Automata for Real-Time Systems

B. Srivathsan

Chennai Mathematical Institute

Let T Σ

^∗

denote the set of all timed words

Universality: Given A, is L(A) = T Σ

^∗

? Inclusion: Given A, B, is L(B) ⊆ L(A) ?

Universality and inclusion are undecidable when A has two clocks or more

A theory of timed automata

Alur and Dill.TCS’94

Lecture 5:

A decidable case of the inclusion

problem

Universality: Given A, is L(A) = T Σ

^∗

? Inclusion: Given A, B, is L(B) ⊆ L(A) ?

One-clock restriction

Universality and inclusion are decidable when A has at most one clock

On the language inclusion problem for timed automata: Closing a decidability gap

Ouaknine and Worrell.LICS’05

In this lecture: universality for one clock TA

Universality: Given A, is L(A) = T Σ

^∗

? Inclusion: Given A, B, is L(B) ⊆ L(A) ?

One-clock restriction

Universality and inclusion are decidable when A has at most one clock

On the language inclusion problem for timed automata: Closing a decidability gap

Ouaknine and Worrell.LICS’05

In this lecture: universality for one clock TA

Step 0:

Well-quasi orders and Higman’s Lemma

Quasi-order

Given a setQ, aquasi-orderis areflexiveandtransitiverelation:

v ⊆ Q × Q

I (N,≤)

I (Z,≤)

LetΛ ={A,B, . . . ,Z}, Λ^∗={set of words}

I (Λ^∗, lexicographic orderv_L): AAAB v_L AAB v_L AB

I (Λ^∗, prefix order⊆_P): AB ⊆_P ABA ⊆_P ABAA

I (Λ^∗, subword order4) HIGMAN 4HIGHMOUNTAIN [OW’05]

Well-quasi-order

An infinite sequencehq₁,q₂, . . .iin(Q,v)issaturatingif ∃i<j:q_ivq_j

A quasi-ordervis awell-quasi-order (wqo)ifeveryinfinite sequence is saturating

I (N,≤)

√

I (Z,≤)

×

−1≥ −2≥ −3, . . .

I (Λ^∗, lexicographic orderv_L):

×

B w_L ABw_L AAB . . .

I (Λ^∗, prefix order⊆_P):

×

B, AB, AAB, . . .

I (Λ^∗, subword order4)

?

Well-quasi-order

An infinite sequencehq₁,q₂, . . .iin(Q,v)issaturatingif ∃i<j:q_ivq_j

A quasi-ordervis awell-quasi-order (wqo)ifeveryinfinite sequence is saturating

I (N,≤)√

I (Z,≤)

×

−1≥ −2≥ −3, . . .

I (Λ^∗, lexicographic orderv_L):

×

B w_L ABw_L AAB . . .

I (Λ^∗, prefix order⊆_P):

×

B, AB, AAB, . . .

I (Λ^∗, subword order4)

?

Well-quasi-order

An infinite sequencehq₁,q₂, . . .iin(Q,v)issaturatingif ∃i<j:q_ivq_j

A quasi-ordervis awell-quasi-order (wqo)ifeveryinfinite sequence is saturating

I (N,≤)√

I (Z,≤)

×

−1≥ −2≥ −3, . . .

I (Λ^∗, lexicographic orderv_L):

×

B w_L ABw_L AAB . . .

I (Λ^∗, prefix order⊆_P):

×

B, AB, AAB, . . .

I (Λ^∗, subword order4)

?

Higman’s lemma

Letvbe a quasi-order onΛ

Define the inducedmonotone domination order4onΛ^∗as follows:

a₁. . .a_m 4 b₁. . .b_n if there exists astrictly increasingfunction f :{1, . . . ,m} 7→ {1, . . . ,n}s.t

∀1≤i≤m: a_i v b_f(i)

Higman’52

Ifvis a wqo onΛ, then the induced monotone domination order4is a wqo onΛ^∗

Higman’s lemma

Letvbe a quasi-order onΛ

Define the inducedmonotone domination order4onΛ^∗as follows:

a₁. . .a_m 4 b₁. . .b_n if there exists astrictly increasingfunction f :{1, . . . ,m} 7→ {1, . . . ,n}s.t

∀1≤i≤m: a_i v b_f(i)

