timed Automata 24 5 Converting Discrete Timed Automata to Static Ones 27 6 The Algorithm for Static Discrete Timed Automata 38 7 A Complete Bounding Box Algorithm 51 8 TA2SMV tool 57 v

8.1 Introduction............................ 57 8.2 TA2SMV tool........................... 58 8.2.1 The input language.................... 58 8.2.2 SMV code generated by TA2SMV............ 61 8.2.3 Composition of two timed automata.......... 63 8.2.4 Complexity of the translation.............. 64 8.3 Some Examples.......................... 64 8.3.1 The subway control system................ 65 8.3.2 Example property 1.................... 65 8.3.3 Example property 2.................... 66 8.3.4 Experiments........................ 67 9 Conclusions 73 Bibliography 75 vi

List of Figures 1.1 An example of a timed automaton................ 6 5.1 Updates to the counters when y 4 resets............. 29 6.1 Partitioning A into M 0,, M k................. 39 8.1 An example of the subway system................ 65 8.2 An example of two trains in the subway............. 67 vii

Chapter 1 Introduction Model checking [1, 2, 3] is an automatic technique for verifying finite state transition systems against properties specified in a temporal logic. A finite state transition system can be understood as a directed graph over a finite number of nodes (states). The system traverses the graph from some initial states and nondeterministically chooses an arc to go. For instance, many digital circuits and communication protocols can be modelled as finite state transition systems [3]. The properties to be verified are drawn from a temporal logic which is a formalism to describing various orderings of the states on transition sequences. For the purpose of this thesis, we will focus on invariant properties in the temporal logic CTL (Computation Tree Logic)[4]. CTL is a branching time temporal logic, which views the behavior of a 1

finite state transition system as a tree with unbounded depths. Each branch in the tree resembles a nondeterministically chosen arc. CTL formulas are composed by temporal operators immediately preceded by a path quantifier. There are two path quantifiers A (for all paths) and E (for some path). These quantifiers are interpreted at a particular state to specify that all of the paths or some of the paths starting at that state satisfy the property specified by the temporal operators. An invariant is a temporal formula in the form of AG p, where A is a path quantifier, G is a temporal operator, and p is a subset of states (i.e., atomic formula). We say that a finite state transition system satisfies AG p if condition p is always, or globally (G), true in all the states of all (A) the possible paths of the transition system. The model-checking problem for AG p is to check whether, given a finite state transition system and a formula AG p, the system satisfies AG p. As the dual of AG p, EF p stands for the fact that there exists some path (E) on which eventually in the future (F) a state satisfies p. Model-checking invariants as well as the entire CTL can be implemented by an explicit state exploration on the transition graph. However, when the number of states in the graph is huge (i.e., 2 100 states), it is not feasible to even build the graph. SMV [5] is a symbolic model-checker for checking finite state transition systems against properties expressed in CTL. It is based on 2

a language for describing hierarchical finite state systems. Programs in the language can be verified by properties expressed in CTL. Since it is intended to describe finite state systems, the only data types in the language are finite ones - boolean, scalars and fixed arrays. Within SMV, complex temporal properties like safety, liveness, fairness and deadlock freedom, can be specified in a concise syntax. SMV extracts a transition system represented as an OBDD (Ordered binary decision diagrams)[6] from a SMV program and uses an OBDD-based search algorithm to efficiently determine whether the system satisfies a property. To illustrate the basic concepts of SMV, let us consider the following short example modified from an example in SMV manual: MODULE main VAR request : boolean; state : {ready,busy}; INIT init(state) := ready; TRANS (state = ready & request = true & next(state) = busy) (next(state) = ready next(state) = ready) SPEC AG(request -> AF state = busy) This is a SMV program, which contains both the transition system definition and the property specification. The states of the transition system is defined by a collection of variables. There are two variables in this example, variable request is declared as a boolean while the variable state is a scalar 3

which takes value ready or busy. INIT describes the initial values of the system. The transition relation of the system is determined by the formula under TRANS. The formula characterizes the relation between the current values of the variables and their next values (after one iteration of the transition). The property specification of the system appears as a formula in CTL under the keyword SPEC. In this example, the property is that invariantly if request is true, then inevitably the value of state is true. BMC (Bounded Model Checking)[7] is another symbolic model checking technique based on SAT (Propositional decision procedures) solvers. The basic idea of BMC is easy to understand. For instance, consider an invariant to be verified. The invariant is violated iff there is a counter example path of some length k on which the invariant is violated. Hence, we may consider all the path segments no longer than k. If none of the path segments violates the invariant, the search is continued for a larger k. For a fixed k, checking whether the invariant is violated on all the path with length k can be reduced to checking the satisfiability of some boolean formula. The satisfiability can be further decided using a SAT-solver like Grasp[8] and SATO [9]. The key to the successes of model-checking tools like SMV and BMC is representing a huge but finite set of states symbolically as a Boolean formula. Although symbolic representations have greatly increased the size of the sys- 4

tems that can be handled, many practical systems are still too large to be managed. This is known as the state-explosion problem, in which the size of the state space grows exponentially in the number of variables and concurrent components of the system. There are some techniques invented in fighting the problem (such as compositional model-checking, abstraction, symmetry reduction, etc., [3]); however, in general, this problem is still a central problem in model-checking finite state systems. Successes of verification of finite state systems have greatly encouraged researchers to investigate automatic verification of some infinite state systems. Among these systems, real-time systems are widely studied, in which predictable response times are essential for correctness in safety-critical applications. Due to the nature of such applications, errors in real-time system designs can be extremely dangerous and even fatal. Automatic verification techniques for real time systems are highly demanded. Because of their ability to express quantitative time requirements, timed automata [10] have been widely used as a standard model in specifying realtime systems. A timed automaton can be considered as a finite automaton augmented with a finite number of clocks which progress at the same rate. Clocks and the difference of two clocks can be compared to a finite number of integer constants. Boolean combinations of the comparisons are called clock 5