Higman’52

Ifvis a wqo onΛ, then the induced monotone domination order4is a wqo onΛ^∗

Subword order

Λ := {A,B, . . . ,Z}

v := x v yifx = y

v is awqoas Λ isfinite

Induced monotone domination order4is the subword order HIGMAN 4HIGHMOUNTAIN

By Higman’s lemma,4is a wqo too

If we start writing aninfinite sequenceof words, we willeventually write down asuperwordof an earlier word in the sequence

Subword order

Λ := {A,B, . . . ,Z}

v := x v yifx = y v is awqoas Λ isfinite

Induced monotone domination order4is the subword order HIGMAN 4HIGHMOUNTAIN

By Higman’s lemma,4is a wqo too

If we start writing aninfinite sequenceof words, we willeventually write down asuperwordof an earlier word in the sequence

Subword order

Λ := {A,B, . . . ,Z}

v := x v yifx = y

v is awqoas Λ isfinite

Induced monotone domination order4is the subword order HIGMAN 4HIGHMOUNTAIN

By Higman’s lemma,4is a wqo too

If we start writing aninfinite sequenceof words, we willeventually write down asuperwordof an earlier word in the sequence

Subword order

Λ := {A,B, . . . ,Z}

v := x v yifx = y

v is awqoas Λ isfinite

Induced monotone domination order4is the subword order HIGMAN 4HIGHMOUNTAIN

By Higman’s lemma,4is a wqo too

If we start writing aninfinite sequenceof words, we willeventually write down asuperwordof an earlier word in the sequence

Step 1:

A naive procedure for universality of one-clock

TA

Terminology

LetA= (Q,Σ,Q0,{x},T,F)be a timed automaton with one clock

I Location: q₀,q₁,· · · ∈Q

I State: (q,u)whereu∈R≥0gives value of the clock

I Configuration: finiteset of states

{(q1,2.3),(q0,0)}

q₀ q₁

x<1,a

{x}

1≤x≤3,Σ

x≥2,b

Terminology

LetA= (Q,Σ,Q0,{x},T,F)be a timed automaton with one clock

I Location: q₀,q₁,· · · ∈Q

I State: (q,u)whereu∈R≥0gives value of the clock

I Configuration: finiteset of states{(q1,2.3),(q0,0)}

q₀ q₁

x<1,a

{x}

1≤x≤3,Σ

x≥2,b

Transition between configurations:

{(q₀,0)} −−−→^0.2,a

{(q₁,0.2)} −−−→ {(q^2.1,b ₁,2.3),(q₀,0)}. . .

q0 q1

x<1,a

{x}

1≤x≤3,Σ

x≥2,b

C₁ −−→^δ,a C₂if

C₂={(q₂,u₂)| ∃(q₁,u₁)∈C₁s. t.(q₁,u₁) −−→^δ,a (q₂,u₂)}

Transition between configurations:

{(q₀,0)} −−−→ {(q^0.2,a ₁,0.2)}

2.1,b

−−−→ {(q₁,2.3),(q₀,0)}. . .

q0 q1

x<1,a

{x}

1≤x≤3,Σ

x≥2,b

C₁ −−→^δ,a C₂if

C₂={(q₂,u₂)| ∃(q₁,u₁)∈C₁s. t.(q₁,u₁) −−→^δ,a (q₂,u₂)}

Transition between configurations:

{(q₀,0)} −−−→ {(q^0.2,a ₁,0.2)} −−−→^2.1,b

{(q₁,2.3),(q₀,0)}. . .

q0 q1

x<1,a

{x}

1≤x≤3,Σ

x≥2,b

C₁ −−→^δ,a C₂if

C₂={(q₂,u₂)| ∃(q₁,u₁)∈C₁s. t.(q₁,u₁) −−→^δ,a (q₂,u₂)}

Transition between configurations:

{(q₀,0)} −−−→ {(q^0.2,a ₁,0.2)} −−−→ {(q^2.1,b ₁,2.3),(q₀,0)}. . .

q0 q1

x<1,a

{x}

1≤x≤3,Σ

x≥2,b

C₁ −−→^δ,a C₂if

C₂={(q₂,u₂)| ∃(q₁,u₁)∈C₁s. t.(q₁,u₁) −−→^δ,a (q₂,u₂)}

Transition between configurations:

{(q₀,0)} −−−→ {(q^0.2,a ₁,0.2)} −−−→ {(q^2.1,b ₁,2.3),(q₀,0)}. . .

q0 q1

x<1,a

{x}

1≤x≤3,Σ

x≥2,b

C₁ −−→^δ,a C₂if

C₂={(q₂,u₂)| ∃(q₁,u₁)∈C₁s. t.(q₁,u₁) −−→^δ,a (q₂,u₂)}

Labeled transition system ofconfigurations

...