regions [10]. Each transition comes with some clock resets and an enabling condition which is in the form of clock regions. In this thesis, we only consider timed automata with integer valued clocks. s 1 x 1 x 2 < 12 x 1 > 5 s 2 x 3 < 4 s 3 {x 3 } {x 2 } x 2 x 3 < 8 Figure 1.1: An example of a timed automaton Figure 1.1 is an example timed automaton with three clocks x 1,x 2 and x 3. We use s, v 1, v 2, v 3 to denote a configuration of the automaton, where the automaton is at state s and integral clock values are v 1, v 2, v 3 for x 1, x 2, x 3, respectively. Here is an example execution sequence of the automaton. From configuration s 1, 0, 0, 0, since the enabling condition x 1 x 2 < 12 x 2 > 5 holds, the automaton moves to state s 2 with x 3 reset. The resulting configuration is s 2, 0, 0, 0. Then, the automaton moves to state s 3 with configuration s 3, 0, 0,, 0. From configuration s 3, 0, 0, 0, since there is no clock reset in the edge s 3 s 1 and the enabling condition x 2 x 3 < 8 holds, all clocks make progress by 1, and the automaton moves back to s 1 with configuration 6

s 1, 1, 1, 1. Repeating above procedure, we can get a sequence of configurations: s 1, 0, 0, 0 s 2, 0, 0, 0 s 3, 0, 0, 0 s 1, 1, 1, 1 s 2, 1, 1, 0 s 3, 1, 0, 0 s 1, 2, 1, 1 Timed automata are infinite state systems, since clocks can go unbounded. The region technique proposed by Alur and Dill [10], which reduces the timed automaton to a finite state system, plays a key role in building a verification tool (e.g., UPPAAL [11]) for timed automata. For instance, using the region technique, one may automatically verify the following region reachability problem for a timed automaton A: From a given state s with all the clocks 0, whether A can reach another given state s with clock values satisfying x 1 x 2 > 5. Notice that x 1 x 2 > 5 is a clock region. Although the region technique is very useful, there are cases where it is not applicable. One example is the following Presburger reachability problem: From a given state s with all the clocks 0, whether A can reach another given state s with clock values satisfying x 1 x 2 > x 3. The Presburger reachability problem exists in designing/analyzing many real-time system, in which x 1 x 2 > x 3 specifies some undesired constraint over the clock variables. A witness that satisfies the constraint is therefore 7

a bug in the design. Unfortunately, x 1 x 2 > x 3 is not a clock region and hence the region technique can not be used for automatic verification of the Presburger reachability problem [12]. In this thesis, we consider discrete timed automata (i.e., timed automata with integer valued clocks). Though many temporal verification problems involving Presburger constraints over clocks are known undecidable [10, 13, 14] for timed automata, the Presburger reachability problem is decidable. The decidability has been shown in [12] using a flattening technique and in [15, 16] using a theory of reversal-bounded counter machines [17]. The decidability proofs presented in [12, 15, 16] result in algorithms that have extremely high worst-case time complexity. For instance, the proof in [12] gives at least a triple exponential time. The proof in [15, 16], on the other hand, reduces Presburger reachability into the emptiness problem for reversal-bounded counter machines. Combining the complexity results in [18] for the emptiness problem, the proof gives a time complexity lower bounded by O(2 S k ), where S (resp. k) is the number of (control) states (resp. the number of clocks) in the timed automaton in consideration. However, the upper bound for the time complexity of the procedures given in [12, 15, 16] is unknown. The high lower-bounded complexity in the proofs [12, 15, 16] remains even when the clocks take integer values (i.e., discrete timed automata). 8

In this thesis, we present an algorithm to solve Presburger reachability for a discrete timed automaton A (with k clocks and states in S) and obtain an upper-bound for the time complexity of the algorithm. Intuitively, the algorithm is divided into two steps. In the first step, A is translated into a static discrete timed automaton A in which there is no clock constraints on transitions. The price paid in this step is to introduce k extra bounded counters to A. The translation presented in this thesis greatly improves the one in [16, 14] in which k + k 2 bounded counters are needed. In the second step, A is further decomposed into k machines M 1,, M k, each of which is a counter machine containing only one monotonic counter. A small bound, which is determined only by the Presburger formula in the Presburger reachability problem (e.g., x 1 x 2 > x 3 ), is found by studying the minimal solutions to the formula. A finite state machine M can therefore be constructed from the bound and the M i s, according to the results on tuple machines studied in Chapter 2. Roughly speaking, M is the result of a composition of all the M i s in which each counter never exceeds the bound. It can be shown that the Presburger reachability problem for A is equivalent to a state reachability problem for M. The state space size of M, in the worst case, is O(k! e max (1 + k C) 2k2 S 2k ), (1.1) where e max is a constant that only depends on the Presburger formula and C 9

is one plus the maximal absolute value of all the constants appearing in the clock constraints of A. Hence, the Presburger reachability problem of discrete timed automata is solvable in time quadratic to (1.1). Our algorithm used to derive the complexity bound does not directly lead to an efficient implementation, due to the complex nature of the algorithm itself. Later in the thesis, we present the idea of complete bounding box by computing a number B from an instance of the Presburger reachability problem. We use [A] B to denote the version of the discrete timed automaton A in the instance. It is shown that the instance is true for A iff it is true for [A] B. Hence, in theory, a finite state model-checker like SMV [5] can be directly used to check on [A] B. However, from some preliminary experiments, we conclude that a new symbolic representation is needed in order to efficiently solving the finite instance [A] B when A is large. The rest of the thesis is organized as follows. Chapter 2 presents the definitions and basic results for Presburger formulas and their minimal solutions. Chapter 3 provides an algorithm solving the Presburger reachability problem for a class of monotonic counter machines (i.e., tuple machines). Chapter 4 defines discrete timed automata and the Presburger reachability problem for them. Chapter 5 presents a translation from discrete timed automata to static ones. Chapter 6 shows an algorithm that 10

solves the Presburger reachability problem for static discrete timed automata, in which the worst-case complexity is obtained for the Presburger reachability problem. Chapter 7 presents a complete bounding box algorithm. Chapter 8 discusses the implementation issues. Chapter 9 is conclusions and discussions. 11

Chapter 2 Presburger Formulas and Minimal Solution Let N be the set of nonnegative integers and k be a positive integer. Let x 1,, x k be k variables on N. We call 1 i k a i x i # b (2.1) an equation (resp. inequality) if # is = (resp. ), where the a i s and b are integers. When (2.1) is an equation, (2.1) is made homogeneous if one makes b = 0 in the equation. We call x i c b a mod-constraint if c 0 and b are nonnegative integers. A Presburger formula P is a disjunction of m (for some m 1) conjunctions of equations, inequalities, and mod-constraints. P is made homogeneous if each equation in P is made homogeneous. It is 12

well known that Presburger formulas are closed under quantification. Let Q be a set of k-tuples (j 1,, j k ) in N k. Q is Presburger-definable if there is a Presburger formula P (x 1,, x k ) such that the set of nonnegative integer solutions to P is exactly Q. The set Q is a linear set if there exist vectors v 0, v 1,..., v q in N k such that Q = {v v = v 0 + b 1 v 1 + + b q v q, b i N}. The set Q N k is semilinear if it is a finite union of linear sets. It is known that Q is a semilinear set iff Q is Presburger-definable [19]. One may already notice that, for the purpose of this thesis, we define a Presburger formula only over nonnegative integer variables (instead of integer variables). By definition, a Presburger formula P can be written into a disjunction P 1 P m (2.2) where each P i is a conjunction L i1 L ir. (2.3) Each L ij is an equation, an inequality, or a mod-constraint. For notational convenience and without loss of generality, we assume that, among L i1,, L ir in (2.3), there are exactly n inequalities and mod-constraints (all the others are equations), for each 1 i m. An inequality can be translated 13

into an equation by introducing a slack variable (e.g., x 1 2x 2 3 into x 1 2x 2 u = 3 where u, a new variable on N, is the slack variable). A mod-constraint can be done similarly (e.g., x 1 3 1 into x 1 3u = 1). Therefore, after introducing n slack variables u 1,, u n, each P i can be rewritten into a conjunction of r equations over x 1,, x k, u 1,, u n. We use P i (x 1,, x k ) and P i (x 1,, x k, u 1,, u n ) to denote (2.3) before and after the translation, respectively. Same convention goes to P (x 1,, x k ) and P (x 1,, x k, u 1,, u n ). Notice that, here, we have only one set of slack variables u 1,, u n for all the P i s. It is routine to show that, for any x 1,, x k in N, P (x 1,, x k ) u 1,, u n N, P (x 1,, x k, u 1,, u n ). (2.4) In the sequel, for notational convenience, we shall use x k+1,, x k+n for the slack variables u 1,, u n. If m = 1, P (x 1,, x k+n ) is simply a linear Diophantine equation system with r equations. In the sequel, we shall use P hom (x 1,, x k+n ) to denote the result of making P (x 1,, x k+n ) homogeneous. Given two tuples (v 1,, v k+n ) and (v 1,, v k+n) in N k+n, we say (v 1,, v k+n ) (v 1,, v k+n) if v i v i for all 1 i k + n. We say (v 1,, v k+n ) < (v 1,, v k+n) if (v 1,, v k+n ) (v 1,, v k+n) and v i < v i for some 1 i k + n. (v 1,, v k+n) is a minimal solution to a linear Diophantine equation system 14

P if (v 1,, v k+n) is a solution to P but any (v 1,, v k+n ) with (0,, 0) < (v 1,, v k+n ) < (v 1,, v k+n) is not. (In particular, from this definition, the zero vector (0,, 0) in N k+n constitutes a minimal solution if it is a solution.) Let Min(P ) be the set of the minimal solutions to P (x 1,, x k+n ). The following facts are well-known. Lemma 1 For any linear Diophantine equation system P, both Min(P ) and Min(P hom ) are finite sets. Suppose Min(P hom ) = {v 1,, v q }. For any v N k+n, P (v) iff there are t 1,, t q N, v = v 0 + t 1 v 1 + + t q v q for some v 0 Min(P ). For each 1 i k + n, we use B i (resp. Bi hom ) to denote the maximal value of all the i-th components of the vectors in Min(P ) (resp. Min(P hom )). B i (resp. Bi hom ) is called the inhomogeneous (resp. homogeneous) bound for x i in P. When Min(P ) is empty, we let each B i = 0. Clearly, both Min(P ) and Min(P hom ) are Presburger definable. All the B i s and the Bi hom s can be computed using a Presburger solver such as the Omega library [20] for the given P. Remark. Estimating the bound for the minimal solutions to a linear Diophantine equation system (homogeneous or inhomogeneous) has been widely studied [21, 22, 23, 24, 25]. For instance, in [23], Domenjoud has shown that each B hom i is bounded by (k + n r)d, where D is the upper bound on the 15

absolute values of r r subdeterminants of the coefficient matrix for P hom (wlog, suppose the rank of the matrix is r). For inhomogeneous cases, the estimated bounds are even bigger. When P has a small size, a direct calculation of the bounding using Omega is feasible. Indeed, P, when used to specify safety properties, is in most cases very small in size, which is in contrast to the large size of a transition system [26]. When m > 1, for each 1 i k + n, one may obtain the maximal value of all the inhomogeneous (resp. homogeneous) bounds for x i in P 1,, P m ; we use ˆB 1,, ˆB k+n (resp. ˆBhom 1,, ˆB hom k+n) to denote them. The bounds will be used in the next chapter to solve the Presburger reachability problem for tuple machines. 16