...

0.4,a 3.6,b

. . .

. . . . . . . . .

Bad:all locationsnon-accepting

Is abadconfigurationreachablefrom someinitialconfiguration?

Labeled transition system ofconfigurations

...

...

0.4,a 3.6,b

. . .

. . . . . . . . .

Bad:all locationsnon-accepting

Is abadconfigurationreachablefrom someinitialconfiguration?

Labeled transition system ofconfigurations

...

...

0.4,a 3.6,b

. . .

. . . . . . . . .

Bad:all locationsnon-accepting

...

...

. . .

. . . . . . . . .

Need to handle two dimensions of infinity!

...

...

. . .

. . . . . . . . .

abstraction byequivalence∼

C1 C2

C1∼C2iff:

...

...

. . .

. . . . . . . . .

finitedominationorder4

C1

C2

C₁4C₂iff:

C₂goes to abadconfig ⇒ C₁goes to abadconfig. too

No needto exploreC₂!

...

...

. . .

. . . . . . . . .

finitedominationorder4

C1

C2

C₁4C₂iff:

C₂goes to abadconfig ⇒ C₁goes to abadconfig. too

Step 2:

The equivalence

Credits:Examples in this part taken from one ofOuaknine’s talks

Equivalent configurations: Examples

C₁={(q₀,0.5)}C₂={(q₀,1.3)}

q0

q₀

. . .

. . . . . . . . . . . . . . .

C₁ C2

q0 q1

x>1,Σ Σ

C₂is universal, butC₁rejects(a,0)

Equivalent configurations: Examples

C₁={(q₀,0.5)}C₂={(q₀,1.3)}

q0

q₀

. . .

. . . . . . . . . . . . . . .

C₁ C2

q0 x>1,Σ q1 Σ

C₂is universal, butC₁rejects(a,0)

q₀

q0

. . .

. . . . . . . . . . . . . . .

∼

q₀

q0

. . .

. . . . . . . . . . . . . . .

∼

q0

q₀

. . .

. . . . . . . . . . . . . . .

0.7 1.2

1.8 0.3

C₁ C2

q0 q1

x<1∨x>2,Σ Σ

C2is universal, butC1rejects(a,0.5)

q0

q₀

. . .

. . . . . . . . . . . . . . .

0.7 1.2

1.8 0.3

C₁ C2

q0 q1

x<1∨x>2,Σ Σ

C2is universal, butC1rejects(a,0.5)

LetKbe the largest constant appearing inA DefineREG={r₀,r¹₀,r₁, . . . ,r_K,r^∞_K }

0

r₀

1

r₁ r¹₀

2

r₂ r₁²

K

r_K r^∞_K

· · ·

C={(q1,0.0),(q1,0.3),(q1,1.2),(q2,1.0),(q3,0.8),(q3,1.3)} {(q1,r0,0),(q1,r₀¹,0.3),(q1,r₁²,0.2),(q2,r1,0),(q3,r₀¹,0.8),(q3,r₁²,0.3)} {(q₁,r₀,0),(q₂,r₁,0)} {(q₁,r²₁,0.2)} {(q₁,r¹₀,0.3)(q₃,r₁²,0.3)} {(q₃,r₀¹,0.8)}

H(C) ={(q1,r0),(q2,r1)} {(q1,r₁²)} {(q1,r₀¹)(q3,r₁²)} {(q3,r₀¹)}

LetKbe the largest constant appearing inA DefineREG={r₀,r¹₀,r₁, . . . ,r_K,r^∞_K }

0

r₀

1

r₁ r¹₀

2

r₂ r₁²

K

r_K r^∞_K

· · ·

C={(q1,0.0),(q1,0.3),(q1,1.2),(q2,1.0),(q3,0.8),(q3,1.3)}

{(q1,r0,0),(q1,r₀¹,0.3),(q1,r₁²,0.2),(q2,r1,0),(q3,r₀¹,0.8),(q3,r₁²,0.3)} {(q₁,r₀,0),(q₂,r₁,0)} {(q₁,r²₁,0.2)} {(q₁,r¹₀,0.3)(q₃,r₁²,0.3)} {(q₃,r₀¹,0.8)}

H(C) ={(q1,r0),(q2,r1)} {(q1,r₁²)} {(q1,r₀¹)(q3,r₁²)} {(q3,r₀¹)}

LetKbe the largest constant appearing inA DefineREG={r₀,r¹₀,r₁, . . . ,r_K,r^∞_K }