Chapter 3 Tuple Machines A monotonic machine M is a finite state machine augmented with one monotonic counter (taking values in N). During a transition from one state to another, the counter can be incremented by 1 or stay unchanged. We use R ss (M) to denote the set of all the v s such that M reaches from state s to state s during which the total increments to the counter is v. M can also be treated as a finite automaton working on a one-way unary input tape, where reading an input symbol corresponds to incrementing the counter by 1. R ss (M) is a regular language when each element is encoded as a unary string. Therefore, R ss (M), as a set of numbers, is Presburger definable. Let k N and M be a k-tuple (M 1,, M k ) of monotonic machines. Let S i be the finite state set of M i. In the sequel, M is also called a tuple machine. We are 17

interested in the following Presburger reachability problem for tuple machines: Given: A k N, a tuple machine M = (M 1,, M k ), two subsets S init, S final S 1 S k, and a Presburger formula P (x 1,, x k ). Question: Is P reachable in M? (i.e., are there (s 1,, s k ) S init and (s 1,, s k) S final such that there is a solution (x 1,, x k ) N k to P satisfying x i R si s (M i i) for each 1 i k?) The problem is obviously decidable. This is because the answer to the question is equivalent to, for some (s 1,, s k ) S init and (s 1,, s k) S final, the following is true: x 1,, x k N, 1 i k x i R si s i (M i) P (x 1,, x k ). (3.1) Since each R si s (M i i), 1 i k, is Presburger definable, the truth value of (3.1) is decidable. However, verifying (3.1) directly would require computing a regular expression for each R si s (M i i) (treated as a unary language). Calculating the regular expression may cause an exponential blow-up in the size of the resulting regular expression (see [27]). In the following, we propose a technique that uses a finite state modelchecker (e.g., SMV [5]) to solve the Presburger reachability problem. Notice that, in general, the counters in M are unbounded. Therefore, M can not be simply treated as a finite state machine. Suppose P is in the form of 18

(2.2). Our technique first calculates bounds ˆB 1,, ˆB k+n and ˆB hom 1,, ˆB hom k+n from P, as shown in Chapter 2. (Recall that n is the number of the slack variables.) Notice that the bounds do not depend on M. Then, we construct a machine M containing counters c 1,, c k+n, whose values are bounded by max( ˆB 1, ˆB hom 1 ),, max( ˆB k+n, ˆB hom k+n), respectively. Hence, M is a finite state machine. After showing that the Presburger reachability problem for M is equivalent to a state reachability problem (Given two states, can one reach the other?) for the finite state machine M, a symbolic model-checker like SMV may be used directly to solve the problem. The result will be used in the later chapters to solve the Presburger reachability problem for discrete timed automata. Given M, the finite state machine M works as follows. M first guesses a tuple (s 1,, s k ) in S init, and M then simulates M in which each M i starts from s i. M uses counters c 1,, c k to simulate x 1,, x k in M (x i is the counter in M i ) and uses c k+1,, c k+n to simulate the slack variables. Initially, c 1,, c k+n are all 0 and M guesses a number j 0 with 1 j 0 m. (Recall that m is defined in (2.2).) An execution of M consists of some homogeneous rounds followed by one inhomogeneous round. In a homogeneous round, for each 1 i k, M i is executed for 0 or more moves and then, nondeterministically, it is suspended. Additionally, for each k+1 i k+n, M executes c i := c i +1 19

for 0 or more times (chosen nondeterministically). During the homogeneous round, whenever x i, 1 i k, is incremented by one, so is c i. M crashes if some c i, 1 i k + n, exceeds ˆB hom i during the round. At the end of the homogeneous round, M makes sure that Pj hom 0 (c 1,, c k+n ) holds otherwise, M crashes. The round is completed by resetting every c i, 1 i k + n, to 0. A new homogeneous round may be started by resuming every M i from the suspended point. After 0 or more homogeneous rounds, nondeterministically, M decides to start the inhomogeneous round. The inhomogeneous round is exactly as a homogeneous round except for the following two items: during the inhomogeneous round, M crashes if some c i, 1 i k + n, exceeds ˆB i (instead of ˆB hom i ); at the end of the inhomogeneous round, M makes sure that P j0 (c 1,, c k+n ) (instead of Pj hom 0 (c 1,, c k+n )) holds. M terminates if on completing the inhomogeneous round, the tuple (s 1,, s k) is in S final, where s i is the state of M i. Theorem 1 P is reachable in M iff M terminates. Proof.. Suppose that P is reachable in M, witnessed by a solution (x 1,, x k ). According to (2.4) and (2.2), there is a j 0 such that P j0 (x 1,, x k, x k+1,, x k+n ) 20

holds for some slack variable values x k+1,, x k+n. According to Lemma 1, (x 1,, x k+n ) = v 0 + t 1 v 1 + + t q v q for some t 1,, t q N. Notice that v 0 Min(P j0 ) and v 1,, v q are in Min(Pj hom 0 ). It is not hard to see that M terminates by performing, for each 1 l q, t l homogeneous rounds (each such round makes the counters (c 1,, c k+n ) incremented by v l ), and finally performing an inhomogeneous round during which the counters are incremented by v 0.. Obvious. Each counter c i, 1 i k + n, in M is in the range of 0.. max( ˆB i, ˆB hom i ). A state of M is a tuple of counter values, the choice of j 0, and the states of each M i in M. Let e = (1 + max( ˆB i, 1 i k+n ˆB hom i )). (3.2) e depends only on P. The total number of states in M is e Π 1 i k S i, where each S i is the number of states in M i. Deciding whether M terminates therefore has time complexity quadratic to O(e Π 1 i k S i ) (e.g., using a depth-first search). Hence, Theorem 2 Whether P is reachable in M is decidable in time quadratic to O(e Π 1 i k S i ) where e is defined in (3.2). In practice, when the number of states in M is big (e.g., 2 100 ), a symbolic 21

model-checker like SMV can be used to check whether M terminates, instead of explicitly running a depth-first search. For this purpose, we will show the following formal construction of M, which can be easily adapted into a SMVcode for the model-checker. A state in M is a tuple (s 1,, s k, c 1,, c k+n, j 0 ) where each s i S i, each c i is in 0.. max( ˆB i, hom ˆB i ), and 1 j 0 m. For any 1 i k and any two states s i and t i in M i, we use s i δ t i (3.3) to denote a transition in M i that transits from state s i to state t i while incrementing the counter x i by δ {0, 1}. For each (s 1,, s k, c 1,, c k+n, j 0 ), whenever there is a transition in the form of (3.3) for some 1 i k, we add the following transition to M ˆB hom i (s 1,, s k, c 1,, c k+n, j 0 ) c i+δ (s 1,, t i,, s k, c 1,, c i +δ,, c k+n, j 0 ), where c i + δ hom ˆB i is the enabling condition. In addition, for each (s 1,, s k, c 1,, c k+n, j 0 ), we add the following transition (s 1,, s k, c 1,, c k+n, j 0 ) P hom j 0 (c 1,,c k+n ) (s 1,, s k, 0,, 0, j 0 ) 22

to M. Finally, we add two new states called start and success to M. For each 1 j 0 m and each (s 1,, s k ) S init, the following transition is added to M : start (s 1,, s k, 0,, 0, j 0 ). We also add a transition (s 1,, s k, c 1,, c k+n, j 0 ) P j 0 (c 1,,c k+n ) success to M for each (s 1,, s k) S final, each c 1,, c k+n and each j 0. This completes the construction of M. Clearly, M terminates iff start reaches success in M. 23

Chapter 4 Discrete Timed Automata A timed automaton [10] is a finite state machine augmented with a number of clocks. All the clocks progress synchronously with rate 1, except when a clock is reset to 0 at some transition. A clock region is a Boolean combination of clock constraints in the following form: x#c, x y#c, where x, y are clocks, # denotes,, <, >, or =, and c is an integer. A discrete timed automaton A is a tuple S, {x 1,, x k }, E where S is a finite set of (control) states, x 1,, x k are clocks taking values in N, and E is a finite set of edges or transitions. Each edge s, λ, l, s denotes 24

a transition from state s to state s with enabling condition l in the form of clock regions and a clock reset set λ {1,, k}. Sometimes, we also write the edge as s l λ s, or simply s λ s when l is true. Without loss of generality, we assume that λ 1. That is, each transition resets at most one clock. (Resetting several clocks can be simulated by resetting one by one.) When λ =, the edge is called a progress transition. Otherwise, it is a reset transition. A is static if the enabling condition on each edge is simply true. The semantics of A is defined as follows. A configuration is a tuple of a control state and clock values. Let s, v 1,, v k and s, v 1,, v k be two configurations. s, v 1,, v k s, v 1,, v k denotes a one-step transition satisfying all of the following conditions, There is an edge s, λ, l, s in A, The enabling condition of the edge is satisfied; i.e., l(v 1,, v k ) is true, If λ = (i.e., a progress transition), then every clock progresses by one time unit; i.e., v i = v i + 1, 1 i k, If for some j, λ = {j} (i.e., a reset transition), then x j resets to 0 and all the other clocks do not change; i.e., v j = 0 and v i = v i for each 1 i j k. 25

s, v 1,, v k reaches s, v 1,, v k if s, v 1,, v k s, v 1,, v k where is the transitive closure of. Let S init and S final be two subsets of S. A Presburger formula P (x 1,, x k ) is reachable in A if there are two states s S init and s S final, and clock values v 1,, v k N such that s, 0,, 0 reaches s, v 1,, v k, and P (v 1,, v k ) holds. The Presburger reachability problem for discrete timed automata is to decide whether P is reachable in A. The problem is known decidable. However, the decidability proofs [12, 16, 15], as we mentioned earlier, do not come up with a practical algorithm and with high time complexity. In the following two chapters, we present an algorithm to solve the problem. In Chapter 5, the discrete timed automata is converted to static ones. In Chapter 6 using the results in Chapter 3, an algorithm is given for static discrete timed automata. 26