0

r₀

1

r₁ r¹₀

2

r₂ r₁²

K

r_K r^∞_K

· · ·

C={(q1,0.0),(q1,0.3),(q1,1.2),(q2,1.0),(q3,0.8),(q3,1.3)}

{(q1,r0,0),(q1,r₀¹,0.3),(q1,r₁²,0.2),(q2,r1,0),(q3,r₀¹,0.8),(q3,r₁²,0.3)}

{(q₁,r₀,0),(q₂,r₁,0)} {(q₁,r²₁,0.2)} {(q₁,r¹₀,0.3)(q₃,r₁²,0.3)} {(q₃,r₀¹,0.8)} H(C) ={(q1,r0),(q2,r1)} {(q1,r₁²)} {(q1,r₀¹)(q3,r₁²)} {(q3,r₀¹)}

LetKbe the largest constant appearing inA DefineREG={r₀,r¹₀,r₁, . . . ,r_K,r^∞_K }

0

r₀

1

r₁ r¹₀

2

r₂ r₁²

K

r_K r^∞_K

· · ·

C={(q1,0.0),(q1,0.3),(q1,1.2),(q2,1.0),(q3,0.8),(q3,1.3)}

{(q1,r0,0),(q1,r₀¹,0.3),(q1,r₁²,0.2),(q2,r1,0),(q3,r₀¹,0.8),(q3,r₁²,0.3)}

{(q₁,r₀,0),(q₂,r₁,0)} {(q₁,r²₁,0.2)} {(q₁,r¹₀,0.3)(q₃,r₁²,0.3)} {(q₃,r₀¹,0.8)}

H(C) ={(q1,r0),(q2,r1)} {(q1,r₁²)} {(q1,r₀¹)(q3,r₁²)} {(q3,r₀¹)}

LetKbe the largest constant appearing inA DefineREG={r₀,r¹₀,r₁, . . . ,r_K,r^∞_K }

0

r₀

1

r₁ r¹₀

2

r₂ r₁²

K

r_K r^∞_K

· · ·

C={(q1,0.0),(q1,0.3),(q1,1.2),(q2,1.0),(q3,0.8),(q3,1.3)}

{(q1,r0,0),(q1,r₀¹,0.3),(q1,r₁²,0.2),(q2,r1,0),(q3,r₀¹,0.8),(q3,r₁²,0.3)}

{(q₁,r₀,0),(q₂,r₁,0)} {(q₁,r²₁,0.2)} {(q₁,r¹₀,0.3)(q₃,r₁²,0.3)} {(q₃,r₀¹,0.8)}

H(C) ={(q1,r0),(q2,r1)} {(q1,r₁²)} {(q1,r₀¹)(q3,r₁²)} {(q3,r₀¹)}

LetKbe the largest constant appearing inA REG:={r₀,r¹₀,r₁, . . . ,r_K,r_K^∞}

Λ :=P(Q×REG)

We can give H:C7→Λ^∗ that remembers:

I integralpart of the clock value (moduloK) in each state ofC,

I orderoffractionalparts of the clock among different states inC

Equivalence

C1∼C2 if H(C1) =H(C2)

It can be shown that∼is abisimulation

C₁goes to abadconfig. ⇔ C₂goes to abadconfig.

Equivalence

C1∼C2 if H(C1) =H(C2)

It can be shown that∼is abisimulation

C₁goes to abadconfig. ⇔ C₂goes to abadconfig.

...

...

. . .

. . . . . . . . .

abstraction byequivalence∼

C1 C2

C1∼C2iff:

Step 3:

The domination order

...

...

. . .

. . . . . . . . .

finitedominationorder4

C1

C2

C14C2iff:

Look atH(C₁)andH(C₂), the words overΛ^∗ Λ =P(Q×REG)

Let⊆be theinclusion(quasi-)order onΛ

Consider the induced monotone domination order4overΛ^∗

{(q₀,r₀)} {(q₁,r¹₀),(q₀,r₂³)}

4

{(q₀,r₀),(q₁,r₁)} {(q₂,r₂³)} {(q₁,r₀¹),(q₀,r₂³),(q₂,r²₁)} Theorem:IfH(C₁)4H(C₂), then∃C₂⁰ ⊆C₂s.t.C₁∼C₂