Chapter 5 Converting Discrete Timed Automata to Static Ones Let A be a discrete timed automaton. Since enabling conditions in A are in the form of clock tests: x i x j #c and x i #c, in general A is not static. In this chapter, we will present a technique to eliminate these tests and thus to transform A into a static discrete timed automaton A. In the previous work [16], we used k 2 + k bounded integer variables to do the elimination. Here, we present a new technique that introduces only k (instead of k 2 + k) bounded integer variables (called bounded counters). The technique is as follows. Let C be one plus the maximal absolute value of all the constants appearing the tests in A. Let y 1,, y k be k bounded 27

counters whose range is 0..k C. Initially, the counters are 0. A faithfully simulates every transition of A. In particular, on a transition of A, A updates the counters according to the updating instructions shown below. There are two goals of the instructions. One is to ensure that each counter is indeed bounded in 0..k C. In fact, as will be shown later, at any moment of the simulation, if we sort the counter values y 1,, y k into a nondecreasing sequence, then the first value in the sequence as well as the difference between any two adjacent values in the sequence is bounded in 0..C. (Hence, each y i is in 0..k C.) The other goal is to ensure that, at any moment of the simulation, we can use y i y j #c and y i #c to replace tests x i x j #c and x i #c, respectively. After the replacement, A is static, since y i y j #c and y i #c are tests on bounded counter values. Now, we give the updating instructions. On a progress transition, A updates the counters as follows (we use y i to denote the new value of y i ): If min(y 1,, y k ) < C then y i = y i + 1 (for each 1 i k) else y i = y i (for each 1 i k). Therefore, if the minimal value of the counter values is less than C, every counter is incremented by 1. Otherwise, the values do not change. On a reset transition, the updates are more complex. Figure 5.1 shows an example of resetting x 4 (hence y 4 ). Suppose that, for simplicity, y 1,, y k are already in 28

0 y1 y2 y3 y4 y5 yk... shrink Figure 5.1: Updates to the counters when y 4 resets the nondecreasing order. After resetting y 4 to 0, y 3 and y 5 are adjacent. In order to ensure the first goal mentioned earlier, once the gap of y 5 y 3 is greater than C, we shall shrink the gap by moving all the values y 5,, y k uniformly to the left by the amount of y 5 y 3 C. The result gives the new values of the y i s. The details of the updating instructions for a reset transition are given as follows. Assume that clock x j, for some j, resets on the transition. We still use y i (resp. y i) to denote the old (resp. new) value. Suppose that y 1,, y k are rearranged into a nondecreasing order 0 y h1 y hk. (One may have many different choices for the h s. Pick one.) Let q be the index satisfying h q = j. We have the following cases to consider. Case 1. q = k. In this case, the updating instructions are y j = 0, and y i = y i, for each 1 i j k. Case 2. q = 1 and k > 1. In this case, the updating instructions are 29

y j = 0, and if y hq+1 > C, then ( shrink ) y i = y i (y hq+1 C), for each 1 i j k, else y i = y i, for each 1 i j k. Case 3. 1 < q < k. In this case, the updating instructions are y j = 0, and if y hq+1 y hq 1 > C, then ( shrink ) y h i = y hi (y hq+1 y hq 1 C) for each q < i k, and y h i = y hi for each 1 i < q, else y i = y i, for each 1 i j k. After adding these updating instructions, we claim that the first goal is met. That is, Claim 1. y h1,, y hk At any moment of executing A, any nondecreasing sequence for y 1,, y k is tight; i.e., y h1 C and y hi+1 y hi C (5.1) 30

for each 1 i < k. Therefore, y 1,, y k are all bounded in 0..k C. Proof of Claim 1. Clearly, the claim holds for the initial values, which are 0, for y 1,, y k. Suppose that the claim holds when A executes l progress/reset transitions with counter values y 1,, y k. If the next transition is a progress transition, the claim also holds for the new values y 1,, y k by looking at the updating instructions on the transition. Now, suppose that the next transition is a reset transition on which x j resets. Let y h1,, y hk be a nondecreasing sequence (chosen arbitrarily) for y 1,, y k. For each of the three cases in the definition of the updating instructions for the reset transition, one can show that there is some tight nondecreasing sequence for the new values y 1,, y k. Observe that, any nondecreasing sequence for y 1,, y k is tight if one nondecreasing sequence is tight. The claim then follows. In below, we claim that the second goal is also met. That is, Claim 2. By adding the updating instructions to A, after A executes any transition, the following conditions hold for all 1 i, j k and for each integer c, C < c < C: (1). x i x j #c iff y i y j #c, (2). x i #c iff y i #c. Proof of the Claim 2. We prove it by induction. 31

The Claim holds for the initial values v i of all clocks x i since the clock values start from 0. If we let y i = 0, then the claim holds. Suppose that A is currently at configuration s, v 1,, v k and the Claim holds. Thus, we assume the induction hypothesis as follows. For all 1 i k and for each integer c [m 1] (i.e., all the integers from (m 1) to m 1), v i v j #c iff y i y j #c and v i #c iff y i #c hold. Therefore, s, v 1,, v k satisfies an enabling condition x i x j #c (resp. x i #c) in A iff the entry y i satisfies the same enabling condition by replacing x i x j (resp. x i ) with y i y j (resp. y i ), noticing that m is chosen such that it is greater than the absolute value of any constant in all the enabling conditions in A. Assume s, v 1,, v k satisfies the enabling condition on an edge e and A will execute e next. Thus, A, using the entry y i to test the enabling condition, will also execute the same edge. We use s, v 1,, v k to denote the configuration after executing the edge, and use y i to denote the entry values after executing the edge. We need to show, for all 1 i k and for each integer c [m 1], for all 1 i, j k and for each integer c [m 1], (*) v i v j#c iff y i y j#c 32

and (**) v i#c iff y i#c hold. There are two cases to consider according to the form of the assignment on edge e. Case 1. The assignment is a clock progress x i := x i + 1 for all 1 i k. After firing the edge, v i = v i + 1 for each 1 i k. On the other hand, according to the entry updating procedure, y i are updated for each 1 i k as follows: y i = y i + 1 if y c1 < m y i if y c1 m, y i y j = y i y j. Therefore, Claim (*) holds. This is because v i v j#c iff v i v j #c iff (induction hypothesis) y i y j #c iff y i y j#c. Claim (**) holds. This can be shown by considering the following two subcases, noticing that y i is nonnegative: the subcase for y c1 < m. Notice that y i = y i + 1, and from the induction hypothesis (v i #c iff y i #c) (v i #c 1 iff y i #c 1). We have v i#c iff v i + 1#c iff y i + 1#c iff y i#c. 33

the subcase for y c1 = m. Notice that y i = y i m, and from the induction hypothesis, v i m. Hence, v i = v i + 1 > m. By the choice of c, we have v i#c iff m#c iff y i#c. Case 2. The assignment is a clock reset in the form of x i := 0 for x i λ, where λ is the set of clock resets on edge e. Notice that, in this case, if x i λ, then v i = 0, else v i = v i. If x i λ and y i is the j-th smallest counter y cj in A, let set y be the set of counters {y c1 y cj 1 } which are less than or equal to y cj, let set y be the set of counters {y cj+1 y ck } which are greater than or equal to y cj. In order to show Claim (*) holds, there are four subcases to consider according to the entry updating procedure for y i : for all 1 i k, If x i, x j λ, then v i = v j = 0, y i = y j = 0 and therefore v i v j = y i y j = 0. Thus, Claim (*) holds. If x i λ and x j λ, then, v i = 0, v j = v j, y i = 0. There are two subcases to consider: the subcase for y cj+1 y cj 1 m. y j = y j, y i y j = y j. Thus, for each c [m 1], v i v j#c iff v j #c iff (induction hypothesis) y j #c iff y i y j#c. Thus, Claim (*) holds. the subcase for y cj+1 y cj 1 > m. If y j y then y j = y j. Thus, Claim (*) holds(first subcase). 34

If y j y then y j m, v j m(induction hypothesis), v j > m, y j = y j (y cj+1 y cj 1 m) y cj+1 (y cj+1 y cj 1 m) = y cj 1 + m m. Thus, for each c [m 1], v i v j#c iff v j#c iff m#c iff y j#c iff y i y j#c. Thus, Claim (*) holds. If x i λ and x j λ, similar to the above. If x i λ and x j λ, then, v i = v i, v j = v j. There are two subcases to consider: the subcase for y cj+1 y cj 1 m. y i = y i, y j = y j. v i v j#c iff v i v j #c iff (induction hypothesis) y i y j #c iff y i y j#c. Thus, Claim (*) holds. the subcase for y cj+1 y cj 1 > m. If y i, y j y then y i = y i, y j = y j. Thus, Claim (*) holds(first subcase). If y i, y j y then y i = y i (y cj+1 y cj 1 m), y j = y j (y cj+1 y cj 1 m), y i y j = y i y j. Thus, Claim (*) holds(first subcase). If y i y and y j y then y i y j < m, y i = y i, y j = y j (y cj+1 y cj 1 m). y i y j = y i y j + (y cj+1 y cj 1 m) (y cj+1 y cj 1 ) + (y cj+1 y cj 1 m) = m. Thus, for each 35

c [m 1], v i v j#c iff v i v j #c iff y i y j #c iff m#c iff y i y j#c. Thus, Claim (*) holds. If y i y and y j y, similar to the above. Now we prove Claim (**) holds. There are two subcases to consider according to the entry updating procedure for y i : for all 1 i k, If x i λ, v i = v i. There are two subcases to consider: the subcase for y cj+1 y cj 1 m. y i = y i. Claim (**) holds. the subcase for y cj+1 y cj 1 > m. If y i y then y i = y i. Thus, Claim (**) holds(first subcase). If y i y then y i > m, v i > m, y i = y i (y cj+1 y cj 1 m) y cj 1 + m m. By the choice of c, we have v i#c iff m#c iff y i#c. If x i λ, then y i = 0, and v i = 0. Claim (**) also holds. This ends the proof of the Claim 2. From the claim, it is valid to replace clock tests x i x j #c and x i #c with tests y i y j #c and y i #c on finite state variables y 1,, y k. Hence, A is static. Given a Presburger formula P (x 1,, x k ) and two state sets S init and S final, consider the instance of the Presburger reachability problem for A. Recall that 36

P is reachable in A with respect to S init and S final if there are s S init and s S final such that (s, 0,, 0) reaches (s, x 1,, x k ) in A with P (x 1,, x k ), for some x 1,, x k. Define S init = {(s, 0,, 0) : s S init } and S final = {(s, y 1,, y k ) : s S final, 0 y 1,, y k k C}. Both of the sets are state sets of A (since now a state in A is a state in A augmented with counter values). Clearly, Theorem 3 P is reachable in A with respect to S init and S final iff P is reachable in A with respect to S init and S final. The number of states in A is (1 + k C) k S. (5.2) Remark. In [16], a table look-up technique was proposed to translate discrete timed automaton A into a static one A. The technique needs to introduce k 2 + k bounded counters whose range is in 0..C. Hence, the state space of A would be (1 + C) k2 +k S which is greater than the one obtained in (5.2) using the technique in this chapter when C is large. 37