⊆is a wqo asΛisfinite. Therefore,4is awqodue toHigman’s lemma

Look atH(C₁)andH(C₂), the words overΛ^∗ Λ =P(Q×REG)

Let⊆be theinclusion(quasi-)order onΛ

Consider the induced monotone domination order4overΛ^∗

{(q₀,r₀)} {(q₁,r¹₀),(q₀,r₂³)}

4

{(q₀,r₀),(q₁,r₁)} {(q₂,r₂³)} {(q₁,r₀¹),(q₀,r₂³),(q₂,r²₁)} Theorem:IfH(C₁)4H(C₂), then∃C₂⁰ ⊆C₂s.t.C₁∼C₂

⊆is a wqo asΛisfinite. Therefore,4is awqodue toHigman’s lemma

Look atH(C₁)andH(C₂), the words overΛ^∗ Λ =P(Q×REG)

Let⊆be theinclusion(quasi-)order onΛ

Consider the induced monotone domination order4overΛ^∗

{(q₀,r₀)} {(q₁,r₀¹),(q₀,r₂³)}

4

{(q₀,r₀),(q₁,r₁)} {(q₂,r₂³)} {(q₁,r₀¹),(q₀,r₂³),(q₂,r²₁)}

Theorem:IfH(C₁)4H(C₂), then∃C₂⁰ ⊆C₂s.t.C₁∼C₂

⊆is a wqo asΛisfinite. Therefore,4is awqodue toHigman’s lemma

Look atH(C₁)andH(C₂), the words overΛ^∗ Λ =P(Q×REG)

Let⊆be theinclusion(quasi-)order onΛ

Consider the induced monotone domination order4overΛ^∗

{(q₀,r₀)} {(q₁,r₀¹),(q₀,r₂³)}

4

{(q₀,r₀),(q₁,r₁)} {(q₂,r₂³)} {(q₁,r₀¹),(q₀,r₂³),(q₂,r²₁)}

Theorem:IfH(C₁)4H(C₂), then∃C₂⁰ ⊆C₂s.t.C₁∼C₂

⊆is a wqo asΛisfinite. Therefore,4is awqodue toHigman’s lemma

Look atH(C₁)andH(C₂), the words overΛ^∗ Λ =P(Q×REG)

Let⊆be theinclusion(quasi-)order onΛ

Consider the induced monotone domination order4overΛ^∗

{(q₀,r₀)} {(q₁,r₀¹),(q₀,r₂³)}

4

{(q₀,r₀),(q₁,r₁)} {(q₂,r₂³)} {(q₁,r₀¹),(q₀,r₂³),(q₂,r²₁)}

Theorem:IfH(C₁)4H(C₂), then∃C₂⁰ ⊆C₂s.t.C₁∼C₂

⊆is a wqo asΛisfinite. Therefore,4is awqodue toHigman’s lemma

Final algorithm

I

Start from H (C

0

), where C

0

is the initial configuration

I

Successor computation is effective

I

Termination guaranteed as domination order is wqo

A is universal iff the algorithm does not reach a bad node

One-clock

Universality is decidable for one-clock timed automata

For two clocks, we know universality is undecidable

Where does this algorithm go wrong when A has two clocks?

One-clock

Universality is decidable for one-clock timed automata

For two clocks, we know universality is undecidable

Where does this algorithm go wrong when A has two clocks?

One-clock

Universality is decidable for one-clock timed automata

For two clocks, we know universality is undecidable

Where does this algorithm go wrong when A has two clocks?

Two clocks

State: (q,u,v)

Configuration:{(q₁,u₁,v₁),(q₂,u₂,v₂), . . . ,(q_n,u_n,v_n)}

At theleast, the following should be remembered while abstracting:

I relative ordering between fractional parts ofx

I relative ordering between fractional parts ofy

Currentencoding can rememberonly oneof them

Other encodings possible?

Consider some domination order4

C164C2if for allC₂⁰ ⊆C2:

I either relative order of clockxdoes not match

I or relative order of clockydoes not match

In the next slide:No wqopossible!

An infinite non-saturating sequence C

1

, C

2

, C

3

, . . .

x y

C3

x y

C4

x y

C5

An infinite non-saturating sequence C

1

, C

2

, C

3

, . . .

x y

C3 x

y

C4

x y

C5

An infinite non-saturating sequence C

1

, C

2

, C

3

, . . .

x y

C3 x

y

C4

x y

Conclusion

I

An algorithm for universality when A has one clock

I

Can be extended for L(B) ⊆ L(A) when A has one-clock