Chapter 6 The Algorithm for Static Discrete Timed Automata A static discrete timed automaton A is a discrete timed automaton without enabling conditions (i.e., each condition is simply true). Hence, in A, there are two kinds of transitions: a progress transition in the form of s {} s that increments every clock by 1, and a reset transition in the form of s {j} s that resets the clock x j to 0 (all the other clocks remain unchanged). Given two states s and s, consider an execution path p of A from s to s. Suppose 38

that clocks x 1,, x k in A start with 0 and end with values v 1,, v k on p. What is the value v i for clock x i? It is the total number of the increments made to x i since the last reset of x i (if x i does not reset on p, we may treat the last reset as the starting point of p). Therefore, v i is insensitive to the values of x i before the last reset. In other word, those values can be ignored. This observation inspires us to further partition p as follows. v1 v2 x1 v3 x2 x3 vk xk... M0 M1 M2 Mk y1 y2 yk Figure 6.1: Partitioning A into M 0,, M k For simplicity, we assume that all the clocks x 1,, x k are reset on p and, furthermore, the last resets of the clocks are in this order: x 1,, x k. As shown in Figure 6.1, p is partitioned into k + 1 segments, marked by M 0,, M k, respectively. For each 1 i k, clock x i resets at the beginning of the segment marked by M i in fact this is also the last reset for x i. Hence, after M i begins, none of the clocks x j s with j i resets. Suppose that y i is the 39

total number of progress transitions on the segment marked by M i, 1 i k. Clearly, y i is also the total increments made towards x i on the segment. The relationship between (y 1,, y k ) and (v 1,, v k ) is as follows, v 1 = y 1 + y 2 + + y k, v 2 = y 2 + + y k,. v k = y k. From this relationship, p can be considered as an execution of the sequential composition of the following machines: M 0, M 1,, M k, where M 0 is the finite state machine that keeps all the state transitions of A but ignores clock resets and progresses, Each M i, 1 i k, is a monotonic machine with counter y i. M i simulates the following behavior of A: A starts with a reset transition for x i and proceeds with a sequence of progress/reset transitions on which none of x j (j i) is reset. In the simulation, each reset transition s {j} s is simulated by a transition s y i:=y i s in M i ; each progress transition s {} s is simulated by a transition s y i:=y i +1 s in M i. Obviously, M 0 and M 1 can be sequentially composed into a monotonic machine we still use M 1 to denote the resulting monotonic machine. The Pres- 40

burger reachability problem for A with respect to a given Presburger formula P (x 1,, x k ) can therefore be translated into the Presburger reachability problem for the tuple machine (M 1,, M k ) with respect to the Presburger formula P (y 1 + + y k,, y k ). The algorithm presented in Chapter 3 can therefore be applied. However, here, (M 1,, M k ) is not a tuple machine in the sense of Chapter 3. The reason is that M 1,, M k are sequential: each M i ends with the starting state of M i+1. This problem can be easily solved by making each M i working on a pair of states: one is used to remember the starting state of M i and the other one is the original state in M i. In this way, the sequentiality can be justified by properly choosing S init and S final in the corresponding Presburger reachability problem for the tuple machine. From Chapter 3, one may obtain a finite state machine M. There are only finitely many choices for the order of the last resets. One may combine all of the M s for each choice and result in a finite state machine M. The rest of the chapter presents a formal construction from A to M, when all of the orders are considered. Before we proceed to show the construction, more definitions are needed. Finite(A) is a finite state machine M on states S defined as follows: for any s 1, s 1, s 1 s 1 is a transition in M iff one of the followings is true: s 1 = s 1, either s 1 {} s 1 or s 1 {j} s 1 (for some j) is a transition in A. 41

Clearly, Finite(A) is exactly the M 0 shown above. Reset(λ) is a finite state machine M on states S such that for any s 1, s 1, s 1 s 1 is a transition in M iff s 1 {j} s 1 (for some j λ) is a transition in A. Hence, Reset(λ) is the result of keeping only the state transitions in A that reset some clock in λ. Mono(A, λ, y) is a monotonic machine M on states S and with counter y defined as follows: for any s 1, s 1, s 1 y:=y s 1 is a transition in M iff either s 1 = s 1 or s 1 {j} s 1 (for some j λ) is a transition in A, and s 1 y:=y+1 s 1 is a transition in M iff s 1 {} s 1 is a transition in A. Roughly speaking, Mono(A, λ, y) is the result of keeping only the state transitions in A that do not reset a clock in λ. In the meantime, Mono(A, λ, y) replace every progress transition in A by a counter increment. It is not hard to see that each M i, 1 i k, constructed earlier as in Figure 6.1 can be treated as Mono(A, {1,, i}, y i ). For each machine M of Finite(A), Reset(λ), and Mono(A, λ, y), one can easily make a pairwise version ˆM that works on states S S. For instance, let M = Finite(A). ˆM can be defined as follows: for all s, s1, s 1, (s, s 1 ) (s, s 1) is a transition in ˆM iff s 1 s 1 is a transition in M. That is, any execution of ˆM does not change the first state in a state pair. For notational convenience, 42

in the sequel, we still use Finite(A), Reset(λ), and Mono(A, λ, y) to denote their pairwise versions. Recall that an instance of the Presburger reachability problem for static discrete timed automata is as follows: Given: A static discrete timed automaton A with clocks x 1,, x k, two sets S init, S final S, and a Presburger formula P (x 1,, x k ). Question: Is P reachable in A? (i.e., are there s S init and s S final such that for some v 1,, v k, A can reach from state s with clocks being 0 to state s with clock values (v 1,, v k ) satisfying P (v 1,, v k )?) From this instance, we will construct a finite state machine M such that the Question part is true iff M terminates (will be defined in a moment). The construction is shown in Algorithm6.1. Algorithm 6.1 1 For each 0 n k and for each sequence of clock reset sets λ 1,, λ n, where each λ i contains exactly one element in {1,, k}, and all of the λ i s are pairwisely disjoint, If 1 i n λ i {1,, k}, then build a finite state machine M λ1,,λ n using Algorithm 6.1.1, 43